Tuoni 0.10.0

No more "API ERRORS", Server settings, Server jobs and much more...

🖥️ CLIENT

Terminal Improvements

  • Terminal arguments now support "fuzzy-complete": execute-assembly --par + tab will complete to execute-assembly --parameters
  • Terminal unfinished command is now cached when clicking around in the UI (tabs, pages)
  • Command errors are now visible in the terminal
  • Added several layers of failsafes to avoid rendering overly large command results in the terminal
  • If a file is omitted by the server, a download option appears
  • Additional option to show "last 500 lines" of the result is now offered
  • Improved the preview of downloaded files

Agent Management

  • Improved the "remove-all-agents" feature; it is now instantaneous
  • All agent.metadata.customProperties fields are now searchable, even the ones not pre-defined by default
  • Sorting by "last" column in agents table now works again
  • It is now possible to specify a file in the "send-command-to-all" dialog

UI Enhancements

  • Changed the icon on the Files page to better indicate whether a file can be downloaded
  • All listeners are now visible, removed hidden pagination
  • Added a feature to edit server settings & configurations
  • 3rd party listeners are now supported in the Client. Migrated most plugins to use the universal listener dialog
  • Added support for specifying a Java keystore for the HTTPS listener in the client

Command & Job Management

  • Inject command alias now works correctly
  • Added jobs page to manage all server side jobs
  • Major overhaul of error handling. No more generic "API - error"

New Features

  • Added new python shellcode launchers by @palangosjuze

⚙️ SERVER

Listener Enhancements

  • HTTP listener now validates HOSTS entries for valid IPv4, IPv6 and domain names
  • HTTP listener now has validation for port ranges
  • HTTPS listener now supports selecting alias from the Java keystore for certificates
  • Enhanced Listener configuration stability

API Improvements

  • Agents API now sends payloadId with agent metadata if provided by the payload plugin
  • Fixed issue with agents sometimes getting empty metadata
  • Files API now sends supportedActions indicating whether a file can be deleted
  • Tuoni API now omits large text results from batch queries. They need to be requested implicitly. This improves performance all around

Command & Job Functionality

  • BOF command --pack_args now supports fewer arguments than defined in --pack_format
  • Added run-as native command
  • Added API support for background jobs

Server Configuration

  • Added a new feature, "server settings". It's now possible to specify:
      • Name for the server
      • Whether agents should be automatically set to inactive (removed) when the "die" command is sent

🔒 COMMERCIAL

Linux Payload Improvements

  • Linux payload is now embedded, making it "true elf". This makes Tuoni Linux payload compatible with the load-elf command and alternatives. Also enhances the compatibility with various Linux distributions and overall stability
  • Fixed issue with Linux payload Domain Fronting feature
  • Linux listener configuration is now encoded
  • Linux and BSD payloads and HTTP listener can handle high volume text results better
  • Linux and BSD ls command now supports file globbing

Windows Payload Enhancements

  • Windows payload template can now be specified in the payload configuration, making it easy to quickly switch between various templates
  • Windows payload template can also be specified as a URL to fetch it remotely
  • Added support for custom Windows shellcode encoding in the commercial payload
  • Windows payload now implements import table randomization by default, giving it a unique imphash on every payload generation

🚀 New Contributors

  • @palangosjuze: https://github.com/shell-dot/tuoni/pull/66
  • @se-fLa: https://github.com/shell-dot/tuoni-pip/pull/4
  • @karlkr: https://github.com/shell-dot/tuoni-pip/pull/3