Tuoni 0.10.0
No more "API ERRORS", Server settings, Server jobs and much more...
🖥️ CLIENT
Terminal Improvements
- Terminal arguments now support "fuzzy-complete":
execute-assembly --par
+tab
will complete toexecute-assembly --parameters
- Terminal unfinished command is now cached when clicking around in the UI (tabs, pages)
- Command errors are now visible in the terminal
- Added several layers of failsafes to avoid rendering overly large command results in the terminal
- If file is omitted by the server, a
download
option appears - Additional option to show "last 500 lines" of the result is now offered
- Improved the preview of downloaded files
Agent Management
- Improved "remove-all-agents" feature, it is now instantaneous
- All
agent.metadata.customProperties
fields are now searchable. Even the ones not pre-defined by default - Sorting by "last" column in agents table now works again
- It is now possible to specify a file in the "send-command-to-all" dialog
UI Enhancements
- Changed icon on Files page to better indicate if file can be downloaded
- All listeners are now visible, removed hidden pagination
- Added a feature to edit server settings & configurations
- 3rd party listeners are now supported in the Client. Migrated most of plugins to use universal listener dialog
- Added support to specify Java keystore for HTTPs listener in the client
Command & Job Management
Inject
command alias now works correctly- Added
jobs
page to manage all server side jobs - Major overhaul of error handling. No more generic "API - error"
New Features
- Added new python shellcode launchers by @palangosjuze
⚙️ SERVER
Listener Enhancements
- HTTP listener now validates HOSTS entries for valid IPv4, IPv6 and domain names
- HTTP listener now has validation for port ranges
- HTTPS listener now supports selecting alias from the Java keystore for certificates
- Enhanced Listener configuration stability
API Improvements
- Agents API now sends payloadId with agent metadata if provided by the payload plugin
- Fixed issue with agents sometimes getting empty metadata
- Files API now sends supportedActions indicating if file can be deleted
- Tuoni API now omits large text results from batch queries. They need to be requested implicitly. This improves performance all around
Command & Job Functionality
- BOF command
--pack_args
now supports fewer arguments than defined in--pack_format
- Added
run-as
native command - Added API support for background jobs
Server Configuration
- Added a new feature - "server settings". It's now possible to specify:
- Name for the server
- If agents should be automatically set to inactive (removed) when "die" command is sent
🔒 COMMERCIAL
Linux Payload Improvements
- Linux payload is now embedded, making it "true elf". This makes Tuoni Linux payload compatible with the
load-elf
command and alternatives. Also enhances the compatibility with various Linux distributions and overall stability - Fixed issue with Linux payload Domain Fronting feature
- Linux listener configuration is now encoded
- Linux and BSD payloads and HTTP listener can handle high volume text results better
- Linux and BSD
ls
command now supports file globbing
Windows Payload Enhancements
- Windows payload template can now be specified in the payload configuration, making it easy to quickly switch between various templates
- Windows payload template can also be specified as a URL to fetch it remotely
- Added support for custom Windows shellcode encoding in the commercial payload
- Windows payload now implements import table randomization by default giving it unique imphash on every payload generation
🚀 New Contributors
- @palangosjuze: https://github.com/shell-dot/tuoni/pull/66
- @se-fLa: https://github.com/shell-dot/tuoni-pip/pull/4
- @karlkr: https://github.com/shell-dot/tuoni-pip/pull/3