In our walk in linux, there comes a point where we need to hack ( pentest ) in a safe environment. The first thing we usually do is install Virtualization Softwares and install all the distros our system can take. In stages of hacking, to compromise the victim machine, we need some sort of program to infect the system. The down-side is, AntiVirus products have signatures of favourite Metasploit files and to successfully compromise the victim, we need to disable this products which isn't what we will be doing in real life. This calls for the development of our own program. Today, we touch on one of the many programs ( payloads actually ), that is, a reverse tcp program.
Reverse TCP: In a normal forward connection, a client connects to a server through the server's open port, but in the case of a reverse connection, the client opens the port that the server connects to. The most common way a reverse connection is used is to bypass firewall and router security restrictions.
For example, a backdoor running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the backdoor.This method of communication is helpful because starting a local shell on a victim machine can be easily and even without user control be detected by the system itself.
In this series, we will be developing a reverse tcp program in python. Why should this be in parts ? This is because, with every part we introduce a new function or command or code into our shell making it more flexible. We are going to build our shell from ground up into a devastaing awesome fantastic fabulous catastrophic delicious ... ( I think thats enough ) shell.
In today's tutorial, we are going to initiate a connection, send and receive outputs. Lets begin ...
ATTACKER'S SERVER SIDE
As the attacker, I stated earlier that we cannot initiate the connection and become a client because this could raise flags or we could be blocked even by a simple firewall. However, we can become the server and then reverse the connection to send commands to the client. We setup sockets and reverse the connection.
Lets break it down, shall we ?
- TODO: Strip subprocess as sp from the import statements. Its not needed now.
- We accept socket information from the sys.argv module
- We setup the socket, bind the socket and listen for connections on the socket
- Should any come through, we accept and print a message
- We run our script into a while loop to send commands and receive output
- If an entered command is empty, we skip to the while loop again
- If not, should the command be exit(), we send the command to the client and close our local sockets also.
- If any of the last two lines above does not come in, we send the comand and receive the output. The client obeys a rule by appending the output size to the output ( We will go into that in the client side )
- We strip the output size and assign it to total_size. The rest of the output is assigned to result.
- If the sent output size does not match the length of the received output in the result variable. We run into a while loop opening the connection to receive the remaining data and updating the length of the result variable until the total_size is less or equal to the length of the result variable.
- We print the results and strip the last annoying new line string.
- If anything should fail, the socket is closed
That wasn't hard right !!. I would not be explaining line by line as our shell becomes complex, only the needed and important parts. Lets write our client socket.VICTIM'S CLIENT SIDE
The victim connects to us so the codes shouldn't be much.
Lets break it down, shall we ?
- We accept socket information from the sys.argv module through command-line ( We will deal with that later ).
- We setup the socket and connect to the assigned address
- If connected, we receive the command sent by the server
- If the command is not exit(), pipe and execute the command. The output of the executed command is assigned to the variable sh
- ( out, err ) are the standard stdout and stderr streams.
- We assign the output of the streams to the result variable.
- The length is 16 bytes long to help the server ( attacker ) identify the size
- We calculate the length and send it appended by the output
- Else: If the received command is exit(), we break the loop and close the connection.
Lets execute our attacker ( server ) script and see what we've got
root@Sploit:~/Desktop# python reverseTcp.py '' 8000
The client should connect passing the host information on the command line.
root@Sploit:~/Desktop# python connect.py 127.0.0.1 8000
Here is a screenshot of the attacker's server script:
As expected, the client console should be empty because we aren't printing anything.1 FUTURE SCREENSHOT
Hope you stay tuned.LETS END IT - CONCLUSION
We have simply created our reverse tcp connection and now we will move on to writing some basic functions to help us and also maybe add some colours. The code however can be implemented on the windows machine although the operating system is not our choice of platform for this series.
Corrections, Modifications, Updates are welcome.