How To Make A Reverse TCP Backdoor In Python - Part 2


(Sergeant Sploit) #1

In our walk in linux, there comes a point where we need to hack ( pentest ) in a safe environment. The first thing we usually do is install Virtualization Softwares and install all the distros our system can take. In stages of hacking, to compromise the victim machine, we need some sort of program to infect the system. The down-side is: AntiVirus products have signatures of favourite Metasploit files and to successfully compromise the victim, we need to disable this products which isn’t what we will be doing in real life. This calls for the development of our own program. Today, we touch on one of the many programs ( payloads actually ), that is, a reverse tcp program.

Reverse TCP: In a normal forward connection, a client connects to a server through the server’s open port, but in the case of a reverse connection, the client opens the port that the server connects to. The most common way a reverse connection is used is to bypass firewall and router security restrictions.

For example, a backdoor running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the backdoor.This method of communication is helpful because starting a local shell on a victim machine can be easily and even without user control be detected by the system itself.

In this series, we will be developing a reverse tcp program in python. Why should this be in parts ? This is because, with every part we introduce a new function or command or code into our shell making it more flexible. We are going to build our shell from ground up into a devastaing awesome fantastic fabulous catastrophic delicious … ( I think thats enough ) shell.

In today’s tutorial, we are going to make the shell a little nice abit. Lets begin with the server ( attacker ) script.

SCRIPTING: THE IMPORT STATEMENTS

This will be our new import statement

#!/usr/bin/env python
import socket, sys, os

Nice !!

SCRIPTING: THE SCRIPT COLOUR FUNCTION

This function is going to spawn our shell into a beautiful shell.




This function decorates any text passed to it with the specified colour. It accepts:

  1. “r” or “red” - Red
  2. “g” or “green” - Green
  3. “b” or “blue” - Blue
  4. “y” or “yellow” - Yellow
  5. “lgray” - Light Gray
  6. “underline” - Underline Text
  7. “strike” - Strikes Text

SCRIPTING: THE BANNER FUNCTION

All these introduced functions are not necessary but improve the user experience. We ( You ) can customize it as we ( you ) please.




EDIT: I changed my “lgray” to “gray”. As I stated earlier, we can change it as we please.

This function as you already understand returns the text to the caller.

SCRIPTING: THE MAIN CONTROL FUNCTION

This function takes over the server socket. In the previous tutorial, we didn’t use any function and wrote raw codes. Those raw codes are now written into this function with some pretty good modifications.




Don’t panic yet. A close look at the code brings understanding. Lets break it down, shall we ?

  1. We accept the socket information and pass it to the respective variables host and port
  2. If no error is caught, we print “Framework Started Successfully” with the help of the script_color function.
  3. Next is the banner() function which is printed to the screen.
  4. We setup the sockets, bind and listen.
  5. Usually we pass the host as an empty string. If that be the case, we change the host string to “localhost” after we setup the socket
  6. We print “Listening on host address:port number …”
  7. We begin accepting connections.
  8. If all goes well and a client comes through, we enter into the console function passing the connection stream and the host address as an argument.
  9. Should the function exit, we close our socket

That wasn’t difficult right !!!. Moving on.

SCRIPTING: THE CONSOLE FUNCTION

The frustrating part of all but if we can stick together on this one, we are going to sail through. Lets write.



Pretty Long. First, we print a string saying Connection Established from the remote host. We then receive
data from the stream, this data is information about the remote system ( We will deal with that in the client side). We then sort out the data, this is the layout of the data:

System Type
Computer Name ( Node Name )
Release Version
System Version
Machine Architecture
Username

All these information are inherited from the uname() and getlogin() in the os module ( We will get to that on the client side ).

We move on to create a custom prompt name for our shell using the information received, for example, [email protected].

We then enter into our command loop. This loop contains commmands for the connection. We are defining our own custom commands therefore commands such as “ls -l” and other linux commands won’t work.

These are our first 5 ( five ) built in commands.

  1. exec - Accepts a command as an argument and executes the command on the remote host. This is where our everyday linux commands can come to play, for example, exec ls -l
  2. cls - Clears the Terminal screen. Uses the default linux clear command
  3. help - Calls the help function and prints the help text ( We will get there in a moment )
  4. sysinfo - Prints the received remote system information
  5. exit() - Sends a halt command to the remote shell and also exits locally
  6. Any non-specified command is not accepted and an error message will be printed in the else statement

In the inbuilt exec command, should no argument be passed, an error is printed. We have a new function in the exec command which is send_data. It accepts the connection stream and the command to execute. It automatically deals with sending and receiving of the data.

I would rather you write the code as you see it. You can modify it after it works. Modifying during writing can cause alot of problems ( trust me ).

SCRIPTING: THE HELP FUNCTION

All commands built into the framework ( script ) are to be entered here.



This function prints the help_list in a sorted way and also formats the help_list.


SCRIPTING: THE SEND DATA FUNCTION

This function as stated earlier automatically sends and receives the data.



Now, lets tie the knot ( not marriage ).

CALLING EVERYTHING TOGETHER

We know functions don’t execute thems and need callers.



We are partly done. Lets now reflect our changes into the client script.

THE CLIENT SIDE

The client also needs to obey some rules and commands such as the exec command in the server script. Our import statement should change to:

#!/usr/bin/env python
import socket, subprocess as sp, sys, os

Our first function would be the connect function.

THE CONNECT FUNCTION

This function as the name implies connects to the specified address. It also sends the system information after a connection is established.



It then calls the interactive_session function passing the connection stream as an argument.

THE INTERACTIVE SESSION FUNCTION

This function runs a loop accepting and executing commands based on the “if” instructions.



The function uses another function send_data to send the data.

THE SEND DATA FUNCTION

This function calculates the length of the data and sends it along with the data.



This function will be helpful in future modifications. Lets tie the knot.

CALLING EVERYTHING TOGETHER

We write the magic line as the functions won’t execute themselves.



Lets execute our attacker ( server ) script and see what we’ve got

[email protected]:~/Desktop# python reverseTcp.py ‘’ 8000

The client should connect passing the host information on the command line.

[email protected]:~/Desktop# python connect.py 127.0.0.1 8000

Here is a screenshot of the attacker’s server script:



Exploring the help options



From the nmap result on the remote system, I think we opened a port on a registered service. As expected, the client console should be empty because we aren’t printing anything.

LETS END IT - CONCLUSION

I think we have accomplished something in this tutorial.

Corrections, Modifications, Updates are welcome.


(RooT HaXor) #2

Great Tutorial bro !


(Sergeant Sploit) #3

thanks big bro.

Sergeant


(True self is without form) #4

Hi Sergeantsploit.
First of all, I want to thank you for this how to series, I found it really interesting !

However, there is a minor problem in the chapter : SCRIPTING: THE CONSOLE FUNCTION.
In this chapter there is the screenshot of your main control function, instead of the console function.

I wish you all the best, see you soon mate !

  • shutz_c0de

(Sergeant Sploit) #5

Thanks. I will fix it asap. Sorry if I kept you waiting ( Work Stuff: I even forgot my 0x00sec password ).
FIXED.


(True self is without form) #6

No worry mate, it forced me to code my own console() function, which is a good thing.
I’ll check yours, thank’s for the update !


#7

Awesome tutorial! Can’t wait for more.


(SoLux) #8

For printing colors I most of the time switch to Colorama, as it’s multi platform
Going to try to make a color library perhaps soon.
Love the tutorial, very high quality.


#9

Hi there. Very useful tutorial and very helpful. For executing basic commands, as in your print screen, with exec command, this exec command should be coded in connect.py?


(Dimitris Zervas) #10

check out covertutils and RSPET on gihub :slight_smile:


#11

Thanks mate :wink: Highly appreciated. Regards


(Command-Line Ninja) #12

This topic was automatically closed after 19 hours. New replies are no longer allowed.


(system) #13

(oaktree) #14