Python Reverse Shell

reverseshell
networking
malware
python

#1

Hello 0x00 sec :smiley:
I have developed a reverse shell in Python that controls the victim's shell, uploads files from his computer and streams his desktop to me. I have tested it on my local network and it is to a great extent satisfying. I have some questions starting from this point in order to finish it.
1- How to use it outside my LAN? I tried writing my public IP in the code and a port number but the client didn't connect.
Some were talking about port mapping but I don't understand what I am supposed to do :smiley:

2- In case of port mapping, should the client (which is not the victim) also do the same? (logically not and I hope I am right :smiley:)

3- Suppose the connection happened, can the victim - if he noticed - determine my IP? - using Wireshark or whatever? - what can he do if he knew :smiley:

4- Is there a way to conceal or hide my real IP during the session? I thought of using a VPN but the problem is how the client will listen while he doesn't know my IP - which is changing every time -

5- A side question: what is the difference if this reverse shell is using TCP or SSH? Which is better for me and why?

I hope to find answers to those 5 questions in detail and thanks in advance :smiley:


#2

> 1- How to use it outside my LAN? I tried writing my public IP in the code and a port number but the client didn't connect.

You’ll need to forward the port, that you specified when you created the shell, back from your router to your localhost; this is, of course, assuming you’re sitting behind a router running a NAT config.

> 2- In case of port mapping, should the client (which is not the victim) also do the same? (logically not and I hope I am right :smiley:)

Again, the attacker will need to do the network port forwarding fuckery in order to receive the connection. Assuming the victim is not behind a network that has strict egress rules, it should be alright on their end.

> 3- Suppose the connection happened, can the victim - if he noticed - determine my IP? - using Wireshark or whatever? - what can he do if he knew :smiley:

If you are not doing anything to obfuscate your IP (i.e. using an already compromised host as the C2, using an anonymized VPS, etc.) then yes, they will be able to determine your IP by simply observing their netstat information (Though it varies based on OS of the victim and what their preferred network admin tools are).

> 4- Is there a way to conceal or hide my real IP during the session? I thought of using a VPN but the problem is how the client will listen while he doesn't know my IP - which is changing every time -

There are many ways, it just depends on how anonymous and crafty you would like to get. You could use a VPN in addition to TOR but, again, it really depends on how your C2 infrastructure is configured.
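
The netstat and egress points in the reply above, seen from the monitored host's side, as an added example that is not part of the original thread: it reads `netstat -tnp`-style lines and reports established outbound sessions to external addresses that are owned by an interpreter or shell, or that leave on a port outside the egress policy. The sample lines, the process-name list and the allowed-port policy are constructed assumptions.

```python
import ipaddress

# Constructed sample in the style of Linux `netstat -tnp` output (not real data).
SAMPLE = """\
tcp 0 0 192.168.1.23:51544 198.51.100.20:443 ESTABLISHED 2101/firefox
tcp 0 0 192.168.1.23:40112 203.0.113.77:4444 ESTABLISHED 3377/python3
tcp 0 0 192.168.1.23:22    192.168.1.10:50222 ESTABLISHED 911/sshd
tcp 0 0 0.0.0.0:22         0.0.0.0:*          LISTEN      911/sshd
tcp 0 0 192.168.1.23:40990 198.51.100.9:443   ESTABLISHED 3402/bash
"""

INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SHELL_LIKE = {"python", "python3", "bash", "sh", "perl"}  # assumed watch list
ALLOWED_EGRESS_PORTS = {53, 80, 443}                      # assumed site policy

def parse(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        lhost, _, lport = f[3].rpartition(":")
        rhost, _, rport = f[4].rpartition(":")
        pid, _, prog = f[6].partition("/")
        rows.append(dict(lport=lport, rhost=rhost, rport=rport, state=f[5], pid=pid, prog=prog))
    return rows

def suspicious_outbound(text):
    rows = parse(text)
    listening = {r["lport"] for r in rows if r["state"] == "LISTEN"}
    findings = []
    for r in rows:
        # Skip non-sessions and sessions that arrived at a local listening service.
        if r["state"] != "ESTABLISHED" or r["lport"] in listening:
            continue
        remote = ipaddress.ip_address(r["rhost"])
        if any(remote in net for net in INTERNAL):
            continue
        reasons = []
        if r["prog"] in SHELL_LIKE:
            reasons.append("interpreter/shell owns the socket")
        if int(r["rport"]) not in ALLOWED_EGRESS_PORTS:
            reasons.append("destination port outside egress policy")
        if reasons:
            findings.append((r["pid"], r["prog"], f'{r["rhost"]}:{r["rport"]}', reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_outbound(SAMPLE):
        print(finding)
```

The `bash` session to port 443 passes a port-only egress filter and is caught only by the process-ownership check, which is why the two signals are evaluated separately.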


#3

I didn’t get this part, could you explain more? And how does this solve the problem that the client doesn’t exactly know the server's IP each time?


(Franck0s) #4

Hello! How about using Ngrok to use it outside your LAN?


(eryani) #5

You can set up your own DNS :wink:


(Command-Line Ninja) #6

If you really want to create something that will traverse across NATs, and be very difficult to trace the origin unless you’re one of the 3 letter agencies, then use Tor Hidden Services.

What you’ll need to do, is set up a tor hidden service as your listener (on the attacker side), and then modify your malware to include a tor binary with it. How you deploy this is dependent on how deep you’re trying to get.

Wannacry actually downloaded the binary from the C2 and unpacked it on the disk. Personally, I think it’s much cooler to do this all from within the payload, although very difficult in reality.


(Command-Line Ninja) #7

Man. That is an idea. Do they require any particular details to register? To anybody wondering what ngrok is, it’s really cool

EDIT: I just installed this, signed up, and ran it through tor, and you can 100% tunnel this over tor, without giving away any details except your email address. I wonder how they handle abuse reports? Since these tunnels have the potential to do a LOT. Serving up payloads? Check. Reverse shells? Check. The only thing you lose is the persistent IP and port, which is kind of important for a C2 (unless you pay, which is going to leave a paper trail).


(Not a N00b, but still learning) #8

The idea itself sounds pretty dope. However, I think you have to make sure you don’t hit the connection limit of 40 connections / minute.
Even cooler: It’s open source


(Command-Line Ninja) #9

Oh, dude, this is crazy. Spin one of these up on a bulletproof host? Make the host a tor exit node. Sell ngrok access with monero.

Profit. ALTHOUGH. I don’t want to go to jail, so I think I’ll hold off.


(Not a N00b, but still learning) #10

Theoretically speaking: Is it even illegal? Of course you would score a nice position on the FBI watchlist, but are you responsible for the actions of your „users“ if you shut down their accounts after you get a federal request? :wink:


#11

I appreciate your help guys :smiley: so I hope you go somewhat deeper with me as it is my first time building such evil things :smiley:

1- As far as I got, Ngrok will make me bypass NAT and somehow I got its basic idea.
Now, what to do? Suppose I have the shell now working and tested but using port-mapping, now what are the steps from here?

2- You raised something that I was really searching for but found no guide on, which is extracting Tor from within my code. Do you have anything to guide me on this?
My idea is that the code installs some sort of light-tor daemon process only to direct the socket connections to my server or hidden onion

and thanks all for help :smiley:


(system) #12

This topic was automatically closed after 30 days. New replies are no longer allowed.

