Python Reverse TCP: simple reverse tcp backdoor

Nalyd 10天前 31

Python Reverse TCP Shell

ywang189 – Yiyi Wang

cjsmith7 – Christian Smith

Multiple files are provided


- malicious python code, run it on victim side.

- can be packed into “exe” file using pyinstaller and run on Windows with no antivirus software detected (tested on Windows8.1, not detected)

- On windows, run pyinstaller —noconsole —onefile to pack the malicious to Windows executable file.

2. listener.js

- simple listener wrote in javascript(node.js)

- Commands: 

-- help

-- exit — quit listener

-- list — list victims

-- connect num — connect to one victim

-- eg ‘connect 0’ will connect to the first victim in victim list

-- schedule n_minutes — schedule attack(for Windows only), force victim to try to connect to the attacker every n_minutes

- schtasks_template.xml(for Windows hack only)

-- sample template for schtasks program on Windows

-- eg: when scheduling a malicious task from the schtasks_template.xml on Windows, run the following command

schtasks /CREATE /XML path_to_schtasks_template.xml /TN malicious_task_name

- dist/reverse_tcp.exe

-- packed exe file using pyinstaller mentioned above.

-- don’t run this file on your machine, it is dangerous(as it will connect to my attack machine at ip

- cleanup.bat (for Windows)

-- remove our simple stupid trojan from victim’s system

-- double click it to clean up.

How to Hack (For Windows)

- Edit the variable attacker_ip in to attacker’s ip address

- Run pyinstaller –noconsole –onefile to create reverse_tcp.exe

- Copy reverse_tcp.exe to victim’s machine and execute it. (No console will pop up so don’t worry)

- Run node listener.js on attacker’s machine to start listening to responses from victims.

How to Hack (For .nix)

- Edit the variable attacker_ip in to attacker’s ip address

- Copy to victim’s machine and run python

- Run node listener.js to start listening to responses from victims.

General descriptions

- On attacker side, execute node listener.js to run the listener file on attacker’s machine.

- Plant and execute on the victim machine. (SE, camouflage py file as part of package, etc)

How it works(For Windows)

- The file will first copy itself to %Appdata% folder, then create schtasks_template.xml file for scheduling tasks

- It then runs schtasks program and set up the running task so that the victim will try connecting to the attacker every 30 minutes by default.

- After that, the victim will try to connect to attacker’s ip and port.

- The attacker will send commands to the victim, and the victim will execute those commands on their machine.

Why implementing Reverse TCP attack in Python

We first tried Metasploit and used the windows/shell_reverse_tcp payload to generate the malicious exe file and we also tried msfencode to encode the exe file. However, no matter how we encoded the malicious exe file, Windows Defender could always detect it(It is interesting to find out that some 3rd party av couldn’t detect our trojan). After doing some researchers, we found out that Windows Defender will always load the program to memory first then scan it, so encoding will never work.



最后于 10天前 被Nalyd编辑 ,原因:
最新回復 (0)