Security, Programming, Pentesting
by averagesecurityguy
Recently I was reading through Metasploit Unleashed at Offensive Security and they were talking about setting up a backdoor using netcat as a reverse shell. After showing how to set up the backdoor they said that you should not use netcat in a pentest because there is no authentication or encryption. So I asked around on the #metasploit IRC channel to see what should be used instead. I received a few suggestions but was finally told people often use their own tool. So I thought I would write a quick python script to act as a reverse shell and include authentication and encryption. I would then convert it to an executable and load it on a victim machine.
What I want to build is a program that will make an outbound connection to a server, start up an interactive session with cmd.exe, and execute the commands I send it. I also need all communication to be encrypted. Since I wanted to convert this to an executable, I didn't want to use large python modules for fear they would increase the executable size. I also like things to be as simple as possible (I'm a little slow.)
I had no idea how difficult this would be. What I needed was a way to open the cmd.exe process and pass in input and receive the output. Python has an excellent subprocess module that allows you to do this, but all of the examples I found only allowed you to send one command and receive its output before terminating the process. Internet research and a quick discussion on #python led me to pexpect, which looks like an excellent module but was overkill for what I wanted. After a few more hours of research I finally stumbled upon this little gem of code. This was exactly what I needed.
This also turned out to be more difficult than I expected. I quickly found two python modules specifically for encryption, PyCrypto and M2Crypto. After looking at both of them I again felt like they were overkill for what I wanted. Again, Google search persistence paid off and I found a pure python implementation of Blowfish written by Michael Gilfix, which he called blowfish.py. This was perfect except his implementation doesn't encrypt strings of arbitrary length. So, I wrote a wrapper script called BlockCipher.py that would take in a string, add padding and then encrypt it. I also made it generic enough that I can add other algorithms later if I choose.
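As an added illustration of the padding wrapper described above (this is not the author's BlockCipher.py or Michael Gilfix's blowfish.py): PKCS#7 padding plus CBC chaining around whatever single-block encrypt/decrypt pair the caller supplies, with strict padding checks on the way back out. The `toy_cipher` block function is a constructed stand-in for blowfish.py so the example runs offline; it is not a real cipher.

```python
import secrets

BLOCK_SIZE = 8  # Blowfish (and blowfish.py) works on 64-bit blocks

def pad(data: bytes, bs: int = BLOCK_SIZE) -> bytes:
    """PKCS#7: append n bytes of value n so the length is a multiple of bs (a whole block if already aligned)."""
    n = bs - (len(data) % bs)
    return data + bytes([n]) * n

def unpad(data: bytes, bs: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding; reject malformed input instead of returning garbage."""
    if not data or len(data) % bs:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class BlockCipher:
    """Pads, then chains caller-supplied single-block enc/dec functions (e.g. blowfish.py's) in CBC mode."""

    def __init__(self, enc, dec, bs: int = BLOCK_SIZE):
        self.enc, self.dec, self.bs = enc, dec, bs  # any block algorithm with the same shape drops in

    def encrypt(self, plaintext: bytes) -> bytes:
        prev = secrets.token_bytes(self.bs)  # fresh random IV per message, sent as the first block
        out, padded = [prev], pad(plaintext, self.bs)
        for i in range(0, len(padded), self.bs):
            prev = self.enc(_xor(padded[i:i + self.bs], prev))  # CBC: XOR with the previous ciphertext block
            out.append(prev)
        return b"".join(out)

    def decrypt(self, ciphertext: bytes) -> bytes:
        bs = self.bs
        if len(ciphertext) < 2 * bs or len(ciphertext) % bs:
            raise ValueError("ciphertext too short or misaligned")
        prev, out = ciphertext[:bs], []
        for i in range(bs, len(ciphertext), bs):
            out.append(_xor(self.dec(ciphertext[i:i + bs]), prev))
            prev = ciphertext[i:i + bs]
        return unpad(b"".join(out), bs)

def toy_cipher(key: bytes) -> BlockCipher:
    """Stand-in for blowfish.py so this runs offline: a keyed rotate-and-XOR, NOT a real cipher."""
    enc = lambda b: _xor(b[1:] + b[:1], key)
    dec = lambda b: (lambda x: x[-1:] + x[:-1])(_xor(b, key))
    return BlockCipher(enc, dec)
```

Padding and encryption alone give confidentiality only: the receiver cannot tell a tampered message from a genuine one, so the authentication goal mentioned earlier would still need a MAC over the ciphertext.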
Well I'm still working on this part. Once I get it all together I will put up another entry. I hope to finish this in the next couple of weeks so keep checking back.
tags: encryption - metasploit - Offensive Security - python