1
00:00:00,210 --> 00:00:02,440
Hello everybody and welcome back.

2
00:00:02,460 --> 00:00:09,180
And we successfully coded for now a simple message program which sends messages back and forth not just

3
00:00:09,180 --> 00:00:14,310
by simply changing the IP address to bind to an IP address to connect to you can run this on two different

4
00:00:14,400 --> 00:00:21,270
machines on local network or if you do port forward you can run these two programs across the globe.

5
00:00:21,270 --> 00:00:25,140
But right now we are not here to make a simple message program.

6
00:00:25,140 --> 00:00:31,950
We are here to actually make a reverse shell which will run quietly and not be detectable by the target.

7
00:00:31,950 --> 00:00:36,690
So we do not want to prompt the target with the type of message to send to server.

8
00:00:36,750 --> 00:00:43,410
So let's actually make our reverse shell to be able to actually execute the system commands and by

9
00:00:43,410 --> 00:00:44,230
system commands.

10
00:00:44,250 --> 00:00:50,970
I mean the command prompt commands so if we type for example dir or something like that we get a list

11
00:00:50,970 --> 00:00:53,220
of all the files in the current directory.

12
00:00:53,310 --> 00:00:58,310
So let's see how we can actually do that.

13
00:00:58,320 --> 00:01:06,180
There is a library in Python called subprocess which allows us to actually execute commands the terminal

14
00:01:06,180 --> 00:01:08,940
commands on the system with the Python.

15
00:01:08,940 --> 00:01:11,840
So let's use that library.

16
00:01:12,270 --> 00:01:13,170
Just type here.

17
00:01:13,220 --> 00:01:15,890
import subprocess.

18
00:01:16,230 --> 00:01:17,870
I believe that's how you specify it.

19
00:01:17,880 --> 00:01:22,980
If it's not we will have to check it out on the Internet and what we want to do is we want to first

20
00:01:22,980 --> 00:01:24,050
of all delete this.
21
00:01:24,060 --> 00:01:30,540
So if message equals Q that should stay right here so the break and Q stays right here.

22
00:01:30,660 --> 00:01:32,830
This is what goes away.

23
00:01:32,850 --> 00:01:35,640
So we do not want to prompt the user or anything.

24
00:01:36,390 --> 00:01:42,400
We do not want to use raw_input on the client side or on the reverse shell side of the code.

25
00:01:42,570 --> 00:01:48,040
What we want to do is basically execute the command that we receive.

26
00:01:48,360 --> 00:01:49,560
So how do we do that?

27
00:01:49,710 --> 00:01:55,860
Well basically we first of all receive the command so we received the command right here.

28
00:01:56,490 --> 00:02:00,660
So let's rename it into the command so you don't get confused.

29
00:02:00,660 --> 00:02:06,300
We do not want to print the command on the reverse shell so delete this as well print message or command delete

30
00:02:06,300 --> 00:02:13,680
that and here delete this ok not send message back.

31
00:02:13,680 --> 00:02:20,010
So right now you should be having only this we only received the command if the command equals Q.

32
00:02:20,070 --> 00:02:21,540
So we have to change that as well.

33
00:02:21,540 --> 00:02:23,700
So not anymore message.

34
00:02:23,730 --> 00:02:29,370
If the command equals Q then we break out of the loop else we want.

35
00:02:29,370 --> 00:02:36,120
We want to run a rather long command right now since that is the syntax for this command which allows

36
00:02:36,120 --> 00:02:40,100
us to actually execute a terminal command or a command prompt command.

37
00:02:40,620 --> 00:02:43,860
We will call it proc as a process equals.

38
00:02:43,890 --> 00:02:48,270
And now just type what type subprocess.Popen.

39
00:02:48,270 --> 00:02:56,900
So subprocess.Popen and then we want to run the command which is this that we received and then comma shell

40
00:02:57,000 --> 00:03:04,940
equals True then comma stdout equals subprocess.PIPE.
41
00:03:05,280 --> 00:03:14,250
We make sure to type capital PIPE so it doesn't traditionally people work with the small pipe.

42
00:03:14,250 --> 00:03:15,130
Let us analyze this.

43
00:03:15,160 --> 00:03:17,820
So it all fits.

44
00:03:17,860 --> 00:03:20,440
Let's actually just close this for now.

45
00:03:20,630 --> 00:03:22,280
Well let's analyze this terminal.

46
00:03:22,540 --> 00:03:28,980
So we are only redoing the client right now so else proc equals subprocess.Popen.

47
00:03:29,020 --> 00:03:35,470
We run the command that we receive shell equals True stdout equals subprocess.PIPE.

48
00:03:35,470 --> 00:03:49,180
And then after that stderr, s t d e r r, stderr equals subprocess.PIPE as well as standard input also

49
00:03:49,180 --> 00:03:55,020
equals subprocess.PIPE so stdin equals subprocess.PIPE.

50
00:03:55,180 --> 00:04:00,220
So we want to pipe that process or that result from the command that we received and we will do that

51
00:04:00,280 --> 00:04:01,810
with the result variable.

52
00:04:01,810 --> 00:04:07,240
So we just create a variable called result or call it anything you want I will call it result in my case

53
00:04:07,860 --> 00:04:18,790
and we want to call it proc.stdout.read() or not call it we want to add to it plus proc.

54
00:04:18,850 --> 00:04:20,760
stderr.read().

55
00:04:21,760 --> 00:04:29,830
So we want to put both of these outputs of the command that we executed into our result variable and

56
00:04:29,890 --> 00:04:35,000
all we have to do right now is actually send the result back to our target.

57
00:04:35,080 --> 00:04:37,810
We do that with the command that we already use.

58
00:04:37,840 --> 00:04:45,720
So sock.send(result) and we should be good to go.

59
00:04:46,350 --> 00:04:56,650
So let's see is there anything that we have to change in our server program so this should be it for

60
00:04:56,650 --> 00:04:56,770
you.
61
00:04:56,860 --> 00:05:00,010
This I believe if it is not we will add things necessary.

62
00:05:00,010 --> 00:05:04,250
So Ctrl+O to save, Enter, Ctrl+X to exit this.

63
00:05:04,410 --> 00:05:12,510
Now let's actually nano the server.py let's close it in the other terminal since we do not need

64
00:05:12,510 --> 00:05:15,240
it so let's exit this for a second.

65
00:05:15,460 --> 00:05:19,110
Let's only use this terminal for a moment and this is our server.

66
00:05:19,110 --> 00:05:23,970
So right now we send the message which we also want to switch to command.

67
00:05:23,970 --> 00:05:25,230
So we don't get confused.

68
00:05:25,230 --> 00:05:34,530
So command, target.send, we send to the target the command, if the command equals Q we'll break out of the

69
00:05:34,530 --> 00:05:44,280
loop and answer which will be the result equals target.recv and then we print the answer.

70
00:05:44,280 --> 00:05:47,040
So this should be good.

71
00:05:47,040 --> 00:05:52,170
I believe so if you switched everything for the command all the messages you switch for the command

72
00:05:52,650 --> 00:05:56,410
and name the answer rename it to result.

73
00:05:56,460 --> 00:06:01,250
So it makes sense more and print the result, not print answer.

74
00:06:01,320 --> 00:06:06,470
Since we don't have the variable answer anymore right now you can Ctrl+O to save this as well.

75
00:06:06,470 --> 00:06:14,140
Ctrl+X to exit and we can run the server it is listening for the incoming connections right now let

76
00:06:14,140 --> 00:06:19,620
us open a second terminal enlarge it a little bit too much

77
00:06:23,200 --> 00:06:33,840
let us just make this a little bit more viewable so let's split this into two that's also at this one

78
00:06:33,840 --> 00:06:37,340
here.

79
00:06:38,240 --> 00:06:40,800
OK so this should be good.

80
00:06:40,810 --> 00:06:49,150
Right now let me just switch my directory to where my reverse shell is and I run the reverse shell.
81
00:06:49,510 --> 00:06:52,890
So we successfully got connection established on the server.

82
00:06:53,050 --> 00:07:02,570
And right now what I want to do is first of all resize so we can see both of these terminals and right

83
00:07:02,570 --> 00:07:06,160
now I should be able to execute commands in a terminal.

84
00:07:06,170 --> 00:07:07,570
Let's see how well that works.

85
00:07:07,580 --> 00:07:15,440
If I just type here as we can see that we successfully got back from the other terminal we got back

86
00:07:15,440 --> 00:07:17,800
the contents of that directory.

87
00:07:18,170 --> 00:07:21,560
If I just type here whoami.

88
00:07:21,560 --> 00:07:22,860
I get back root.

89
00:07:22,880 --> 00:07:24,720
So I am the root user.

90
00:07:25,040 --> 00:07:29,660
If I were to for example type here reboot it would restart my machine.

91
00:07:29,660 --> 00:07:40,430
So we successfully were able to create a program that actually executes the commands, terminal

92
00:07:40,430 --> 00:07:43,910
commands and the command prompt commands on the target machine.

93
00:07:44,480 --> 00:07:49,110
So we successfully created this more simple version of the reverse shell.

94
00:07:49,130 --> 00:07:55,940
This can also be dangerous and it can also be used to change some things on the target machine especially

95
00:07:55,940 --> 00:07:59,810
if they run it as an administrator or as the root user.

96
00:07:59,810 --> 00:08:09,710
So let's see what else we can run pwd, ls -la, but you will notice if I for example run

97
00:08:09,710 --> 00:08:13,520
ifconfig OK.

98
00:08:13,530 --> 00:08:22,350
So for this example we get the full output but you will notice that we only specified the recv function

99
00:08:22,350 --> 00:08:25,430
to receive 1024 bytes.

100
00:08:25,470 --> 00:08:33,000
But what happens if we actually try to receive more bytes than that that will actually crash our program.
101
00:08:33,000 --> 00:08:44,550
So what we want to do is we want to actually be able to send as much data as we want and receive as

102
00:08:44,550 --> 00:08:45,860
much data as we want.

103
00:08:45,870 --> 00:08:52,250
And we also have to fix some bugs such as this one where I just press Enter and don't send anything.

104
00:08:52,320 --> 00:08:57,780
It just bugs out as we can see it is waiting for a reply but our reverse shell doesn't know what to

105
00:08:57,780 --> 00:09:01,920
reply with since the command that it received was just nothing.

106
00:09:01,920 --> 00:09:06,660
It wasn't anything with just an empty space so it can't execute that command therefore it can't send

107
00:09:06,660 --> 00:09:08,860
the answer back to our server.

108
00:09:08,970 --> 00:09:13,320
Therefore they are both hanging on waiting for each other's requests.

109
00:09:13,320 --> 00:09:15,840
So that's something that we also have to fix.

110
00:09:15,840 --> 00:09:22,320
There are many things that need fixing here but this is pretty good for our beginner reverse shell.

111
00:09:22,380 --> 00:09:26,400
Now we have to fix it a little bit at some of the functions here and there.

112
00:09:26,400 --> 00:09:30,980
Fix some bugs and then we can continue adding different options for our reverse shell.

113
00:09:31,200 --> 00:09:33,090
So that would be about it for this video.

114
00:09:33,510 --> 00:09:36,870
I hope you enjoyed it and I hope I see you in the next one, bye.