Python Socket thru Proxy using SocksiPy

My friend!

This time we will be adding an extra dose of anonymity and privacy to our Python shell by providing support for proxies. Socks4, Socks5 or HTTP; it’s your choice — got ’em all. The AES encryption (seen previously here) is undoubtedly the strongest factor in this equation, because without it the proxy server — or anyone in between, really — would be able to see all the traffic from point A to point B. The encryption, however, shields us from pesky intruders and allows our connection to stay smooth and unblocked by ISPs along the way.


SocksiPy

This module lets developers add proxy support (Socks4, Socks5 or HTTP) seamlessly, as you can read on the main page or in more detail in the README. What this means is that we can continue to use the socket module normally: send and receive data, close connections and whatnot, without any modification to the original socket functions.

I could go into details, but this module is so straightforward and simple that the README says it all really… all you need is 4 lines of code and that’s it! I do want to point out that upon downloading, you should extract the “socks.py” file to the same folder where you are developing the shell; and whenever you’re ready to compile, you also need to copy “socks.py” into the PyInstaller directory. Don’t worry though, you will still get a single file (executable) after compiling. 😉

Packet Analysis

In my opinion it’s also good practice to understand what is going on behind the curtain, so go ahead and fire up Wireshark to see this spectacle first hand — honestly, sometimes you can learn a lot just from looking at how the packets behave and getting familiar with them. Knowing how they work will also save you a lot of time later when you encounter “unexpected issues” in your network.

The first thing here is that we are using HTTPS to connect from the proxy to the server. Why? Well, HTTPS is a binary protocol and the proxy understands nothing about it. In our case, that’s really good! The main reason being that we already have AES encryption between the client and server, and also because 443 has been my port of choice since the beginning of the series. Now, this is where we could go HAMsters and wrap the already encrypted traffic with SSL, but I decided it was better not to… the overhead of decrypting the traffic twice on its way through the proxy would be overkill; but if you’re paranoid, don’t think twice!

After negotiating the proxy with the client, the first noticeable message we see in Wireshark is:

There you can see the CONNECT command issued from the client through the proxy. This command will attempt to connect to the server, but only if the hostname resolves… in which case we get a 200 OK message, as seen below:

Finally, we must manually send a request to begin transferring data. For this scenario the request should be GET / HTTP/1.1; you can see the packet below:

That’s basically it. If you go further, it wouldn’t be too difficult to write your own module for handling the proxies; but with Dan Haim’s module already supporting several different types of proxies, along with authentication and more, it makes no sense to reinvent the wheel! Big thanks to Dan!
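To make the Wireshark walkthrough concrete without a capture file, here is an added example (not code from this post and not part of SocksiPy) that builds the CONNECT request a proxy client sends, parses the proxy’s status line, and then classifies the first bytes the client pushes through the opened tunnel. It also shows the flip side of the design described above: a tunnel to port 443 whose first bytes are a hand-written GET or raw AES ciphertext rather than a TLS ClientHello is easy for a proxy or IDS to single out, which is exactly what a monitoring team would look for. The three “captures” at the bottom are constructed, and example.invalid is a placeholder host.

```python
"""HTTP CONNECT tunnel as seen by the proxy: build the client's request, parse the
proxy's status line, and classify the first bytes sent through the tunnel.
Added example; not code from the post or from SocksiPy. All captures are constructed."""
import re
from dataclasses import dataclass

# Request-line / status-line grammar (RFC 7230 and 7231), just enough for this example.
CONNECT_RE = re.compile(rb"CONNECT (?P<host>[^\s:]+):(?P<port>\d{1,5}) HTTP/1\.[01]\r\n")
STATUS_RE = re.compile(rb"HTTP/1\.[01] (?P<code>\d{3}) ?(?P<reason>[^\r\n]*)\r\n")
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")


def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT message a proxy client sends to ask for a raw tunnel to host:port."""
    target = f"{host}:{port}".encode("ascii")
    return b"CONNECT " + target + b" HTTP/1.1\r\nHost: " + target + b"\r\n\r\n"


def parse_connect_request(data: bytes) -> tuple[str, int]:
    """Return (host, port) from a CONNECT request line, rejecting anything else."""
    m = CONNECT_RE.match(data)
    if m is None:
        raise ValueError("not a CONNECT request")
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return m.group("host").decode("ascii"), port


def parse_proxy_status(data: bytes) -> tuple[int, str]:
    """Return (status code, reason phrase) from the proxy's reply; 200 means the tunnel is open."""
    m = STATUS_RE.match(data)
    if m is None:
        raise ValueError("not an HTTP status line")
    return int(m.group("code")), m.group("reason").decode("ascii", "replace")


def classify_payload(payload: bytes) -> str:
    """Classify the first client bytes inside an open tunnel.
    A TLS record begins with content type 0x16 (handshake) and major version 0x03."""
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "cleartext-http"  # the post's manual "GET / HTTP/1.1" lands here
    return "opaque"              # e.g. application-layer ciphertext with no TLS framing


@dataclass
class TunnelReport:
    target: str        # "host:port" the client asked for
    status: int        # proxy's status code
    payload_kind: str  # "tls", "cleartext-http", "opaque", or "none" if the tunnel was refused
    suspicious: bool   # True when port 443 carries something other than TLS


def analyze_flow(flow: list[tuple[str, bytes]]) -> TunnelReport:
    """flow is a list of (direction, payload) in wire order: 'C' = client->proxy,
    'P' = proxy->client, starting with the CONNECT request."""
    if len(flow) < 2 or flow[0][0] != "C" or flow[1][0] != "P":
        raise ValueError("expected client CONNECT followed by the proxy's reply")
    host, port = parse_connect_request(flow[0][1])
    code, _ = parse_proxy_status(flow[1][1])
    target = f"{host}:{port}"
    if code != 200:
        return TunnelReport(target, code, "none", False)
    first = next((p for d, p in flow[2:] if d == "C"), b"")
    kind = classify_payload(first)
    return TunnelReport(target, code, kind, port == 443 and kind != "tls")


# Constructed captures (not real traffic). example.invalid is a placeholder host.
PROXY_OK = b"HTTP/1.1 200 OK\r\n\r\n"
SHELL_FLOW = [  # the exchange the post describes: CONNECT, 200 OK, then a hand-written GET
    ("C", build_connect_request("example.invalid", 443)),
    ("P", PROXY_OK),
    ("C", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]
BROWSER_FLOW = [  # what a normal HTTPS client sends first: a TLS ClientHello record
    ("C", build_connect_request("example.invalid", 443)),
    ("P", PROXY_OK),
    ("C", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 8),
]
REFUSED_FLOW = [  # proxy policy denies the tunnel
    ("C", build_connect_request("example.invalid", 8443)),
    ("P", b"HTTP/1.1 403 Forbidden\r\n\r\n"),
]

if __name__ == "__main__":
    for name, flow in (("shell", SHELL_FLOW), ("browser", BROWSER_FLOW), ("refused", REFUSED_FLOW)):
        print(name, analyze_flow(flow))
```

Running the script prints one report per constructed flow; only SHELL_FLOW is flagged, because it opens a tunnel to 443 and then speaks cleartext HTTP instead of TLS. Wrapping the AES stream in TLS, the option the post weighs and rejects, is what would make it look like BROWSER_FLOW to an observer at the proxy.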

Other Notes

A Disable command has been added to the shell as well. This idea was not mine; initially it came from ToProType, with the intention to disable the Windows task manager. I thought it was pretty cool and decided to add it… however, after realizing how much time I waste doing tests, I decided to incorporate other options to disable persistence, the service (used to escalate privileges) and the shell overall.

To use the disable command you must be running as system/authority and invoke it like so:

C:\Windows\System32>disable taskmgr

…and “adieu” task manager! Pretty annoying. Haha

Next, I came to realize that the keylogger doesn’t work very well if it only writes the file AFTER it is done. What if the client shuts off his computer? Uh oh… so I recoded it to write to the file continuously, set the default file name to the current date and time, and set the recording time to a few days. So now the log is more accurate and downloadable at all times.

Download

Click here to download the client/server source code: [ DOWNLOAD ]

Hit high quality and enjoy the vid! 😉
