Fully Responsive Remote Access Shell

A Report submitted

by

Saurav Rawat(170111004)
Manish Kanyal(170111019)
Ayush Khugshal(170111048)
Shashank Barthwal(170111024)

Under the Guidance of

Mr. Ajay Singh
IBM FACULTY
CSE Department

In partial fulfilment of the requirements for the Degree of

BACHELOR OF TECHNOLOGY
in
COMPUTER SCIENCE & ENGINEERING,
DIT UNIVERSITY, DEHRADUN
(State Private University through State Legislature Act No. 10 of 2013 of Uttarakhand and approved by UGC)

Mussoorie Diversion Road, Dehradun, Uttarakhand - 248009, India.

 CANDIDATE/S DECLARATION

I hereby certify that the work, which is being presented in the report/ project report, entitled
Fully Responsive Remote Access Shell, in partial fulfillment of the requirement for the award
of the Degree of Bachelor of Technology and submitted to the university is an authentic record
of my/our own work carried out during the period August-2019 to November-2019 under the
supervision of Mr. Ajay Singh.

Date: 21-09-2019 Signature of the Candidate

This is to certify that the above statement made by the candidate is correct to the best of my /our
knowledge.

Date: 21-09-2019 Signature(s) of the Supervisor (s)

 Abstract
To gain control over a compromised system, an attacker usually aims to gain

interactive shell access for arbitrary command execution. With such access, they

can try to elevate their privileges to obtain full control of the operating system.

However, most systems are behind firewalls and direct remote shell connections

are impossible. One of the methods used to circumvent this limitation is a

reverse shell. In a typical remote system access scenario, the user is the client

and the target machine is the server. The user initiates a remote shell connection

and the target system listens for such connections. With a reverse shell, the roles

are opposite. It is the target machine that initiates the connection to the user, and

the user’s computer listens for incoming connections on a specified port. The

primary reason why reverse shells are often used by attackers is the way that

most firewalls are configured. Attacked servers usually allow connections only

on specific ports. For example, a dedicated web server will only accept

connections on ports 80 and 443. This means that there is no possibility to

establish a shell listener on the attacked server. On the other hand, firewalls

usually do not limit outgoing connections at all. Therefore, an attacker may

establish a server on their own machine and create a reverse connection. All that

the attacker needs is a machine that has a public (routable) IP address and a tool

such as netcat to create the listener and bind shell access to it. A typical reverse

shell is obtained using a malicious payload. The payload finds its way into the

attacked machine in a variety of ways. Once the malicious payload has been

executed it attempts to connect to its server (pre-configured into the payload).

Once connection has been established the attacker with access to the server can

execute commands via the reverse shell that has been created. Therefore, a

common characteristic of reverse shell attacks is the remote connection which

yields some sort of communication. Moreover, each command and response

4
 should result in some sort of communication side-effect alongside it.

ACKNOWLEDGEMENT

First and foremost, praises and thanks to the God, the Almighty, for His showers
of blessings throughout my project to complete project successfully.
I would like to express my deep and sincere gratitude to my mentor, Mr. Ajay
Singh IBM faculty for giving me the opportunity to do this project and providing
invaluable guidance throughout this project. His dynamism, vision, sincerity and
motivation have deeply inspired me. He has taught me the methodology to carry
out the project work and to present the project works as clearly as possible. It
was a great privilege and honor to work and study under her guidance. I am
extremely grateful for what she has offered me. I would also like to thank her for
his friendship, empathy, and great sense of humor. I am extending my heartfelt
thanks to her colleagues for their acceptance and patience during the discussion I
had with him on project work and my problems.
I am extremely grateful to my parents for their love, prayers, caring and
sacrifices for educating and preparing me for my future.

5
 TABLE OF
CONTENTS
Title Page
No.

CANDIDATES DECLARATION………………………………………….
…i
ABSTRACT .............................................................................................................
....ii
ACKNOWLEDGEMENT…………………………………………………………
….iii LIST OF
TABLES.........................................................................................................iv
LIST OF
FIGURES.......................................................................................................vi

Introduction ..............................................................................................................1

CHAPTER 1 Introduction to Modules

1.1 Socket

Module……………………………………………………………………2

1.1.2. Functions used from socket

module…………………………………………….3

1.2 Argparse
Module…………………………………………………………………..4

1.3 Wget
Module……………………………………………………………………….5

1.4 Sys
Module…………………………………………………………………………6

1.5 Subprocess
Module…………………………………………………………………7

6
 1.6 http-
server………………………………………………………………………….8

1.7 Os
Module…………………………………………………………………………..9

1.8 Time
Module……………………………………………………………………….11

CHAPTER 2 Project Description

2.1 Setting communication parameter……………………………………12

2.2 Establishing Communication ………………………………………13

2.3 communication with remote hosts………………………………………….14

2.4 Parsing received commands………………………………………………16

2.5 Functionality providing methods…………………………………………18

2.6 Communication codes……………………………………………………….20.

2.7 Uitity Function…………………………………………………………….21

2.8 Argument and Options……………………………………………………….22

CHAPTER 3 SYSTEM REQUIREMENTS

3.1 External Interface
Requirement.......................................................................24
3.1.1 Hardware interface………………………………………………… 24
3.1.2 Software Interface…………. ............................................................ 24

7
CHAPTER 4 CONCLUSION AND FUTURE WORK

4.1 Conclusions .................................................................................................25

4.2 Scope for Future Work ................................................................................25

REFERENCES ……………………………………………………..……………26

Introduction

In this world of technology, People prefer to work or do activities while sitting on the
other corner of the world. People around the world, specially developers are being
connected and working together with each other. Remote administration is being
used widely by every professional individual or group.

Remote Access provides ease in Remote Assistance to a client or any technology

user. All operating systems, specially Linux and Unix are armed with plenty of
Remote Access clients that can be used for Remote Assistance. Some of them are :
SSH, NETCAT etc. So many tools are present, but all of them lack some functionalities
like easy Download and easy Upload feature.
In normal shell connections, users need to tell the other end to upload files
somewhere and then give them the download link to download it. The other manual
way was to manually turn on the server and server the files to be downloaded my
other end.
This is the feature that is automated in this project. User don’t need to worry about
implementation of upload/download feature. All they need to know is two magical
words “download” and “upload”. Users can trigger these functionalities with ease.
Also, user can immediately switch to shell mode that will open an interactive shell
access to the system.

8
This idea has been taken from the meterpreter shell of metasploit tool in linux. The
audience of this project is two types of people who want ease in system assistance
and penetration testers.

Penetration testing may consist of getting into remote system and transferring
sensitive files/exploits. To do that, one needs to utilize resources like netcat, wget,
powershell, ftp, smb etc. This project automates this process and uses the python
libraries to perform the same functions that the binaries provides hence making it
independent of the tools.

CHAPTER 1
Introduction To Modules
1. Socket module: This module provides access to the BSD socket interface.
The socket() function returns a socket object whose methods implement the various
socket system calls. Parameter types are somewhat higher-level than in the C
interface: as with read() and write() operations on Python files, buffer allocation on
receive operations is automatic, and buffer length is implicit on send operations.

9
Socket programming is a way of connecting two nodes on a network to communicate
with each other. One socket(node) listens on a particular port at an IP, while other
socket reaches out to the other to form a connection. Server forms the listener socket
while client reaches out to the server.
They are the real backbones behind web browsing. In simpler terms there is a server
and a client.

1.2. Functions used from socket module.

This project makes use of the socket module of python3. The socket module is
imported so that the following necessary functions can be used:

socket(): This function is used to create a socket through python. A socket is

necessary to communicate with other end. Infact, Communication is not possible
without creating a socket.

10
bind(): A socket with no properties is useless. That's why we need to bind the socket
to a specific IP address and specific port to listen on. And that is done using this
function

listen(): After binding the socket to specific IP address and port number, It's time to
listen for connections from different clients. And the connections are listened on the
ports using this function

accept(): Once we start getting connections from remote clients, it's time to accept
them and interact with them. This is what the accept() does. It accepts connections
from clients and stores their necessary information like socket file descriptor, IP
address etc

recv(): recv() is used to receive the textual data received from the client and store it in
a variable. After that, the response from the server can be easily printed on the screen
using the print() function in python

connect(): connect() is a socket system call used for establishing a connection to

remote system. The connect() function accepts a tuple of remote IP address and port
number as argument to function.

2. Argparse module: The argparse module makes it easy to write user-

friendly command-line interfaces. The program defines what arguments it requires,
and argparse will figure out how to parse those out of sys.argv. The argparse module
also automatically generates help and usage messages and issues errors when users
give the program invalid arguments. Python argparse module is the preferred way to
parse command line arguments. Parsing command-line arguments is a very common
task, which Python scripts do and behave according to the passed values.

11
We will try to establish our need for argparse module by looking at a simple example
of using sys module.

Positional arguments are always treated as Strings, unless you tell Python not to.

Python argparse positional arguments

12
Python argparse positional arguments default values

Positional arguments Data Type

13
3. wget module : GNU Wget is a free utility for non-interactive download of
files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval
through HTTP proxies.

Wget is non-interactive, meaning that it can work in the background, while the user is
not logged on. This allows you to start a retrieval and disconnect from the system,
letting Wget finish the work. By contrast, most of the Web browsers require constant
user’s presence, which can be a great hindrance when transferring a lot of data.

Wget can follow links in HTML, XHTML, and CSS pages, to create local versions of
remote web sites, fully recreating the directory structure of the original site. This is
sometimes referred to as “recursive downloading.” While doing that, Wget respects
the Robot Exclusion Standard (/robots.txt). Wget can be instructed to convert the links
in downloaded files to point at the local files, for offline viewing.

File name wildcard matching and recursive mirroring of directories are available
when retrieving via FTP. Wget can read the time-stamp information given by both
HTTP and FTP servers, and store it locally. Thus Wget can see if the remote file has
changed since last retrieval, and automatically retrieve the new version if it has. This
makes Wget suitable for mirroring of FTP sites, as well as home pages.

Wget has been designed for robustness over slow or unstable network connections; if
a download fails due to a network problem, it will keep retrying until the whole file
has been retrieved. If the server supports regetting, it will instruct the server to
continue the download from where it left off.

Wget supports proxy servers, which can lighten the network load, speed up retrieval
and provide access behind firewalls. Wget uses the passive FTP downloading by
default.

4. sys module: Like all the other modules, the sys module has to be imported with
the import statement, i.e import sys. This module provides access to some variables
used or maintained by the interpreter and to functions that interact strongly with the
interpreter.

4.1 sys.argv: The list of command line arguments passed to a Python script. argv[0] is
the script name (it is operating system dependent whether this is a full pathname or
not). If the command was executed using the -c command line option to the
interpreter, argv[0] is set to the string '-c'. If no script name was passed to the Python
interpreter, argv[0] is the empty string.

4.2 sys.byteorder: An indicator of the native byte order. This will have the value 'big'
on big-endian (most-significant byte first) platforms, and 'little' on little-endian (least-
significant byte first) platforms.

14
4.3 sys.builtin_module_names: A tuple of strings giving the names of all modules
that are compiled into this Python interpreter. (This information is not available in any
other way — modules.keys() only lists the imported modules.)

4.4 sys.current_frames(): Return a dictionary mapping each thread’s identifier to the

topmost stack frame currently active in that thread at the time the function is called.
Note that functions in the traceback module can build the call stack given such a
frame.

4.5 sys.exc_info():This function returns a tuple of three values that give information
about the exception that is currently being handled. The information returned is
specific both to the current thread and to the current stack frame. If the current stack
frame is not handling an exception, the information is taken from the calling stack
frame, or its caller, and so on until a stack frame is found that is handling an
exception. Here, “handling an exception” is defined as “executing or having executed
an except clause.” For any stack frame, only information about the most recently
handled exception is accessible.

5. subprocess module: The subprocess module allows you to spawn new

processes, connect to their input/output/error pipes, and obtain their return codes. This
module intends to replace several older modules and functions.

5.1 subprocess.call: Run the command described by args. Wait for command to
complete, then return the returncode attribute.

The full function signature is largely the same as that of the popen constructor, except
that stdout is not permitted as it is used internally. All other supplied arguments are
passed directly through to the popen constructor.

5.2 subprocess.check_output: If the return code was non-zero it raises a

CalledProcessError. The CalledProcessError object will have the return code in the
returncode attribute and any output in the output attribute.

The full function signature is largely the same as that of the popen constructor, except
that stdout is not permitted as it is used internally. All other supplied arguments are
passed directly through to the popen constructor.

15
5.3 subprocess.check_call: Run command with arguments. Wait for command to
complete. If the return code was zero then return, otherwise raise
CalledProcessError.The CalledProcessError object will have the return code in the
returncode attribute.

5.4 subprocess.PIPE: Special value that can be used as the stdin, stdout or stderr
argument to Popen and indicates that a pipe to the standard stream should be opened.

5.5 subprocess.STDOUT: Special value that can be used as the stderr argument to
Popen and indicates that standard error should go into the same handle as standard
output.

6. http-server: The http-server is a simple, zero-configuration command-line http

server. It is powerful enough for production usage, but it's simple and hackable
enough to be used for testing, local development, and learning.

6.1 http.server.HTTPServer: This class builds on the TcpServer class by storing the
server address as instance variables named server_name and server_port. The server is
accessible by the handler, typically through the handler’s server instance variable.

6.2 http.server.ThreadingHTTPServer: This class is identical to HTTPServer but

uses threads to handle requests by using the ThreadingMixIn. This is useful to handle
web browsers pre-opening sockets, on which HTTPServer would wait indefinitely.

6.3 http.server.BaseHTTPRequestHandler: This class is used to handle the HTTP

requests that arrive at the server. By itself, it cannot respond to any actual HTTP
requests; it must be subclassed to handle each request method (e.g. GET or POST).
BaseHTTPRequestHandler provides a number of class and instance variables, and
methods for use by subclasses.

This class is used to handle the HTTP requests that arrive at the server. By itself, it
cannot respond to any actual HTTP requests; it must be subclassed to handle each
request method (e.g. GET or POST). BaseHTTPRequestHandler provides a number
of class and instance variables, and methods for use by subclasses.

16
7. Os module : The Os module in python provides a way of using operating
system dependent functionality. The functions that the Os module provides allows
you to interface with the underlying operating system that module is running on – be
that Windows, Mac or Linux.The OS module in python provides functions for
interacting with the operating system. OS, comes under Python’s standard utility
modules. This module provides a portable way of using operating system dependent
functionality. The *os* and *os.path* modules include many functions to interact
with the file system.

some functions in OS module:

7.1 os.name: This function gives the name of the operating system dependent
module imported. The following names have currently been registered: ‘posix’, ‘nt’,
‘os2’, ‘ce’, ‘java’ and ‘riscos’

7.2 os.getcwd(): Function os.getcwd(), returns the Current Working Directory(CWD)

of the file used to execute the code, can vary from system to system.

7.3 os.error: All functions in this module raise OSError in the case of invalid or
inaccessible file names and paths, or other arguments that have the correct type, but
are not accepted by the operating system. os.error is an alias for built-in OSError
exception.

8. Time module : Python has a module named time to handle time-related tasks.
To use functions defined in the module. Python has defined a module, “time” which
allows us to handle various operations regarding time, its conversions and
representations, which find its use in various applications in life. The beginning of
time is started measuring from 1 January, 12:00 am, 1970 and this very time is
termed as “epoch” in Python.

8.1 Other functions used in project:

8.1.1 sys.exit(): sys.exit() is a function defined in sys module which is used
for the termination of the code.

17
 8.1.2 printUsage(): printUsage() is a user defined function for displaying the
correct usage of the program to the user in case the initial arguments given
by user are invalid.

8.1.3 errorExit(): errorExit() is another user defined function being used for
doing two operations i.e. first, closing the socket and then terminating the
program. This is used either when the user tries to terminate the
connection or when an internal problem occurs.

CHAPTER 2
Project Description
1. Setting communication parameters:
The very first part of the project is to establish communication with the remote host.
But even before that, we need to specify the communication or connection type
parameter for further proceedings.

There are two types of connections:

1.1 Reverse Connection:

A reverse shell is a type of shell in which the target machine communicates back to
the attacking machine. The attacking machine has a listener port on which it receives
the connection, which by using, code or command execution is achieved.

1.2 Bind Connection:

Bind shell is a type of shell in which the target machine opens up a communication
port or a listener on the victim machine and waits for an incoming connection. The

18
 attacker then connects to the victim machine’s listener which then leads to code or
command execution on the server.

The part of code which sets up these parameters and routes the control flow
according to connection type parameter looks like this:

Here, if the user wishes to have a reverse connection, control flow will direct to
connection_REVERSE.

And if the user wishes to have a bind connection, control flow will direct to the
function named connection_BIND.

As can be seen, the connection_* function accepts IP address and port of

remote/local host.

19
2. Establishing communication:
The following are the definitions of connection_* functions.

2.1 connection_REVERSE(ADDRESS , PORT):

2.2 connection_BIND(ADDRESS , PORT):

In case of reverse connection, a socket object is created and is connected to the

remote socket. In any case of failure, an informative message is displayed and
program exits. If everything runs well, debug output can be printed by specifying the
debug flag.

20
In case of bind connection, a socket object is being created for communication with
remote host and the system is listening on specified port for connections(maximum
5).

Both of these functions return a tuple consisting of a socket object pointing to

remote socket and the IP address of remote host.

3. Communicating with remote host:

As now the communication is established, it’s time to communicate with the
remote host. communication between both the systems takes place
with the help of communication codes.

It receives some code/command from the remote system and passes it to the
function named parse_comand().

The definition of this function looks like this:

Now let’s see how the parse_command() is working.

4. Parsing received commands:

The part of code or method that does command parsing is the main key control
function of this code that invokes the required modules/binaries for providing
features. It receives the commands and calls the right procedure.

The code of the parse_command() looks like this:

21
Here, as you can see in the above function, the parse_command method receives
three arguments i.e command string, remote socket for communication with remote
host , and the IP address of remote system.

Then it checks if the command to switch features. If the command starts with the
word “upload”, it will call another function named download_remote_file(). The
download function is called on giving upload command because we are triggering
the remote system to download our uploaded file on their system.

Similarly, if the command starts with the string “download” , It will trigger the
http_file_upload_server to start the file server on remote system.

5. Functionality providing methods:

Now let’s talk about the main functions that provide functionality(upload and
download feature) to the project.

There are two separate user defined methods being used for upload and download
feature named http_file_upload_server() and download_remote_file().

5.1 http_file_upload_server():

This is a user defined function which is used for starting file server so that other end
can download files from the system. This is triggered on the system when remote
system issues “download” command.

This function works by executing a shell command to invoke http.server module of

python 3 to start an HTTP file server.

The communication between the client and server systems takes place with the help
of codes which are listed below:

22
6. Communication codes:
__FILE_UPLOAD_SUCCESSFUL : File uploaded successfully
__FILE_UPLOAD_ERROR : Error occurred while uploading file
__HTTP_SERVER_STARTED : HTTP server has been started
__FILE_DOWNLOAD_COMPLETE : File download has been completed
__FAILED_HTTP_SERVER : HTTP server has was failed
__FILE_NOT_FOUND : File is not found on the system

The function body of the http_file_upload_server looks like this:

As can be seen in code, the server is started by executing the command python3 –m
http.server. This execution call is made using Popen() function of subprocess module
because it is a non-blocking function that doesn’t hangs until completed. It runs
commands as independent processes.

If the HTTP server starts successfully, __HTTP_SERVER_STARTED will be sent to the

remote system to tell that further proceedings can be done.

If some error arises during this whole process, the respective communication code is
returned to the the other end to have control on situation.

23
Once the process is successful, the server process is killed using subprocess.kill()
function.

6.1 download_remote_file():
This is a user defined function that is used for downloading files from the remote
system.

After the http.server is spawned successfully on the remote system, the

download_remote_file() function invokes download() function from wget module of
python.

The part of code looks like this:

As can be seen in the above code, the function accepts three arguments, second and
third are the socket object and IP of the address while the first one is the name of
the file needed to be downloaded. After successful concatenation of the URL strings,
a request is made to the remote server for file download.

If the process is successful, __FILE_UPLOAD_SUCCESSFUL communication code is

returned to the remote server to kill it.

If error occurs during the process, like the requested file does not exist on the
remote system, __FILE_UPLOAD_ERROR is sent to the remote server to tell them to
kill the process and the program exits.

24
 7. Basic utility function:
There are 4 user defined methods being used here for basic purposes. Those are
listed below:

The fatal() is used in case of a fatal error. When it is triggered, program exits after
displaying the information related to the error.

25
print_debug() is just a printing function which is used only when the user has set the
verbose/debug flag for detailed output.

failed() function is used when the error occurred does not require killing the whole
program.

send_to_remote_system() is used for sending information/communication codes to

remote system. This is done for providing better readability to the program.

8. Arguments and options:

For parsing the arguments, argparse module is being used in the program. The part
of code that deals and handles arguments/options passed to the program looks like
this:

The valid options are:

--ip : For specifying IP

--port : Fore specifying port
--debug : For toggling debug/verbose mode
--bind : For using bind shell
--reverse : For using reverse connection

Output:

26
 CHAPTER 3
SYSTEM REQUIREMENT

1 Facilities Required For Proposed Work (Minimum)

1.1 Software Requirement:

Windows XP

Front End: Python IDE(Anaconda, PyCharm)

Back End: Python3 Interpreter

27
1.2 Hardware Requirement:
Processer: 1GHZ

RAM: 512MB

Disk Space: 20MB free space

Reference & Bibliography

* www.Python.org

* www.pythonspot.com

* simplilearn

* GeeksforGeeks

* www.kaggle.com

* JUSTIN SEITZ, “Black Hat Python”, 2th Edition, NO STARCH PRESS,

2015

* Pentester Academy , “ Python for Pentester ”

28
 Conclusion and future work

In this project of Responsive remote access, we were successfully able to automate

the downloading feature and establish flawless communication between the two
ends using communication codes and commands.

The options/arguments used were successful in control in handling every situation in

the project. All the procedures were working fine when tested.

However, many of the functionalities aren’t implemented yet due to some technical
difficulties. Those will be added in future. Apart from that , efficiency will be
increased of the code after doing some major changes in the current
implementation.

29