This content demonstrates how to build a remote access trojan (RAT) or reverse shell that operates entirely through Discord, allowing for command execution and file system interaction on a target Windows machine.
Mind Map
Click to expand
Click to explore the full interactive mind map • Zoom, pan, and navigate
This is a remote access to a RAT or a
reverse shell which works entirely
through Discord. Check this out. Here I
have the target Windows machine and here
I have a Discord server with a channel
with the name of the IP of this machine.
This entire text channel can be used to
remotely control the Windows machine. If
I type who am I, as you can see the bot
returns the command output. There we
have the current working directory. I
can go back directories and I can even
list files. As you can see, these are
the exact files on the desktop. Oh, and
a reminder, this is Discord. You can
literally invite your friends to the
server and remote control computer
together in this text channel. How cool
is that? By the end of this video,
you'll know exactly how to set this up.
But make sure to watch till the end for
something interesting. And by the way,
this is obviously for educational
purposes only. If you plan to do bad
things, just click off now. Thank you.
Okay, first let's set up a Discord bot.
Open a browser, search for Discord
developer portal [music]
and just go to applications here. [music]
[music]
Login. Now hit new application. Name it
something. Agree here and hit [music] create.
create.
Now go to bot. Scroll down here and
check this one and save changes. Now go
to OOTH. Scroll down, select bot. Scroll
down, select send messages and [music]
manage channels. Scroll down and copy
this link and invite the bot to your
server. You just need to paste it in
your browser. Let me create a new server
for this. By the way, this is the
Heptasc Discord community. Feel free to
join, but I'll add a server. Create my
own and name it rat test.
Okay. And I'll invite to this one. There
it is. and click authorize.
Now the bot is in our server. Now go to
bot again, scroll down and hit reset
token [music] and copy this. But keep in
mind this is a secret so don't show it
to others. Now I'm going to create a
folder for our project.
I'm going to open it and we'll open
Visual Studio Code here.
I'll create a new file called it bot.py.
And for now, I'll just keep the token
here. Now, let's get our bot running
with a hello world answer first, and
then we'll get to writing the reverse
shell. Let's import Discord.
Now, let's create our Discord bot
client. And now, let's set up an event
handler for a new message. This function
is going to execute every time a new
message is sent somewhere in the server.
And the message is also passed as a
parameter here. So, we have access to
it. First of all, let's do if message
dot author dobbot. So if the message
author is the bot, let's return this.
Just says if the bot send the message,
don't do anything cuz otherwise the bot
would get in an infinite loop where it
responds to itself to its own messages.
Okay. And now let's do a test. If
message dot content is equal to hello,
let's send back hello world. [music]
And finally, let's do client run and
pass in our token. This basically starts
the bot. Okay, let's save and let's open
a terminal.
Of course, you need to make sure you
have Python installed. If you don't, it
will pop up when you type in Python and
just follow the steps and install it.
[music] But now, let's create a new
virtual environment.
Hit yes here. Now, let's do ven scripts.
Let's do activate.ps1.
Okay, let's do powershell-
ep bypass. And now activate. Okay, let's
This just installs the discord package
which we are using here.
And there we go. It stopped being
underlined. Here I have discord as well.
So we can see both. And let's do pythonbot.py.
Okay, as you can see, our bot is now
online. And let's do hello.
Okay, great. Our bot is able to reply.
If I hit Ctrl + C and stop this process,
the bot goes offline. Okay, I'm now back
to our IDE and let's now make it a
reverse shell. Let's define another
event handler. The ready event fires
when the Discord bot first launches, and
it fires once. So, this event handler is
going to run once when the bot is
started. In it, let's define a variable
for the channel. This is going to be the
channel which we will use to write the
commands and where the bot will send
back the results of the commands. Now,
one thing we need to do is we need to
find an object for our server. If your
bot is only in one server just like ours
is, you can retrieve an object of your
server or your guild like this. We are
accessing the array of guilt and because
our bot is only in one, it's going to be
the first element with index zero. Now
we need to come up with a name for the
channel. I think a very suitable name
would be the IP address of the computer
which connected. Now we can grab the
public IP by simply sending a get
request to this address. Obviously I'm
going to have this blurred out but this
is your public IP. So what we can do is
import requests and let's set the IP
equal to requests.get
and let's send a get request to this address.
address.
And also because the IP is separated by
dots and discord channels cannot have
dots in them. Let's replace the dots
with dashes because Discord channels can
have dashes in their name. Okay. And now
let's create the channel.
We are creating a text channel and here
we are passing the name of the channel
which is going to be the IP. Now because
I don't want to deal with having to blur
my IP all over the place, I'm going to
just set the name of the channel or the
IP to some placeholder IP address. Let's
Let's make sure to have requests
installed also.
And let's do a test. Python bond.py Pi.
And as you can see, as the bot spawns,
it creates this text channel. Perfect.
Let's remove it and stop our bot. What
we need next is a PowerShell session
which we can send our commands to and
rely on it to return the output of the
commands back to us. Here is how we are
going to do that. Of course, let's
import subprocess.
And we are spawning a new PowerShell
session. And we are also making sure to
not create a window. So, it is a hidden
PowerShell. Usually if we open
PowerShell we would have this window but
we don't want it here. So that's what
this is for. Okay. Now let's define a
function to execute a command.
Now here we are going to use a very
similar idea as the one shown in our
antivirus bypass video. So if you can't
really understand this, I would suggest
going back to this video and watching it
as well. Basically we're going to have a
marker and we are going to wrap our
command in this try catch block. Now all
this is for is to catch errors. So for
example, if we were in PowerShell and we
were to enter a command that would
return an error, all this does is it
just captures this error. So it is also
returned to the user. And now we'll just
write this command in this wrapper to
the standard in pipe of the PowerShell
session that we created. Again, if that
is not clear, just go watch the other
video. And now we need to return the
output. We're going to be iterating the
standard outpipe and we are going to be
appending it to this array. And finally,
we'll just return it. And of course,
we're going to know when our command
ended by looking for this marker and
breaking. That's explained in the other
video. Now, let's test our bot. Does
this work so far? Instead of sending
hello world, let's just send execute
cmd. And let's execute, for example, who
am I? And let's do one last thing. This
event handler here executes when a
message is sent to every single channel.
So let's make sure that we're responding
only if we are in that specific channel
that we created earlier which is saved
right here in this global variable. So
let's do if the channel doesn't exist or
the channel where this message exists
isn't the same as the ID of the channel
that we created earlier then we return.
If the channel isn't this channel we
don't do anything. That's it. Okay,
let's save and let's try [music]
let's do Python bot.py.
Our channel got created. So let's try
sending hello here again. We got no
answer. That's a good sign. Now let's go
here. Let's enter something. Nothing is
returned. Now let's enter hello. If you
remember on entering hello, we should
receive the output of the who am I command.
command.
And there we go. That is indeed the
current user. I'll stop the bot. If we
do who am I, that's the same output
right here. Okay, we are very very
close. Instead of sending only this
command, let's just execute the command
that was the message itself. So let's do
result is equal to execute cmd. And here
we will pass message content. That's the
text that we sent in the channel. And
let's send it. One special case that we
need to handle is what happens if the
command doesn't return any output. For
example, if we do a command like cd dot,
as you can see, there is no output. So,
let's make sure with an or. This or will
mean if this is an empty string, then do
this. So, if it is an empty string,
let's make it executed message.content
message.content
with no output. Okay, let's save and
test it.
Oh, well, the bot doesn't clean up for
itself so far. So let's delete both of
these channels and let's run it again.
So if I do ID or who am I? Okay,
something is not right here. Oh yeah,
well we still have this condition that
we the message needs to be hello. So
yeah, I forgot to remove that. So let's
make sure that this condition doesn't
exist because we wouldn't be able to use
our thing otherwise.
Okay, let's save. Let's stop the bot and
rerun it. This is the new channel. So
let's try ID now. And we get the error.
Let's try who am I? Nice. Now let's try
using it for a bit. For example, let's
go back. Let's list directories and
let's try reading this text file. As you
can see, it's quite big.
Now, as you can see, this here is a bit
of a problem. Our message can't be
longer than 4,000 characters. So, we
need to think of a way around this.
Otherwise, we won't be able to get the
output of commands that are 4,000
characters or longer. So, let's do the
following. We'll set up an infinite loop
and we'll send only the first 2,000
characters of the result. Obviously, if
it is less than 2,000 characters, we're
going to send all characters. And once
we've sent the first 2,00 length check
of our result. If the length of the
result is less than 2,000, let's break
out of the infinite loop. So, what this
is saying is if the message was less
than 2,000 characters, we don't need to
loop at all. We just send it as usual.
In this case, this loop wouldn't even
matter. If the message was shorter than
2,000 characters, it would be the same
as just doing what we had done earlier.
However, let's handle a case where the
message is more than 2,000 characters.
In that case, what we can do is cut out
the first 2,000 characters of the
message and repeat the whole thing. So,
let's do result is equal to the result
but with the first 2,000 characters
removed. So, how this works now, if our
message was 3,000 characters long, we
would send the first 2,000. We will
check if the length of the result is
less than 2,000. In this case, it
wouldn't be. It is 3,000. So, we don't
break, but instead we remove the first
2,000 characters, but we already send
them, so that's fine. And because this
is a loop, we then come back here. And
now the message has 1,000 characters. We
send the first 2,000 out and that's
basically the whole thing. Then we check
whether the length of the result is less
than 2,000 and now it is only 1,000. So
now we hit this break. We no longer need
to cut the message in chunks of 2,000
because it is already less than 2,000.
And when we hit the break, we exit the
loop and the transmission of the message
is complete. Obviously, if it was
50,000, this would just repeat a lot of
times until it sends the whole thing.
Hopefully, that makes sense. Now, let's
save and let's test. Let's remove our
channels here that are no longer used.
And let's do Python bot.py.
There is our text channel. Let's do who
am I. Okay, good. Let's do cd dot.
We are now on the desktop. If you
remember, here is where this long file
was. So, let's do cut haha.ext.
haha.ext.
And now, as you can see, the whole thing
gets printed in batches. It just sends
the messages 2,000 characters by 2,000
characters by 2,000 characters until it
finishes. That's a way to bypass the
restriction. Okay. Well, we can add a
lot of features to this bot if we wanted
to, but I'd say this is enough features.
If you want to feel free to add more.
Now, let's create an executable file out
of this script. The executable file is
going to be the final payload, which
when you give it to someone and they run
it, you have access to their computer
from Discord. So let's do pip install pi installer.
Now let's do pi installer d- version.
This makes sure it is installed
successfully. If you see a version, it
probably is. And now let's do pi
installer d-1 file d-no console. And the
script is going to be bot.py.
Once the build is complete, you can find
your executable file in the directory.
Let's find it in file explorer.
Here it is. Let's copy it. Let's close
this. Let's put it here on the desktop.
You can obviously change the icon if you
wanted to. I'll leave that to you. You
can research how Pi Installer works. But
now, let's test it. By the way, Defender
is running. As you can see, all security
settings are on. And let's run this.
As you can see, nothing pops up on the
victim computer. There is no trace of
something going on. But if you open this
channel and do who am I, you can see we
have remote control. Let's do cd dot
list files. Okay, that's home. Let's go
to desktop.
Let's do echo subscribe into subscribe.ext
and there is a text file. Now let me
switch over to my column machine to show
you something interesting. I have
transferred the file we just generated
over here on my Kali. If we run file on
it, as you can see, it is a Windows
executable. We already know that. What
I'll do now is I will download a script
that extracts the byte code from the
executable. And I will run it on bot.exe.
As you can see, it created this
directory where the bite code is extracted.
extracted.
Now I will run this grab command which
grabs this reax which is a reax for
discord tokens.
And as you can see it finds something.
If you open this file with the text editor.
editor.
Well maybe not with this one. Let's do
let's open it with VS code.
As you can see we have some strings here
like discord token but other than that
we have the actual Discord token right
here. If you rewind the video back, it
is actually exactly this string. So,
what is the takeaway from here? Well, if
you send someone who knows what they're
doing, this executable file, they could
probably extract the Discord token and
take over your bot. Now, let me leave
you with something to think about. What
would be a way to create the same
bot.exe file with similar functionality,
but keep the Discord token completely
safe? I want to hear your ideas. Leave
them down in the comments below or over
on Discord. If you are in the mood for
learning more ethical hacking, I
strongly recommend the AV evasion video
Click on any text or timestamp to jump to that moment in the video
Share:
Most transcripts ready in under 5 seconds
One-Click Copy125+ LanguagesSearch ContentJump to Timestamps
Paste YouTube URL
Enter any YouTube video link to get the full transcript
Transcript Extraction Form
Most transcripts ready in under 5 seconds
Get Our Chrome Extension
Get transcripts instantly without leaving YouTube. Install our Chrome extension for one-click access to any video's transcript directly on the watch page.
