Understanding reverse shells
Shell Game
Firewalls block shell access from outside the network. But what if the shell is launched from the inside?
Recently, I've thoroughly enjoyed brushing up my offensive security skills. I've worked in the defensive security field for longer than I care to remember, and gaining more insight into how attackers perceive the world has really opened my eyes. My background is two-and-half decades of Linux and securing containers over the last seven years or so. An area that always piques my interest is Linux-based local privilege escalation. Once you have found a way of gaining access to a machine, the Holy Grail is elevating your privileges to the root user so you have full control.
Sometimes achieving root can take a little time. As an attacker, it is important to be able to return at a later date if you haven't achieved root user privileges yet or you want to monitor changeable data on a machine. Penetration testers and attackers would call this ongoing access persistence, which is the ability to gain a foothold and then maintain access; you might also call it creating a backdoor.
Attackers have a multitude of ways for ensuring that, if a machine reboots or some other event occurs, a backdoor is re-established automatically. This article looks at reverse shells and provides some examples of how to achieve persistence once you have gained access to a Linux machine. It should go without saying that you should use the following information for testing, practicing, and improving your knowledge and not for some nefarious purpose.
Backwards and Forwards
Two popular types of remote access for an attacker are reverse shells and bind shells. A bind shell (sometimes called a forward shell) is where a target machine (the machine under attack) can be accessed remotely by the attacker over the network. For purposes of this article, a bind shell is presented over a network port in a way that an attacker can connect back into the target machine. Bind shells are less common because they require firewalling to be in a more malleable state for the attacker. A number of security controls might be stopping inbound traffic on a server (upstream firewalling with specifically whitelisted IP ranges and various types of inbound traffic being blocked, for example).
A reverse shell, on the other hand, is where the target machine (the one suffering the attack) phones home to an IP address that the attacker controls. In most firewall configurations, outbound traffic is much more open. Often, any process on a machine that initiates network connections is permitted to do so by default. This avoids the need to worry about firewalling between the target machine and the attacker (unless very strict iptables are configured, for example).
Bash It into Shape
The target machine is the computer suffering the attack. The target can be any kind of networkable device, of course, but it is usually a server. Bear the terminology in mind because things can get pretty confusing when other machines are involved and you're reversing the direction of traffic from a target.
I will start with an example from the best shell on the market, Bash. I have an Ubuntu Linux laptop that I will call the "attacking" machine and my "target" machine is a Debian Linux server on AWS (an EC2 instance). The variety of Linux doesn't matter at all in my examples (and as Ubuntu Linux is a Debian derivative, you could swap the roles around without changing any of the command syntax). The straightforward Bash commands that follow should work with most distributions without any changes, although the package installation details might vary.
I'll start by installing the undisputed heavyweight champion of reverse shells, netcat, on the attacking machine (my laptop) so I can listen for the target machine phoning home. On the attacking machine, I will start by creating what's called a listener to catch the reverse shell connection when the target machine phones home.
There are a number of varieties of netcat, mainly for legacy reasons. (I discuss these reasons in my book Linux Server Security: Hack and Defend [1] if you're interested.) Listing 1 shows the results of searching the Ubuntu package lists for the word "netcat."
Listing 1
netcat Package Search
ncat/jammy-updates 7.91+dfsg1+really7.80+dfsg1-2ubuntu0.1 amd64 NMAP netcat reimplementation netcat/jammy,jammy 1.218-4ubuntu1 all TCP/IP swiss army knife -- transitional package netcat-openbsd/jammy,now 1.218-4ubuntu1 amd64 [installed,automatic] TCP/IP swiss army knife netcat-traditional/jammy 1.10-47 amd64 TCP/IP swiss army knife
As you can see in Listing 1, Ubuntu users have four flavors of netcat to choose from. If your attacking machine doesn't have netcat built-in already and it is a Debian derivative:
$ apt install netcat
I prefer to trust the Nmap project's version where possible (named ncat). According to the Nmap website [2], "Ncat is a feature-packed networking utility that reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat."
To install ncat, use the following command on Debian derivatives:
$ apt install ncat
Setting Up the Shell
Now that the listener software is in place, I am ready to set up a reverse shell. The first step is to look up my laptop's IP public address. My favorite way to look up an IP address is using the curl
command.
The ifconfig.io website is an excellent tool for discovering your publicly presented IP address via curl
. You can also get lots of detailed information about your current networking information. The following command dutifully reports back my laptop's public IP address (via a VPN which you may need to switch off initially while testing):
$ curl ifconfig.io 217.XXX.XXX.XXX
The next step is to fine-tune any firewalling on the attacking machine. I use the excellent Gufw Linux firewall [3] that is included in Ubuntu (Figure 1). Look in the Report column (the tab is shown in Figure 1) for useful information about exposed ports. You can even create rules from listening ports in the Report column, making light work of tricky configurations.
The red text in Figure 1 shows a list of four inbound traffic rules that punch a hole in my laptop's firewall. I've opened these inbound ports: 4444, 4445, 8888, and 8889. I tend to use a couple of ports at once and like to have a spare one or two so these choices make sense for my needs.
Note: If you're using NAT to get to the Internet (which you most likely are from both home and the office), you will need a port forwarding rule on your router to get traffic forwarded to TCP Port 8888 in the examples.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.