
What is Malware Development? Tricks and Techniques


Whether you specialize in Red Team or Blue Team operations, gaining expertise in malware development techniques and tactics offers a holistic understanding of advanced attack strategies. Since most malware targets Windows, learning to develop it gives you valuable skills in Windows programming.

Most of the tutorials in this series require an intermediate-level understanding of the C/C++ programming languages.

You may also like to read: What is Malware Development: Quick Guide

Malware Development Tricks and Techniques

Reverse Shells - These are a fundamental building block in malware development.





Note: Convert your virtual machine Network ( Linux and Windows ) from NAT to a Bridged Adapter.



What is Reverse Shell?

A reverse shell, often called a connect-back shell, is a shell started on the target that connects back to the attacker's machine, giving the attacker a shell on the target from their own machine. It is usually used during the exploitation process to gain control of the remote machine.


Reverse shells are a common tactic employed by red teamers and pen-testers when facing firewall restrictions on inbound connections. By utilizing outbound ports such as 80, 443, or 8080, they can bypass these restrictions. However, it’s crucial to note that this approach exposes the attacker’s control server, making it susceptible to detection by network security monitoring services.

The process typically involves three steps.

First, the attacker exploits a vulnerability in the target system or network, granting them the ability to execute code. Next, they set up a listener on their own machine. Finally, they inject a reverse shell into the vulnerable system to exploit the vulnerability.

It’s important to recognize another potential risk: in real cyber attacks, reverse shells can also be obtained through social engineering tactics. For instance, malware distributed via phishing emails or malicious websites can initiate outgoing connections to a command server, providing hackers with reverse shell capabilities.

In summary, while reverse shells offer a workaround for firewall restrictions, they come with inherent risks, including exposure to detection and exploitation through social engineering tactics.



The purpose of this post is not to exploit a vulnerability in the target host or network but to find a vulnerability that can be leveraged to execute code.

The reverse shell will be different depending on which system is installed on the victim and what services are running there. It may be PHP, Python, Java, etc. 

Listener

For simplicity, in this example the victim allows outgoing connections on any port (the default iptables firewall rule). In our case, we use 4444 as the listener port; you can change it to any port you like. The listener can be any program or utility that can open TCP/UDP connections or sockets. In most cases, I like to use the nc (Netcat) utility.


In this case, the -l flag tells Netcat to listen for incoming connections, the -v flag enables verbose output, the -n flag prevents DNS resolution, and the -p flag specifies the port number.



Run Reverse Shell (Examples)

Again, for simplicity, the target in our examples is a Linux machine.

  • netcat

         run:

where 192.168.1.15 is your attacker machine's IP and 4444 is the listening port.

Here, we successfully obtained the reverse shell.

  • netcat without -e: Newer Linux machines ship by default with traditional netcat built with GAPING_SECURITY_HOLE disabled, which means the -e option of netcat is not available.

In this case, in the victim machine run:


Here, I’ve first created a named pipe (AKA FIFO) called p using the mkfifo command. mkfifo creates an entry in the file system; here it serves as a “backpipe” of type p, which is a named pipe. This FIFO will be used to shuttle data back to our shell’s input. I created my backpipe in /tmp because pretty much any account is allowed to write there.

  • bash: This will not work on old Debian-based Linux distributions.

          run:


  • python: To create a semi-interactive shell using python.

        run:



I hope you understand the importance and concept of a reverse shell. It’s very important in the context of Malware Development.
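From the defender's side, the variants above (netcat with -e, the mkfifo backpipe, bash, python) all end the same way: a shell whose standard descriptors are attached to a socket or to the FIFO in /tmp, whatever the command line looked like. The following is an added example, not code from the original post; it inspects /proc on Linux with a heuristic check, and the process names it matches on are an assumption.

```python
import os
# Interpreters and utilities the post lists as reverse-shell carriers, plus
# the shells they spawn (assumption: names as they appear in /proc/PID/comm).
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "nc", "ncat", "netcat", "python", "python3"}

def classify(comm, fd_targets):
    """comm: value of /proc/PID/comm; fd_targets: {fd number: readlink target}.
    Returns a short reason if the layout looks like a reverse shell, else None."""
    if comm not in SHELL_LIKE:
        return None
    stdio = [fd_targets.get(n, "") for n in (0, 1, 2)]
    sockets = sum(t.startswith("socket:[") for t in stdio)
    if sockets >= 2:
        # nc -e, bash and python variants: the shell reads and writes a socket
        return "stdio bound to a socket (%d of 3 fds)" % sockets
    if stdio[0].startswith("/tmp/"):
        # named-pipe variant: the shell's input is the FIFO created in /tmp
        return "stdin is a FIFO in /tmp: " + stdio[0]
    return None

def scan_proc(proc="/proc"):
    """Walk /proc (Linux only) and return [(pid, comm, reason)] for hits."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            fds = {n: os.readlink(f"{proc}/{pid}/fd/{n}") for n in (0, 1, 2)}
        except OSError:
            continue  # process exited, or its fds are not ours to read
        reason = classify(comm, fds)
        if reason:
            hits.append((int(pid), comm, reason))
    return hits

# Constructed descriptor tables, in the form os.readlink returns them.
SAMPLES = {
    "nc_variant": ("bash", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
    "backpipe": ("sh", {0: "/tmp/p", 1: "pipe:[4101]", 2: "/dev/null"}),
    "terminal": ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    "webserver": ("nginx", {0: "/dev/null", 1: "socket:[22]", 2: "socket:[22]"}),
}

if __name__ == "__main__":
    for name, (comm, fds) in SAMPLES.items():
        print(name, "->", classify(comm, fds))
    for pid, comm, reason in scan_proc():  # live check on a Linux host
        print(f"pid {pid} ({comm}): {reason}")
```

Run it as root to see every process's descriptors; unprivileged runs only see your own. A shell started from a script with input redirected from /tmp will also trigger the second rule, so treat hits as leads, not verdicts.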