A reverse shell is a type of session cyber attackers commonly use to open communication ports between their machines and the victims’. It is also one of the penetration testers’ go-to methods.
A reverse shell, also known as a “connect-back shell,” takes advantage of the target system’s vulnerabilities to initiate a shell session then gain access to the victim’s computer. The goal is to connect to a remote computer and redirect the input and output connections of the target system’s shell so the attacker can access it remotely.
Read More about a “Reverse Shell”
To better understand what a reverse shell is, we need to get to know two concepts first. These are:
- Normal shell session: Typically, a shell session is initiated by the local host like your computer. For instance, when you use Microsoft Windows, the Windows shell provides the start menu, taskbar, and overall desktop environment.
- Bind shell session: The attacker connects to a remote computer and requests a shell session. By granting the request, you are giving him or her access to your desktop. For a bind shell session to succeed, the remote computer has to be directly accessible. This requires a public Internet Protocol (IP) address, and the computer must not use a firewall.
Attackers and penetration testers can easily execute a bind shell, as shown in the image below.
What if the target computer is protected by a firewall or doesn’t have a public IP address? That is where a reverse shell comes in.
How Does a Reverse Shell Works?
Firewalls protect the victim’s network from incoming connections, so its presence discourages bind shell sessions. Instead of directly requesting a shell session, an attacker waits for a victim’s machine to initiate an outgoing connection—hence, it is called a “reverse” shell.
The image below sums this up: The incoming connection from an attacker’s computer is screened and blocked by the victim’s firewall. However, it doesn’t screen outgoing connections.
With the right tool, an attacker can set it up so a victim’s computer itself initiates the outgoing connection. All an attacker has to do is listen for outgoing connections.
Once a shell connection is established, an attacker can get administrator privileges and execute commands directly on a victim’s operating system (OS). Cyber attackers can then freely access a victim’s network.
You may be wondering how a victim’s computer could be set up to connect to a hacker’s system. Such a scenario is possible with the help of a piece of malware installed on a victim’s computer, either from a malicious website or phishing email.
The malware can initiate an outgoing connection to its command center (an attacker’s computer).
Is There a Legitimate Use for a Reverse Shell?
Like any other technology, organizations can use a reverse shell. For one, it can help network administrators access systems remotely when performing maintenance. It removes the need for on-site visits, which is a convenient option during the coronavirus pandemic.
How to Prevent Reverse Shell Connections
From a technical point of view, completely preventing reverse shell connections is not possible. It can be used for legitimate reasons so it comes with a network design. But to prevent malicious reverse shell connections, here are some actionable tips:
- Allow remote access only to and from specific and necessary IP addresses and ports.
- Update web applications regularly to ensure the application of bug fixes.
- Do not open emails from unknown senders.
- Do not click links embedded in or download files attached to suspicious emails.
- Make sure your antivirus software is running and up-to-date.
A reverse shell can be a dangerous weapon. However, we can’t discount the fact that it is also useful for network defense. For instance, penetration testers can test for vulnerabilities in reverse shell connections to make sure weaknesses are addressed immediately.