Spawn the shell

Posted on 22-Nov-2014


Description

Spawning a reverse shell, anytime, with any IP!

Transcript of Spawn the shell

Spawning Reverse Shell: Anytime With Any IP!

Bhaumik Merchant

Author And Speaker at….

Objectives

• Reverse shell basics

• Advanced reverse shell method

• Dynamic DNS concepts

• Demo

Let’s consider one scenario to understand the reverse shell attack…

• Jack works in a corporate environment which is protected by IPSs, IDSs, firewalls, etc.

• He plans an attack and decides to plant a reverse shell, because a few security mechanisms permit some amount of outbound traffic.

• He wants to spawn the shell from his office machine to his home machine after 6 p.m., i.e. once he reaches home.

• Jack needs one live system which is up and running, plus a handler running on it at his place, to receive the shell.

• Jack must know the IP address of his home machine before planting the shell on the office machine.

Then what is the roadblock for Jack?

• Jack’s home machine has to be running during office hours, with the handler listening on some port to receive the shell.

• Jack has to know the IP address of his home machine before planting the shell on the office machine.

• But if he is using PPP or DHCP, the IP address will change on every connect and disconnect. (ISPs allocate dynamic IPs to home users, e.g. home routers, internet dongles.)

What Is The Real Problem With The Formal Way To Spawn A Reverse Shell?

• Your Place

• Your Time

• Your IP

#include <reverse-shell.h>

One • Handler started on the attacker machine.

Two • Payload transfer phase from attacker to victim machine.

Three • Reverse shell or msf payload injected into the victim’s machine.

Four • Attacker gets the victim’s bash/cmd (Attack!!)

Formal Way To Spawn The Reverse Shell!

Attacker

Handler Started In The Attacker’s Machine

Inject Shell Into The Victim’s Machine

Handler Gets The Reverse Shell

Game Over!

Formal Flow Of Reverse-Shell - I

Flowchart (attacker side): Start Handler -> Is Handler Started? (Yes / No) -> Wait For Reverse-Shell -> Get Reverse-Shell -> Game Over!

Dynamic Flow Of Reverse-Shell - II

Flowchart (attacker side): Start Handler -> Is Handler Started? (Yes / Yes) -> Wait For Reverse-Shell -> Get Reverse-Shell -> Game Over!

The handler may or may not have been started yet; either way, you can still plant the reverse shell.

Base Level Mechanism (Diagram)

EXE - I

EXE - II

EXE-I :- Existence check for the attacker, whether online or offline.

EXE-II :- Transfer the reverse shell to the attacker machine, with any payload.

Synchronous Execution

So How It Works (I)?

Diagram (A = attacker, V = victim): the attacker machine is listening for the reverse shell; the victim’s machine sends some packets to check the existence of the attacker. EXE-I in execution.

So How It Works (II)?

Diagram (A = attacker, V = victim): the attacker machine is listening for the reverse shell; the victim’s machine sends some packets to check the existence of the attacker. Execution of EXE-I completed!

So How It Works (III)?

Diagram (A = attacker, V = victim): the attacker machine is listening for the reverse shell; the victim’s machine sends some packets to check the existence of the attacker. Execution of EXE-II started and Game Over!

#include <my-method.h>

Dynamic Flow Of Reverse-Shell - II

Flowchart (attacker side): Start Handler -> Is Handler Started? (Yes / Yes) -> Wait For Reverse-Shell -> Get Reverse-Shell -> Game Over!

The handler may or may not have been started yet; either way, you can still plant the reverse shell.

while (true) {
    if (icmp reply from hh2012.dynamic-update.com) {
        break;
    }
}

void Reverse_Shell_Transfer() {
    transfer reverse shell;
}

How To Program It?

Captured DNS Request Made By Normal Browser

Captured DNS Request Made By Our EXE In Live Attack
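The two captures above contrast a browser's one-off lookup with the polling EXE, which keeps resolving the same dynamic DNS name at a fixed interval until the attacker comes online. From the defender's side that regularity is the detectable signal. The following is an added example, not part of the slides: it scans DNS query log lines (a constructed sample in an assumed "epoch client qtype qname" format) and flags clients that resolve a dynamic-DNS hostname repeatedly with near-constant spacing; the provider suffix list is an assumption for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log (not captured from the talk's demo).
# Assumed line format: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1416646800 10.0.0.12 A www.example.com
1416646805 10.0.0.12 A hh2012.dynamic-update.com
1416646835 10.0.0.12 A hh2012.dynamic-update.com
1416646865 10.0.0.12 A hh2012.dynamic-update.com
1416646870 10.0.0.12 A cdn.example.net
1416646895 10.0.0.12 A hh2012.dynamic-update.com
1416646925 10.0.0.12 A hh2012.dynamic-update.com
1416646900 10.0.0.20 A www.example.com
1416647100 10.0.0.20 A mail.example.com
"""

# Dynamic-DNS suffixes to watch: the talk's hostname sits under
# dynamic-update.com; the other two are assumed for this example.
DYNDNS_SUFFIXES = ("dynamic-update.com", "no-ip.org", "dyndns.org")

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, client, qname) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(4).lower()

def find_dyndns_beacons(text, min_queries=4, max_jitter=0.25):
    """Return {(client, qname): mean_interval_seconds} for clients that
    resolve a dynamic-DNS name at least min_queries times with low
    relative jitter, i.e. scripted polling rather than human browsing."""
    times = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if qname.endswith(DYNDNS_SUFFIXES):
            times[(client, qname)].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_queries:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits
```

On the sample log only 10.0.0.12 is flagged, polling hh2012.dynamic-update.com every 30 seconds; the browsing client 10.0.0.20 never touches a dynamic-DNS suffix.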

Let’s Get Our Hands Dirty!

#include <demo.h>

Backdoor.security@gmail.com

Bhaumik.merchant@indusface.com

Thank You