Home » Articles » Comprehensive Guide to Backdoors
Click Here To Hide Tor

Comprehensive Guide to Backdoors

When I was learning this, I was disappointed with internet guides for setting up remote access, aka backdoor to a computer so here’s my contribution. Also, it’s important for security and privacy concerned people to understand this because these methods are often used maliciously to gain control over target computer.

In this article, I’m going to cover theory and practice behind binding TCP shells and reverse TCP shells. After that I will briefly touch upon their advanced versions – secure shells (SSH) and reverse secure shells.

Theory

Transmission Control Protocol (TCP) is a way to transfer data from one IP address to another. It’s used to transfer the command to the remote computer as well as the command output back to the command and control computer. In TCP connections, one side has to listen for a connection and the other side has to connect.

There are 2 ways to get a shell on remote machine:

  1. Remote machine listens for a connection. There has to be a process on the remote machine that waits for a connection and executes a shell once the connection is established.
  2. Remote machine connects to us. This one goes the other way around – local command and control machine has to listen for a connection and remote machine has to ‘send’ a shell to the listener.

Which one is better? Of course, it depends on the circumstances, otherwise one wouldn’t be mentioned. Each paragraph explains corresponding row in the table below.

At a first glance, option #1 seems superior because we can connect to remote computer anytime, instantly. When using reverse shell, persistent backdoors try to connect to the control computer periodically, so we usually have to wait.

By default, firewall blocks all connections to the machine. To allow connections to the listener process, firewall must open that port. Firewall only works for incoming connection, it has no restrictions on outgoing connections so by choosing option #1 or option #2, you’re also choosing which computer’s firewall you need to configure. This is why hackers prefer reverse shells – it’s easier to configure their than victim’s firewall.

When using TCP connection, each side’s router assigns a unique port to a specific computer in local area network. That’s how the router knows which packet should be sent to what computer in LAN. If we try to connect to our listener on remote machine (option #1) without configuring the router to forward our connection to the exact computer and exact process, the router will refuse connection because it doesn’t know where to send the packet. By choosing option #1 or option #2, you’re also choosing which router needs to be configured to port forward the connection. Obviously, hackers prefer to configure their router, rather than their victim’s.

Hopefully, you can answer the question yourself after reading this. Here’s the summary:

Option #1 – Bind TCP shell to a port Option #2 – Reverse TCP shell
Instant Connection YES NO
Firewall Must be configured or turned off on remote machine Must be configured or turned off on control machine
Port Forwarding Must be configured on remote machine’s router Must be configured on local machine’s router

If you don’t know where is your computer going to be, reverse shell is the way to go because you can always configure the firewall and port forwarding on your location. If you can configure the firewall and port forwarding on the remote side beforehand, you might want to enjoy the instant access.

Hands-on guide

I’m going to use netcat for demonstration because it’s available for Linux (featured here), Windows and Mac computers. It’s also the most simple and straightforward way to go. If you need to execute either of these without netcat, you can use Metasploit to generate a program for desired system.

Option #1 – Normal Shell

We need to bind a shell to a port and wait for a connection. Executing this on remote machine will do it:

 

Now, we need to connect to that listener from out local machine. I’m connecting to my own computer for the demo purposes so I use 127.0.0.1 as IP address. You should replace it with target’s public IP address.

 

Option #2 – Reverse Shell

As previously discussed, we need to listen for a connection on our local, command and control computer:

 

Now, the remote computer has to send a shell by executing this (replace 127.0.0.1 with public IP that belongs to your command and control computer):

 

…result:

Endnote

Keep in mind that these backdoors’ connection is in plain text and without any authentication. That’s why there are secure shell (SSH) and reverse secure shell that works the same way, but using encryption and password authentication with it.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Captcha: *