Hacking with Reverse shell

What is a shell?

A shell, in this context, is code or a program used to obtain code or command execution on a device such as a server or mobile phone.

Shell types

1. Reverse Shell
2. Bind Shell

Reverse Shell

A reverse shell is a type of shell in which the target machine connects back to the attacker. The attacker runs a listener on a port and receives the connection when the code or command is executed on the target.
Figure 1: Reverse TCP shell

Bind Shell

A bind shell is a type of shell in which the target machine opens a communication port, or listener, on itself and waits for an incoming connection. The attacker then connects to that listener on the victim machine and runs code or commands on it.
Figure 2: Bind TCP shell

There are several common shells: the reverse TCP Meterpreter, the C99 PHP web shell, JSP web shells, Netcat and so on. What these shells have in common is that they communicate over the TCP protocol.

When TCP traffic is filtered by a firewall, neither kind of shell can communicate: the server cannot open an outbound connection to the attacker (reverse shell), and the attacker cannot reach any listening port on the server (bind shell).
Figure 3: Firewall blocks bind & reverse connection

However, in many environments you can still send and receive ping requests. Ping uses the ICMP protocol. ICMP stands for Internet Control Message Protocol and is used by network devices for queries and error messages. Unlike the widely used TCP and UDP protocols, ICMP is not normally used to transfer application data between network devices. When a device tests its connection to another device, it sends an ECHO REQUEST using the ping tool (ICMP communication) and waits for an ECHO REPLY. The following figure shows the ping echo request and reply exchange between two network devices.

Looking at the ping echo request and reply, you can confirm that network device A (10.0.0.7) sends a ping echo request whose ICMP message contains 48 bytes of data. Network device B (10.0.0.8) responds with a ping echo reply carrying the same 48 bytes of data. Please refer to the following capture:
As you can see, the packet has no source port number or destination port number of the kind found in the TCP or UDP header formats. Echo request and reply traffic therefore flows between network devices without using a specific port. Given the above, nothing stops ICMP communication between the victim and the attacker when both devices run a custom ICMP agent. The client ICMP agent listens for ICMP packets from a specific host and executes the command carried in the data of the message. The server ICMP agent sends ICMP messages to the victim running the custom ICMP agent, carrying the command to be executed.
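As an added defensive example (not code from the original post), the following Python builds and parses ICMP echo messages per RFC 792 and audits a constructed sequence of packets for the two properties the text relies on: a genuine echo reply mirrors the request data, and an ordinary ping repeats one data size, so replies that differ from their request or sizes that vary within one identifier stream point to a data channel rather than a ping. The identifiers, the 48-byte filler and the text payloads are constructed sample values.

```python
import struct
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo message: type, code, checksum, identifier, sequence, data."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(pkt: bytes) -> dict:
    """Split an echo message into fields; a valid checksum re-sums to zero."""
    t, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": t, "id": ident, "seq": seq, "payload": pkt[8:],
            "checksum_ok": icmp_checksum(pkt) == 0}

def audit_echo_traffic(packets: list) -> list:
    """Flag echo traffic that behaves like a data channel rather than a ping: replies
    that do not mirror the request, and request sizes that vary within one id stream."""
    findings, requests, sizes = [], {}, {}
    for pkt in packets:
        p = parse_echo(pkt)
        key = (p["id"], p["seq"])
        if not p["checksum_ok"]:
            findings.append((key, "bad checksum"))
        if p["type"] == ICMP_ECHO_REQUEST:
            requests[key] = p["payload"]
            if len(p["payload"]) != sizes.setdefault(p["id"], len(p["payload"])):
                findings.append((key, "request data size changed within stream"))
        elif p["type"] == ICMP_ECHO_REPLY and requests.get(key, p["payload"]) != p["payload"]:
            findings.append((key, "reply data does not mirror request data"))
    return findings

# Constructed sample traffic (not a capture): one normal 48-byte ping exchange
# like the page's example, then an echo stream carrying agent text instead.
FILLER = bytes(range(48))
SAMPLE = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, FILLER),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 1, FILLER),
    build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 1, b"constructed agent request text"),
    build_echo(ICMP_ECHO_REPLY, 0xBEEF, 1, b"constructed agent reply text, not a mirror"),
    build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 2, b"shorter text"),
]
```

Running `audit_echo_traffic(SAMPLE)` leaves the normal exchange unflagged and reports the two anomalies in the 0xBEEF stream; on real traffic the same checks would be fed from the ICMP portion of captured packets.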
