Reverse Shells

When discussing reverse shells, we should first cover what a shell is. A shell lets a user interact with the operating system, the applications on the computer, and every function that user is permitted to use. A remote shell lets a user perform those same actions on a device across the network. In its ordinary form (often called a bind shell), it works by delivering a payload to the victim's machine; that machine then listens for the attacker's incoming connection, and when the attacker connects, they have a remote shell.

A reverse shell works in the opposite direction. The victim's machine is still infected with a malicious payload, but this time the victim initiates the traffic, not the attacker. The attacker has a listener set up on their own device, waiting for the victim's machine to connect to it.

Reverse shells can be used to evade firewall rules. Take a scenario where all incoming traffic is blocked by default, but port 80 is allowed out through the firewall. A typical remote shell will not make it through because of the direction in which the connection is initiated, whereas a reverse shell is permitted by the outbound port 80 rule (if the attacker chooses that port).
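The two points above, that the victim's machine opens the connection and that it can ride an allowed outbound port, are exactly why an inbound-only firewall never sees a reverse shell: the defender has to look at which process owns the outbound socket instead. The following detection sketch is an added example for this post, not code from the original article. It scores socket records from a hypothetical endpoint-agent export (the `pid=... comm=... parent=... laddr=... raddr=... state=...` line format, the process names and the addresses are all constructed here) and flags the patterns a reverse shell leaves behind: a shell or netcat-style tool holding an established connection, a script interpreter talking on a web port, and, going slightly beyond the post's scenario, a shell spawned by a web server process. Loopback connections are ignored because they are local IPC, not a remote shell.

```python
import ipaddress
from dataclasses import dataclass

# Constructed endpoint-agent export for this example, one established socket per line.
# Line 1 is the post's scenario: a shell on the victim calling out on port 80.
SAMPLE_EVENTS = """\
pid=4242 comm=bash parent=cron laddr=10.0.0.5:51234 raddr=203.0.113.10:80 state=ESTAB
pid=1801 comm=firefox parent=systemd laddr=10.0.0.5:40110 raddr=198.51.100.7:443 state=ESTAB
pid=3377 comm=sh parent=nginx laddr=10.0.0.5:41900 raddr=192.0.2.9:443 state=ESTAB
pid=2210 comm=python3 parent=bash laddr=127.0.0.1:8000 raddr=127.0.0.1:54001 state=ESTAB
pid=2905 comm=nc parent=bash laddr=10.0.0.5:55512 raddr=192.168.1.20:4444 state=ESTAB
pid=1234 comm=sshd parent=systemd laddr=10.0.0.5:22 raddr=10.0.0.9:50022 state=ESTAB
"""

# Process-name lists are illustrative; a real deployment would tune them per environment.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe", "pwsh"}
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}
INTERPRETERS = {"python", "python3", "perl", "ruby", "php"}
WEB_SERVERS = {"nginx", "httpd", "apache2", "tomcat", "php-fpm"}
COMMON_EGRESS_PORTS = {80, 443, 8080}  # ports a permissive outbound rule usually allows


@dataclass
class SocketEvent:
    pid: int
    comm: str      # process name owning the socket
    parent: str    # parent process name
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str


def parse_event(line: str) -> SocketEvent:
    """Parse one key=value record of the constructed export format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    lhost, lport = fields["laddr"].rsplit(":", 1)
    rhost, rport = fields["raddr"].rsplit(":", 1)
    return SocketEvent(int(fields["pid"]), fields["comm"], fields["parent"],
                       lhost, int(lport), rhost, int(rport), fields["state"])


def score_event(ev: SocketEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); score is the number of reverse-shell indicators matched."""
    reasons: list[str] = []
    if ev.state != "ESTAB":
        return 0, reasons
    if ipaddress.ip_address(ev.raddr).is_loopback:
        return 0, reasons  # local IPC, not a remote party
    if ev.comm in SHELLS:
        reasons.append("shell process owns an established network socket")
    if ev.comm in NET_TOOLS:
        reasons.append("netcat/socat-style tool with an established connection")
    if ev.comm in INTERPRETERS and ev.rport in COMMON_EGRESS_PORTS:
        reasons.append("script interpreter talking on a web port")
    if ev.parent in WEB_SERVERS and ev.comm in SHELLS:
        reasons.append("shell spawned by a web server process")
    # Only count the port as an indicator when something else already looks wrong,
    # otherwise every browser session would match.
    if reasons and ev.rport in COMMON_EGRESS_PORTS:
        reasons.append(f"remote port {ev.rport} blends in with allowed egress traffic")
    return len(reasons), reasons


def detect(export: str) -> dict[int, list[str]]:
    """Map PID -> reasons for every record that matched at least one indicator."""
    alerts: dict[int, list[str]] = {}
    for line in export.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score > 0:
            alerts[ev.pid] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run as a script it prints three alerts: the bash process on port 80, the shell under nginx, and the netcat connection; the browser, the loopback Python server and sshd stay quiet. The point of the design is that the filter keys on the owning process and its parent rather than on direction or port, which is the only signal left once the connection is outbound on an allowed port.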