Metasploit and Reverse Shells
Post credit: Karl Gilbert
In a reverse shell the listener runs on the attacker's machine and the target connects back to it with a shell.
Reverse shells solve a lot of headaches that bind shells have:
- Reverse shells remove the need for a listener on the target machine, which means we don’t have to leave the target vulnerable to other malicious actors.
- Reverse shells can use popular ports (e.g., 80, 443) which are usually allowed on egress connections from an internal network to an external network, bypassing firewall restrictions.
Types of Reverse Shell
- Interactive Reverse Shell: During pen tests we often land in a non-TTY shell, which means there are certain commands we can't run. This happens, for example, when we upload a reverse shell to a web server, so the shell we get runs as www-data or a similar user. These users are not meant to have shells, as they don't interact with the system the way humans do. So if you don't have a TTY shell you can't run su, sudo, etc. This is annoying if you manage to get a root password but can't use it.
- Meterpreter Shell: Meterpreter is a Metasploit Framework shell with features that allow us to run post-exploitation modules and privilege escalation exploits locally on the target once a shell is established. It uses encrypted communication, and all operations happen in memory, making it a Swiss army knife that leaves little to no evidence. Meterpreter offers many other features and is highly extensible, which makes it an excellent addition to any hacker's arsenal.
- Pseudo Terminal (PTY): A PTY is a teletype emulated by a program running in user land. The difference from a TTY is where the program runs: not in the kernel, but in user land. The main reason PTYs exist is to move terminal emulation into user land while keeping the TTY subsystem (session management and line discipline) intact.
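The non-TTY shell described above has a recognizable footprint from the defender's side: its stdin, stdout and stderr are the network socket rather than a terminal, and it runs as a web-server account such as www-data. The following is an added example, not code from the original post; it flags such processes in constructed sample records shaped like /proc/<pid>/fd readlink output, and the shell, service-account and web-server names are assumptions.

```python
"""Flag reverse-shell-like processes in constructed /proc-style records.
Added example, not from the original post. A reverse shell's standard streams
are the network socket rather than a terminal, so a shell owned by a web-server
account with socket stdin/stdout/stderr matches the www-data case above."""
from dataclasses import dataclass, field

SHELLS = {"sh", "bash", "dash", "zsh"}                         # assumed names
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}   # assumed names
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}         # assumed names

@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    fds: dict = field(default_factory=dict)  # fd number -> readlink target

def find_reverse_shells(procs):
    """Return [(pid, reasons)] for shells whose standard streams are sockets."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.comm not in SHELLS:
            continue
        std = [p.fds.get(n, "") for n in (0, 1, 2)]
        socket_std = sum(t.startswith("socket:[") for t in std)
        if socket_std == 0:  # stdio on a pty, pipe or file: a normal shell
            continue
        reasons = [f"{socket_std}/3 standard streams are sockets"]
        if p.user in SERVICE_ACCOUNTS:
            reasons.append(f"runs as service account {p.user}")
        parent = by_pid.get(p.ppid)
        if parent and parent.comm in WEB_SERVERS:
            reasons.append(f"parent is web server {parent.comm}")
        findings.append((p.pid, reasons))
    return findings

# Constructed sample data: an ssh session, a cron job and one reverse shell.
SAMPLE = [
    Proc(800, 1, "root", "apache2"),
    Proc(812, 800, "www-data", "apache2"),
    Proc(900, 812, "www-data", "sh", {0: "socket:[41337]", 1: "socket:[41337]", 2: "socket:[41337]"}),
    Proc(2000, 1999, "alice", "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    Proc(2100, 1, "root", "sh", {0: "/dev/null", 1: "pipe:[77]", 2: "pipe:[77]"}),
]

if __name__ == "__main__":
    for pid, reasons in find_reverse_shells(SAMPLE):
        print(f"pid {pid}: " + "; ".join(reasons))
```

On a live host the same check is a walk over /proc/<pid>/fd, reading each link's target and the process owner from /proc/<pid>/status.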