Jump to content

[Question] Is there any reverse shell that can pass through Network?


Recommended Posts

If you know of any ports which are open, then yes. Run a port sniffer script on it first which emails the nmap result to you and then set the corresponding port. If the network is configured properly then its SAPs should be stealthed, but sometimes you can get lucky. SAPs between the 5000 - 5100 range can be vulnerable as they are often left open for Passive FTP.

Like any network, all you need is a clear SAP path from node to node, it just requires a bit more digging to find it.

EDIT: Either that, or if you have access to the network's router, you can add your own NAT signitures, or even designate the vic's device as the network's DMZ.

RE-EDIT: The easiest way to do it is set up a remote SSH site which listens on port 80 and forwards it on to you at which ever port you want. You can then send the Reverse Shell to the SSH server using the default HTTP port. The main difficulty with this though, is that it can cause a lot of noticable traffic on the victim's network. If it's a strong network, the packets will be monitored and although they won't be able to be intercepted or read at all, the endpoint will be known. Running processes through SAP80 can set alarm bells off on the network and is not highly recomended, but it is a quick and dirty way of doing it.

Edited by ApacheTech
Link to comment
Share on other sites

All depends on the router (& firewall policies).


  1. how is the payload getting introduced?
  2. do you have prior knowledge on security policies (eg firewalls, proxies)?

A reverse shells purpose, is for leaving the network and hitting a publicly accessible IP, depending on the number of obstacles in the way.

Link to comment
Share on other sites

You only need to patch a port on the reverse side's router as the victim is connecting OUT of their network. This is considered 'normal' behavior more or less. Obviously IDS, certain advanced firewalls and the sort could be problematic but I get the feeling that this is a simple situation. You can have a reverse shell connect through a standard protocol (HTTP), making it less obvious that anything nefarious is happening. More details would be helpful.

Link to comment
Share on other sites

  • 1 month later...

Any easy thought is can these PC's access the internet behind the routers and firewall? If so just run a secure reverse shell over 443. Some IDS will look at the tcp stream and see the amount of traffic as anomalous but most will see encrypted traffic and ignore it.

I agree, you could also use the DNS port 53 if I'm not mistaken.

The disadvantage with the port 53 is it will likely trigger the IDS but I guess it could work on home network.

Edited by sierrabrav0
Link to comment
Share on other sites

I haven't had any problems with ~Persistence, though it all depends on the network. below is a link to the persistence payload. You can also use the simple-ducky which will generate the payload, setup your webserver, move nc.exe to your web directory and launch a listener for you. All you would have to do is register a no-ip.org page and forward ports 80 and 443 to your attacking machine. And i would assume this would only be used on a legitimate pentest?!?!

Best of luck


Edited by skysploit
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...