Jump to content

Anonymous reverse shell


Hackerman

Recommended Posts

Hi,

 I was wondering that when I create a reverse shell malware on a machine, wouldn’t I give away my IP address to the victim? Isn’t it pretty easy for victim to track me using my IP, assuming they are smart enough to find out my malware? Is it possible to get around this?

Link to comment
Share on other sites

Simple way to describe a reverse shell is the victim machine calls out to the attacker machine and passes it a command prompt (shell). Lookup netcat reverse shells.

Now, as far as anonymous.  Most malicious C&Cs which the shell maybe calling back to are on those bullet proof hosts.  But if they are wanting to hide they would use a proxy, another server the shell calls to that will forward the traffic to the real server or through a chain of servers till it arrives at the real server.  This could be a dynamic proxy where the payload has the proxy to use and the server to end at but of course then your real server IP will be in memory with the payload.  The other is a static proxy where no matter what, if you talk to this server it will forward to the other server.  Just keep in mind there is always a trail.  The host company, if in a country where the hosts will work with law enforcement, will have records of the connections.  Of course you could always have one of the proxies have tor so when the traffic comes in, it goes out via tor to your server running in tor.

How to do all of that, as I know that question maybe coming next, you will have to research.

Link to comment
Share on other sites

5 hours ago, PoSHMagiC0de said:

Simple way to describe a reverse shell is the victim machine calls out to the attacker machine and passes it a command prompt (shell). Lookup netcat reverse shells.

Ye. Basically, it says to the hacker "I'm here and ready to go!".

You could have a chain of Python servers but it could still be traced through each one..

 

Link to comment
Share on other sites

Yes, you do have to put an IP in your reverse shell. However, you could buy a server in a country with lax internet laws and send your traffic to that in a screen session, then just ssh into that through tor and you're pretty much untraceable, as long as they can't trace the money you've spent. There are ways to remain anonymous when doing these kind of attacks, but for most pentesting jobs, a raspberry pi running a server is pretty much golden, since you're on contract with the company and don't need to remain anonymous. You'd use the same technique (seriously, look into screen), and the setup would be pretty much identical. 

Link to comment
Share on other sites

This is a question I have pondered too. I think there must be a clever way of doing this? I wondered about an anonymous proxy as a relay or the use of tor? I guess another compromised server might be the best anon solution in theory?

Link to comment
Share on other sites

Thanks for your replies!

Reverse shell anonymity sounds pretty complicated, so is there another way to take control of victims machine that could be more anonymous than reverse shell? For example is it possible to set victims machine as “server” and then connect to it through tor or VPN? Does anyone have any idea?

Link to comment
Share on other sites

How about using Domain Fronting?

10 hours ago, Hackerman said:

Thanks for your replies!

Reverse shell anonymity sounds pretty complicated, so is there another way to take control of victims machine that could be more anonymous than reverse shell? For example is it possible to set victims machine as “server” and then connect to it through tor or VPN? Does anyone have any idea?

You can connect your C&C Server to a VPN with port forwarding and then let the shell connec to that port on the vpn side which will then be forwarded to your C&C... in theory.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...