Anonymous reverse shell

[Hackerman]

Hi,

 I was wondering that when I create a reverse shell malware on a machine, wouldn’t I give away my IP address to the victim? Isn’t it pretty easy for victim to track me using my IP, assuming they are smart enough to find out my malware? Is it possible to get around this?

[Forkish]

i don’t even know what a reverse shell works but I assume you would bounce your connection off of different systems obfuscating your true IP…?

[PoSHMagiC0de]

Simple way to describe a reverse shell is the victim machine calls out to the attacker machine and passes it a command prompt (shell). Lookup netcat reverse shells.

Now, as far as anonymous.  Most malicious C&Cs which the shell maybe calling back to are on those bullet proof hosts.  But if they are wanting to hide they would use a proxy, another server the shell calls to that will forward the traffic to the real server or through a chain of servers till it arrives at the real server.  This could be a dynamic proxy where the payload has the proxy to use and the server to end at but of course then your real server IP will be in memory with the payload.  The other is a static proxy where no matter what, if you talk to this server it will forward to the other server.  Just keep in mind there is always a trail.  The host company, if in a country where the hosts will work with law enforcement, will have records of the connections.  Of course you could always have one of the proxies have tor so when the traffic comes in, it goes out via tor to your server running in tor.

How to do all of that, as I know that question maybe coming next, you will have to research.

[Dave-ee Jones]

5 hours ago, PoSHMagiC0de said:

Simple way to describe a reverse shell is the victim machine calls out to the attacker machine and passes it a command prompt (shell). Lookup netcat reverse shells.

Ye. Basically, it says to the hacker "I'm here and ready to go!".

You could have a chain of Python servers but it could still be traced through each one..

 

[thoregem]

Yes, you do have to put an IP in your reverse shell. However, you could buy a server in a country with lax internet laws and send your traffic to that in a screen session, then just ssh into that through tor and you're pretty much untraceable, as long as they can't trace the money you've spent. There are ways to remain anonymous when doing these kind of attacks, but for most pentesting jobs, a raspberry pi running a server is pretty much golden, since you're on contract with the company and don't need to remain anonymous. You'd use the same technique (seriously, look into screen), and the setup would be pretty much identical. 

[J1m]

This is a question I have pondered too. I think there must be a clever way of doing this? I wondered about an anonymous proxy as a relay or the use of tor? I guess another compromised server might be the best anon solution in theory?

[Hackerman]

Thanks for your replies!

Reverse shell anonymity sounds pretty complicated, so is there another way to take control of victims machine that could be more anonymous than reverse shell? For example is it possible to set victims machine as “server” and then connect to it through tor or VPN? Does anyone have any idea?

[ThoughtfulDev]

How about using Domain Fronting?

10 hours ago, Hackerman said:

Thanks for your replies!

Reverse shell anonymity sounds pretty complicated, so is there another way to take control of victims machine that could be more anonymous than reverse shell? For example is it possible to set victims machine as “server” and then connect to it through tor or VPN? Does anyone have any idea?

You can connect your C&C Server to a VPN with port forwarding and then let the shell connec to that port on the vpn side which will then be forwarded to your C&C... in theory.