A reverse shell attack is a type of cyberattack where a threat actor establishes a connection from a target machine (the victim's) to their machine.
Wiz Experts Team
6 minutes read
What is reverse shell?
A reverse shell attack is a type of cyberattack where a threat actor establishes a connection from a target machine (the victim's) to their machine. Reverse shell attacks are often executed via TCP and, in rare cases, ICMP or UDP. The goal of a reverse shell attack is to provide the attacker with unauthorized remote access to redirect outgoing connections from the network of the remote host (the victim).
With control of a victim’s machine and communications, the attacker can steal or modify data, inject malware, or further escalate their access within the victim's network. The stakes are high: Public disclosure of the attack can lead to loss of customer trust, negative media attention, diminished brand reputation, regulatory fines, and revenue loss.
Let’s explore reverse shell attacks in greater detail and then discuss proactive measures you can take to protect your organization.
Reverse shell attacks exploit command injection vulnerabilities. They occur in three phases: connection initiation, reverse shell, and command injection. Here’s how it works:
Attackers compromise target systems by remote code execution that exploits system vulnerabilities—e.g., port forwarding and open ports. Because firewall rules are easier to bypass on open ports, attackers can gain access through ports such as port 80 or 443, which are often open by default.
Next, attackers deploy a payload that establishes a connection from the victim's machine to a remote machine. The attacker’s remote systems listen and accept the request, allowing them administrative access to exploit victims’ systems. Since the connection is outgoing, security mechanisms that detect only incoming connections can be bypassed. (This is an important difference between reverse shell and bind shell. Unlike reverse shell, bind shell may be easier to discover, as the connection is initiated by the attacker's system.)
To maintain persistent access, attackers bypass network filtering through port forwarding. Attackers may also use proxy servers or tunneling techniques to obscure the origin of their connection. To conceal malicious communication, attackers use encryption, but this adds an extra handshake to the process, which makes it even harder to detect the communication flow.
In this command, /dev/tcp/attackers_ip/attackers_port represents the IP address and port number the reverse shell will connect to.
Java reverse shell: Java reverse shells are implemented using libraries such as java.net.Socket. This attack involves establishing a socket connection to the threat actor's server to enable remote command execution.
Netcat reverse shell: An example of a Netcat reverse shell is
In this command, Netcat executes a shell connection to the specified IP address and port to establish a reverse shell.
Perl reverse shell: The IO::Socket module is commonly used to initiate a Perl reverse shell connection, enabling bidirectional communication between victims’ and attackers’ systems.
PHP reverse shell: For PHP reverse shells, the attacker uses PHP's socket functions (open and exec) to open a connection from a victim’s system to their system. The threat actor then executes commands to redirect communication to their system.
Python reverse shell: Python provides robust networking capabilities, making it well-suited to creating reverse shell connections. A Python reverse shell involves using the “socket” library to create a socket connection.
Ruby reverse shell: A Ruby reverse shell attack involves creating a socket connection to the attacker's server and establishing bidirectional communication for executing commands in a victim's system.
In most cases, hackers successfully execute reverse shell attacks because target systems are vulnerable. This is often worse in supply-chain attacks due to the large number of unsuspecting enterprises depending on cloud service providers. To execute such large-scale attacks, hackers release malicious packages, which, once installed, trigger the victims’ machines to establish reverse shell connections to the attackers’ machines. The packages may be disguised as software updates or other harmless-seaming packages.
The Wiz Research team secured backdoor access to two Alibaba cloud PostgreSQL databases: ApsaraDB RDS and AnalyticDB. The backdoor was a container vulnerability, #BrokenSesame, caused by inadequate container isolation and an accidental “write” permission to a private registry.
This access could have allowed threat actors to compromise the Alibaba supply chain, execute “write” operations on customers’ registries, and release reverse shell packages disguised as software updates.
The Wiz Research team leveraged a privilege escalation vulnerability named "Hell's Keychain" in IBM’s Cloud PostgreSQL database to uncover a set of vulnerabilities that could have allowed attackers to read and modify the data stored in IBM’s PostgreSQL databases.
The vulnerabilities include the Kubernetes service account token, the private container registry password, CI/CD server credentials, and overly permissive network access to internal build servers. If exploited, they would have exposed IBM customers to supply-chain attacks. (If this sounds familiar, it’s because this is similar to the ExtraReplica vulnerability, where Wiz researchers gained superuser privileges in a Azure PostgreSQL database.)
In October 2023, a group of security researchers discovered 48 malicious package.json files published by an npm user. The packages were disguised as legitimate files with innocuous names and were equipped with install hooks that trigger reverse shell commands to rsh.51pwn[.]com once the packages are installed.
After installation, a new process is automatically created (independent of the parent process, to avoid detection). The process runs the Java reverse shell script "scripts/rsh.js" in a detached mode and uses filterNet to discover IPv4 addresses that can be used to initiate a reverse shell connection through the compromised host system. The moment the reverse shell connection is established, the hacker (identified as hktalent) can potentially access the compromised organization’s systems, networks, and sensitive data.
Reverse shell attack prevention and detection tips
Here are eight strategies to tackle reverse shell attacks:
1. Complete regular security audits
Using automated AI-based tools, conduct regular vulnerability scanning and penetration testing to uncover potential entry points and misconfigurations. When you simulate real-world attacks, you can measure the effectiveness of your security investments.
2. Prioritize dependency management
Beware of software dependencies containing malicious code. Choose dependencies from carefully maintained repositories only, and verify software package names. Use AI-powered software composition analysis (SCA) tools to scan open-source packages before installation. The tool you choose must empower you to scan dependencies swiftly, identifying vulnerabilities in both installed and yet-to-be-installed software. It should also rank the vulnerabilities in order of priority.
3. Implement regular patch management
Keep your apps up to date with the latest security patches to apply fixes for known vulnerabilities that could be exploited to establish reverse shell connections. Staying updated also reduces your attack surface.
4. Focus on host-based and container security practices
Implement host-based security measures—including proper configuration management, least-privilege access control, and secure containerization. Container security keeps malicious actors from scraping container registries and isolates containers from one another to prevent lateral movement.
Enforce the principle of least privilege to ensure that users and apps have only the necessary access to perform specific tasks. As discovered in the Alibaba hack above, over-privileged accounts empower attackers to escalate their access. Utilize network segmentation to limit unauthorized communications and lateral movement within your network.
6. Leverage log monitoring and behavioral analysis
By actively monitoring system logs, including network traffic logs and command execution logs, you can detect suspicious activities and respond proactively. A centralized log monitoring tool backed by behavioral analysis technologies will help you analyze user and system behaviors to identify deviations from normal patterns.
7. Use firewalls and IDSes
Utilize advanced firewalls with eBPF functionalities. Unlike basic firewalls that control only incoming network traffic, eBPF configures your firewalls to manage outgoing traffic and detect reverse shell attacks. Additionally, implement an intrusion detection system (IDS) to complement firewalls. IDSes detect and alert on anomalous activities, such as unexpected outbound connections or unusual traffic patterns.
8. Employee education
Employee training helps increase awareness of cybersecurity threats, including social engineering tactics that may lead to reverse shell attacks. Encourage your employees to adopt secure practices, such as only clicking on verified links and leaving suspicious emails unread. Teach teams to recognize suspicious activities and report potential incidents (e.g, unauthorized access or data breaches).
Reverse shell attacks can have devastating consequences, but you can protect your organization. Prioritize defense against reverse shell attacks by investing in security solutions that implement the tips we’ve discussed in this article.
Enter Wiz. With our advanced threat detection capabilities and comprehensive defense-in-depth strategy against reverse shell attacks, Wiz is your ideal solution. Request a demo today to gain real-time visibility into your cloud environments and detect and resolve any indicators of reverse shell attacks.
A single platform for everything cloud security
Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.
Data access governance (DAG) is a structured approach to creating and enforcing policies that control access to data. It’s an essential component of an enterprise’s overall data governance strategy.
Cloud data security is the practice of safeguarding sensitive data, intellectual property, and secrets from unauthorized access, tampering, and data breaches. It involves implementing security policies, applying controls, and adopting technologies to secure all data in cloud environments.
SaaS security posture management (SSPM) is a toolset designed to secure SaaS apps by identifying misconfigurations, managing permissions, and ensuring regulatory compliance across your organization’s digital estate.
Data risk management involves detecting, assessing, and remediating critical risks associated with data. We're talking about risks like exposure, misconfigurations, leakage, and a general lack of visibility.
Cloud governance best practices are guidelines and strategies designed to effectively manage and optimize cloud resources, ensure security, and align cloud operations with business objectives. In this post, we'll the discuss the essential best practices that every organization should consider.