We talk about reverse shells a lot. We know that they're a hacker's best friend, but how do they actually work? Well, today you're going to find out.
Here we are in the infamous Kali Linux, and I've already created a malicious payload with a pretty popular RAT generator that can be found on GitHub. This is some straight-up script-kiddie malware, but that's fine because most attacks are done by skids anyway. Even this crap is going to be able to bypass Windows Defender, as I'll show you right now.
Here we are in a Windows 11 VM that's fully updated. If I open up the Windows Security tab, you can see that everything is set up. The only thing it's really complaining about in the Virus and Threat Protection tab is that it wants me to set up OneDrive for file recovery. Microsoft wants me to do this, I guess, to protect myself from ransomware. But all this will really help with is recovering from a cyber attack, not actually stopping one from happening.
As far as Windows is concerned, this is pretty much full protection. I even went into the Device Security tab and enabled the Core Isolation feature for the memes. Now, if I go ahead and scan this evil .bat file with Windows Defender (or Microsoft Defender, rather—they renamed it), you can see that we get a clean bill of health. I didn’t even have to do a manual scan since Microsoft scans everything on a Windows 11 machine anyway, at least batch files and .exe files.
I can even scan it with Malwarebytes because I decided to install Malwarebytes on this VM too, for the memes. You can see that the custom scan is in progress here. The scan is complete—nothing malicious has been found with this evil .bat file.
I actually plugged this evil .bat file into VirusTotal earlier, and only 2 out of 61 anti-malware solutions were able to detect it. This is the reason why security professionals—who don’t actually make money from selling snake-oil software and aren’t affiliated with any vendors—will tell you that antivirus software doesn’t matter that much. They might even tell you that the best antivirus out there is common sense.
This malware doesn’t take any coding or hacking expertise to use. It was created by an automated tool found on GitHub. If this was malware someone wrote from scratch, it would probably be fully undetectable by all antivirus programs until a signature was created for it—long after damage had already been done.
Technical Breakdown of the Malware
Let’s see what this evil .bat file actually looks like.
This file is calling on PowerShell with some additional flags to keep the window hidden and prevent it from closing after execution. Then we see a bunch of what looks like complete gibberish being fed into PowerShell. The reason it looks like gibberish is that it’s Base64 encoded.
When we decode it, we start to get something legible. However, all of this source code is still scrunched together. I’ve reformatted it and added a few comments for clarity.
Reformatted Code Explanation:
- Connection Details:
  - The script defines the attacker’s IP address and the port for communication.
  - In a real attack, this IP would likely be public, not local, unless the attacker is on-site.
- TCP Socket Establishment:
  - A TCP socket is created for communication with the attacker.
  - A buffer is initialized to store incoming data (up to 65,535 bytes).
  - The prompt string for the attacker includes "PS" (PowerShell) and the current working directory.
- Execution Loop:
  - Incoming commands from the attacker are read, converted from bytes to strings, and executed.
  - The output or errors from these commands are sent back to the attacker.
- Final Steps:
  - A flush command ensures all data is sent out immediately.
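The launcher described above (PowerShell started with window-hiding flags and a Base64-encoded command body) and the decoded script's building blocks (TCP client, network stream, execute-what-arrives loop, flush) are exactly the things a defender can key on in process-creation logs. What follows is an added example, not code from the video or from the RAT generator it uses: a small Python triage script that pulls the encoded argument out of a command line, decodes it the way powershell.exe does (Base64 over UTF-16LE text), and scores the line on the indicators the breakdown lists. The sample command lines and the encoded body are constructed for this example; the body deliberately contains only the API names from the breakdown and is not a working script.

```python
import base64
import re

# Launcher flags the batch file uses to keep the window hidden and the
# process alive, plus the usual policy-bypass companions seen alongside them.
LAUNCH_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|noexit|nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)

# The decoded body of the reverse shell described above is built from these
# pieces: a TCP socket, its stream, an execute loop, and a final flush.
BODY_INDICATORS = {
    "tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.IGNORECASE),
    "net_stream": re.compile(r"\.GetStream\(", re.IGNORECASE),
    "exec_loop": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE),
    "flush": re.compile(r"\.Flush\(", re.IGNORECASE),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body, or None if absent or undecodable.

    The argument is Base64 over UTF-16LE text, which is why the raw blob looks
    like gibberish and why a plain UTF-8 decode of it would not help.
    """
    m = ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmdline):
    """Classify one process-creation command line.

    Returns (verdict, hits). Three or more body indicators together form the
    reverse-shell pattern; a single one is worth a look; an encoded command
    whose body is clean is reported in hits but left benign.
    """
    hits = ["flag:" + m.group(0).lower() for m in LAUNCH_FLAGS.finditer(cmdline)]
    body = decode_encoded_command(cmdline)
    if body is not None:
        hits.append("encoded_command")
        hits += ["body:" + name for name, pat in BODY_INDICATORS.items() if pat.search(body)]
    body_hits = sum(h.startswith("body:") for h in hits)
    if body_hits >= 3:
        verdict = "reverse_shell_likely"
    elif body_hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, hits


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way powershell.exe decodes it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample body: only the API names from the breakdown, not a working script.
SAMPLE_BODY = "New-Object System.Net.Sockets.TCPClient(...); $s.GetStream(); iex $cmd; $s.Flush()"

# Constructed process-creation command lines, as a Sysmon Event ID 1 or a
# Windows 4688 event with command-line auditing would record them.
SAMPLE_LINES = [
    "powershell.exe -w hidden -noexit -ep bypass -e " + encode_for_powershell(SAMPLE_BODY),
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    "powershell.exe -e " + encode_for_powershell("Get-ChildItem C:\\Logs | Measure-Object"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, hits = score_command_line(line)
        print(f"{verdict:22} {hits}  <- {line[:60]}...")
```

The decode step matters more than the regexes: the same indicators are invisible in the raw log line, which is the whole point of the encoding, and a rule that only matches the launcher flags will also fire on plenty of legitimate administration scripts, which is why the third sample line stays benign.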
Execution and Demonstration
On the attacker’s side, I’ve started a handler in msfconsole to listen for incoming connections. It listens on the attacker’s IP and port. Once connected, the handler provides a shell to control the victim’s machine.
Switching to the victim’s device, I initialize the .bat file. A terminal window pops up briefly and closes. On the attacker’s machine, we now see the shell prompt, complete with the file path where the script was executed.
From here, I can run commands, download/upload files, encrypt the hard drive, or even execute more sinister malware.