Reverse shell

You: J.A.V.A. can you do a quick scan for me? We haven’t investigated the outbound traffic yet.

J.A.V.A.: Yes, sir. Outbound traffic investigation has begun.

THE NARRATOR: The outbound traffic? Why?

YOU: We have stopped some inbound access attempts, so we didn’t let the bad guys get in. How about the bad guys who are already inside? Also, no need to mention the insider risks, huh? The dwell time is still around 1-3 months, and I am quite new here, so it is worth checking the outgoing traffic as well.

J.A.V.A.: Sir, persistent outbound traffic is detected. Possibly a reverse shell…

YOU: You got it!

J.A.V.A.: Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell. GOOD LUCK!

Start in sniffer mode and capture some data:

sudo snort -dev -l .

Investigate with the logfile just created:

sudo snort -r snort.log.1669602099

Port 4444?

$ sudo snort -r snort.log.1669602099 'port 4444' -n 10
WARNING: No preprocessors configured for policy 0.
11/28-02:21:39.625212 ->
TCP TTL:64 TOS:0x0 ID:9999 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x2FE7575D  Ack: 0x56C876C1  Win: 0x1E9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1980585364 2358417664 

WARNING: No preprocessors configured for policy 0.
11/28-02:21:39.645400 ->
TCP TTL:64 TOS:0x0 ID:11389 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x56C876C1  Ack: 0x2FE7575E  Win: 0x1EB  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2358417665 1980585364 

TCP port 4444. Metasploit.

Create a rule:

sudo nano /etc/snort/rules/local.rules
# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

drop tcp any 4444 <> any any (msg: "Reverse Shell Port Detected"; sid: 100001; rev:1;)

Start snort in IPS mode:

sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full

And flag!