When I was learning this, I was disappointed with the internet guides for setting up remote access, aka a backdoor to a computer, so here’s my contribution. Also, it’s important for security- and privacy-conscious people to understand this, because these methods are often used maliciously to gain control over a target computer.
In this article, I’m going to cover the theory and practice behind bind TCP shells and reverse TCP shells. After that I will briefly touch upon their more advanced counterparts – secure shells (SSH) and reverse secure shells.
Theory
Transmission Control Protocol (TCP) is a way to transfer data from one IP address to another. It is used to carry the command to the remote computer as well as the command output back to the command and control computer. In a TCP connection, one side has to listen for a connection and the other side has to connect to it.
There are two ways to get a shell on a remote machine:
1. The remote machine listens for a connection. A process on the remote machine waits for a connection and executes a shell once the connection is established (a bind shell).
2. The remote machine connects to us. This one goes the other way around: the local command and control machine listens for a connection and the remote machine ‘sends’ a shell to the listener (a reverse shell).
Which one is better? Of course, it depends on the circumstances; otherwise only one of them would be worth mentioning. Each of the following paragraphs explains the corresponding row in the table below.
At first glance, option #1 seems superior because we can connect to the remote computer at any time, instantly. With a reverse shell, a persistent backdoor tries to connect to the control computer periodically, so we usually have to wait for the next attempt.
By default, a firewall blocks all incoming connections to the machine. To allow connections to the listener process, the firewall has to open that port. A typical default firewall only filters incoming connections and places no restrictions on outgoing ones, so by choosing option #1 or option #2 you are also choosing which computer’s firewall needs to be configured. This is why hackers prefer reverse shells – it’s easier to configure their own firewall than the victim’s.
When a TCP connection goes through a router, the router assigns a unique port to each computer’s connection in the local area network; that is how it knows which incoming packet belongs to which computer in the LAN. If we try to connect to our listener on the remote machine (option #1) without configuring the router to forward our connection to the exact computer and port, the router will refuse the connection because it doesn’t know where to send the packet. By choosing option #1 or option #2, you are also choosing which router needs to be configured to forward the connection. Obviously, hackers prefer to configure their own router rather than their victim’s.
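Both options leave a distinctive socket on the remote machine that a defender can look for: option #1 shows up as a shell or generic socket tool sitting in LISTEN state, option #2 as an established outbound connection owned by a shell whose standard input has been replaced by the socket. The script below is an added example, not code from the original article; the `ss -tnap` output it parses is constructed, and the sets of shell and socket-tool process names are an assumption to be tuned per environment.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of `ss -tnap` output; not captured from any real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*          users:(("nc",pid=2311,fd=3))
ESTAB  0      0      10.0.0.5:51544     203.0.113.9:443    users:(("firefox",pid=1907,fd=61))
ESTAB  0      0      10.0.0.5:49822     198.51.100.7:4444  users:(("bash",pid=2450,fd=0))
ESTAB  0      0      10.0.0.5:22        10.0.0.20:53120    users:(("sshd",pid=2600,fd=4))
"""

# Assumed name sets: shell interpreters and generic socket tools rarely own a TCP socket on a server.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
NETTOOLS = {"nc", "ncat", "netcat", "socat"}

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+),fd=(\d+)\)')
Sock = namedtuple("Sock", "state local peer proc pid fd")

def parse_ss(text):
    """Parse `ss -tnap` style lines; skips the header and sockets without a visible owning process."""
    socks = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        p = PROC_RE.search(m.group(4)) if m else None
        if not p:
            continue
        socks.append(Sock(m.group(1), m.group(2), m.group(3), p.group(1), int(p.group(2)), int(p.group(3))))
    return socks

def find_shell_sockets(text):
    """Flag option #1 (shell/socket tool LISTENing) and option #2 (established socket on a shell's stdio)."""
    findings = []
    for s in parse_ss(text):
        if s.state == "LISTEN" and s.proc in SHELLS | NETTOOLS:
            findings.append(("bind_listener", s.pid, s.proc, s.local))
        elif s.state == "ESTAB" and s.proc in SHELLS and s.fd <= 2:
            # fd 0/1/2 means the socket has been wired to the shell's stdin/stdout/stderr
            findings.append(("reverse_shell", s.pid, s.proc, s.peer))
    return findings
```

On a live host, feed it the output of `ss -tnap` run as root, since the Process column is only filled in for sockets owned by other users when `ss` has sufficient privileges.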