[Snort-sigs] Reverse shell

Jamie Riden jamie.riden at ...2420...
Mon Mar 25 03:45:46 EDT 2013


You can detect most of these with signatures, but it's better to block
them frankly - just use a default DENY policy outbound on your
firewall. For example HTTP should only be allowed outbound from your
web proxy, DNS from your DNS resolvers, probably no SSH access needed
outbound...?

cheers,
 Jamie

On 25 March 2013 07:04, Aisling Brennan <aislingbrennan21 at ...2420...> wrote:
> Reverse shells allow access to internal systems without having incoming access to the network.
>
> Reverse shells force an internal system to actively connect out to an external system.
>
> Reverse shells can operate using any protocol/port combination that is allowed out of your network.
>
> Netcat - any TCP/UDP port
> Cryptcat - any TCP/UDP port with encryption
> Loki & Ping Tunnel - ICMP
> Reverse WWW Shell - HTTP
> DNS Tunnel - DNS
> Sneakin - Telnet
> Stunnel - SSL
> Secure Shell - SSH
> Custom Reverse Shell
>
> It is a method a hacker would use to access our systems that are behind a firewall.



-- 
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden
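As an added illustration of the default-DENY outbound policy Jamie recommends (this is example code written for this archive page, not anything posted by Jamie or the Snort project), the script below generates an nftables ruleset for an edge firewall: everything forwarded from the LAN to the WAN is dropped and logged unless it is HTTP/HTTPS from the web proxy or DNS from the resolvers. The proxy address, resolver addresses and interface names are constructed placeholders; no outbound SSH rule is included, matching the "probably no SSH access needed outbound" point.

```shell
#!/bin/sh
# Added example: default-deny egress policy for an nftables edge firewall.
# All addresses and interface names are constructed placeholders; override
# them from the environment to match a real network.
PROXY_ADDR="${PROXY_ADDR:-10.0.0.5}"            # the only host allowed to speak HTTP(S) outbound
RESOLVER_ADDRS="${RESOLVER_ADDRS:-10.0.0.2, 10.0.0.3}"  # the only hosts allowed to speak DNS outbound
LAN_IF="${LAN_IF:-lan0}"                        # internal-facing interface
WAN_IF="${WAN_IF:-wan0}"                        # Internet-facing interface

# Print the ruleset on stdout. Traffic forwarded from LAN to WAN hits the
# 'forward' hook, whose policy is 'drop', so anything not explicitly accepted
# (a Netcat listener on an odd port, a tunnel over ICMP, outbound SSH) never
# leaves the network and shows up in the firewall log instead.
gen_egress_ruleset() {
    cat <<EOF
flush ruleset
table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the firewall already accepted
        ct state established,related accept
        ct state invalid drop

        # only consider LAN -> WAN here; other directions keep the drop policy
        iifname "$LAN_IF" oifname "$WAN_IF" jump lan_to_wan
    }

    chain lan_to_wan {
        # HTTP/HTTPS only from the web proxy
        ip saddr $PROXY_ADDR tcp dport { 80, 443 } accept

        # DNS (UDP and TCP) only from the resolvers
        ip saddr { $RESOLVER_ADDRS } udp dport 53 accept
        ip saddr { $RESOLVER_ADDRS } tcp dport 53 accept

        # everything else from the LAN is logged, then falls to the drop policy
        log prefix "egress-drop: " limit rate 10/second drop
    }
}
EOF
}

# Usage: './egress.sh' prints the ruleset for review;
#        './egress.sh --apply' loads it (requires root and nftables).
case "${1:-}" in
    --apply) gen_egress_ruleset | nft -f - ;;
    *)       gen_egress_ruleset ;;
esac
```

Review the printed ruleset first (`nft -c -f` performs a syntax check without loading it). Workstations still need to reach the proxy and resolvers inside the LAN; that traffic does not traverse the edge forward chain, so it is unaffected by this policy, and the `egress-drop:` log prefix is the line to watch for hosts trying to connect out on their own.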