Asynchronous reverse shell using the HTTP protocol
HTTP Asynchronous Reverse Shell
Why?
Today there are many ways to create a reverse shell in order to remotely control a machine through a firewall, since outgoing connections are not always filtered.
However, security software and hardware (IPS, IDS, proxy, AV, EDR…) are increasingly powerful and can detect these attacks. Most of the time the connection of a reverse shell is established through a TCP or UDP tunnel.
I figured that the best way to stay undetected would be to make the traffic look legitimate. HTTP is the protocol a standard user generates the most traffic with. Moreover, it is almost never filtered, so as not to block access to websites.
How does it work?
- The client app is executed on the target machine.
- The client initiates the connection with the server.
- The server accepts the connection.
Then:
- The client queries the server until it gets instructions.
- The attacker provides instructions to the server.
- When a command is defined, the client executes it and returns the result.
And so on, until the attacker decides to end the session.
Disclaimer
This tool is only intended to be a proof of concept demonstration tool for authorized security testing. Make sure you check with your local laws before running this tool.
Features
Today, as a PoC, the following functionalities are implemented:
- Fake HTTP traffic to appear as searches on bing.com.
- Commands are base64 encoded in the HTML response.
- The result of the commands is encoded in base64 as a cookie by the client.
- SSL support; by default, it is a fake bing.com certificate.
- Random delay between each client call to avoid triggering IDSs.
- Random template is used for each response from the server.
- Reuse of the same PowerShell process to avoid triggering EDRs.
- Support for all cmd and PowerShell commands.
- The client displays a fake error message at startup.
- The client is hidden from the Task Manager.
- The client can be run as an administrator.
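The polling loop described under "How does it work?" and the feature list above give a defender two observable traits: a host that keeps issuing bing.com-looking searches at short, jittered intervals, and cookie values that are base64 of plain text (command output) rather than opaque session tokens. The following proxy-log triage is an added example written from the detection side; it is not part of this project, and the log format, field names and the "sid" cookie name are assumed and constructed here.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, format assumed: "timestamp src host path cookie".
# LEAK_COOKIE mimics command output sent back base64-encoded in a cookie.
LEAK_COOKIE = base64.b64encode(b"Volume in drive C has no label.\r\n Directory of C:\\").decode()
SAMPLE_LOG = f"""\
2020-05-01T10:00:00 10.0.0.5 www.bing.com /search?q=weather sid=abc123
2020-05-01T10:00:07 10.0.0.5 www.bing.com /search?q=news sid=abc123
2020-05-01T10:00:19 10.0.0.5 www.bing.com /search?q=recipes sid={LEAK_COOKIE}
2020-05-01T10:01:00 10.0.0.9 www.bing.com /search?q=python sid=xy
"""

B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decodes_to_text(value: str) -> bool:
    """True if value is base64 whose decoded bytes are mostly printable text."""
    if not B64.match(value) or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in raw)
    return printable / len(raw) > 0.9


def triage(log: str, min_polls: int = 3, window_s: int = 60) -> dict:
    """Return {src: [reasons]} for sources showing the beacon/cookie pattern."""
    times_by_src = defaultdict(list)
    reasons = defaultdict(set)
    for line in log.splitlines():
        ts, src, _host, _path, cookie = line.split(" ", 4)
        times_by_src[src].append(datetime.fromisoformat(ts))
        for pair in cookie.split("; "):
            _name, _, val = pair.partition("=")
            if decodes_to_text(val):
                reasons[src].add("cookie value decodes to plain text")
    # Jittered polling: at least min_polls requests inside a short window.
    for src, times in times_by_src.items():
        times.sort()
        for i in range(len(times) - min_polls + 1):
            if (times[i + min_polls - 1] - times[i]).total_seconds() <= window_s:
                reasons[src].add("polling cadence")
                break
    return {src: sorted(r) for src, r in reasons.items()}
```

Real search-engine cookies are random tokens, so the printable-text check separates them from encoded command output even though both look like base64.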
AV Detection
Only 3 out of 69 products detected the client as malicious, without any evasion or obfuscation technique applied.
Download && Use
Copyright (c) 2020 onSec-fr