Sniffing the Reverse Shell
Kalaimani
Posted on March 25, 2022
This is a follow-up to my previous post, Glimpse of Reverse Shell.
Now we are going to see what a reverse shell's network traffic looks like in Wireshark.
First, start Wireshark (assuming you have already installed it on your machine), select your target network interface (in my case there is only one, "Ethernet"), and click the capture button.
Then follow the steps from Glimpse of Reverse Shell and type any command in the reverse shell. It will generate some network traffic, which will show up in Wireshark among the other network activity.
In our case we know the destination port is 8989, so we can apply it as a filter like this:
Then we can follow the TCP stream of the filtered traffic:
Finally we can see the result of the command that was executed remotely:
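As an added example (not code from the original post), the following Python script does offline what the Wireshark steps above do interactively: it parses a pcap, keeps only TCP segments on port 8989 (the equivalent of the display filter tcp.port == 8989) and prints the reassembled conversation the way Follow TCP Stream does. The capture, the addresses 10.0.0.5 and 10.0.0.20, the client port 51234 and the command/output strings are all constructed for the demo; it uses only the standard library, so parse_pcap and follow_tcp_stream also work on a real pcap file read from disk.

```python
"""Filter a pcap for TCP port 8989 and reassemble the conversation, as Wireshark's
'Follow TCP Stream' does. Standard library only; the capture is constructed inline."""
import struct
from collections import defaultdict

REVERSE_SHELL_PORT = 8989  # the listener port used in the post


def _ipv4_segment(src, dst, sport, dport, seq, ack, payload):
    """Build Ethernet + IPv4 + TCP + payload bytes (constructed test traffic; checksums left zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)          # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # constructed timestamps: 2022-03-25 00:00:00 UTC plus one second per frame
        out += struct.pack("<IIII", 1648166400 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, seq, payload) for every TCP segment in a pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4 (e.g. ARP)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, seq, tcp[data_off:]


def follow_tcp_stream(data, port):
    """Equivalent of 'tcp.port == <port>' followed by Follow TCP Stream.
    Returns {connection: [lines]}; segments are kept in capture order, as Wireshark shows them."""
    streams = defaultdict(list)
    for src, dst, sport, dport, _seq, payload in parse_pcap(data):
        if port not in (sport, dport) or not payload:
            continue  # other traffic, or a bare ACK with no data
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic connection id
        arrow = "<-" if sport == port else "->"  # '->' shell host to listener, '<-' listener to shell host
        streams[key].append(f"{arrow} {payload.decode('utf-8', 'replace')!r}")
    return dict(streams)


def sample_capture():
    """Constructed capture: an ARP frame, an unrelated HTTP request, then a reverse-shell exchange."""
    arp = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28
    frames = [
        arp,
        _ipv4_segment("10.0.0.20", "10.0.0.9", 40000, 80, 100, 0, b"GET / HTTP/1.1\r\n\r\n"),
        _ipv4_segment("10.0.0.5", "10.0.0.20", 8989, 51234, 1000, 2000, b"id\n"),
        _ipv4_segment("10.0.0.20", "10.0.0.5", 51234, 8989, 2000, 1003, b"uid=1000(lab) gid=1000(lab)\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for conn, lines in follow_tcp_stream(sample_capture(), REVERSE_SHELL_PORT).items():
        print(conn)
        print("\n".join(lines))
```

The transcript shows exactly why the naive shell is easy to spot: the typed command and its output cross the wire in clear text, and a single port filter isolates the whole session. To run it against a real capture, pass the bytes of a pcap file to follow_tcp_stream instead of sample_capture().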
Again, this is a very beginner-level demonstration of how to look for the network traffic of a naive reverse shell. In real-world scenarios it would be complicated to varying degrees; for example, the network traffic might be encrypted or the data might be obfuscated. I hope this helps you get some basic understanding of a reverse shell's traffic.