DEV Community

Kalaimani

Sniffing the Reverse Shell

This is a follow-up to my previous post, Glimpse of Reverse Shell.

Now we are going to see what a reverse shell's network traffic looks like using Wireshark.

First, start Wireshark (assuming you have already installed it on your machine), select the network interface you want to capture on (in my case there is only one, "Ethernet"), and click the capture button.


Then follow the steps from Glimpse of Reverse Shell and type any command in the reverse shell. It will generate some network traffic, which will show up in Wireshark amid the other network activity.


In our case we know the destination port is 8989, so we can apply it as a filter like this:


Then we can follow the TCP stream of the filtered traffic.


Finally, we get to see the result of the command that was executed remotely.

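The same two Wireshark steps (display filter on the port, then Follow TCP Stream) done by hand over a constructed capture, as an added example that is not part of the original post. The packet list, the 10.0.0.x addresses and the session content are made up; the filter matches tcp.port rather than tcp.dstport so that both directions of the shell are kept, and the reassembly reports how many bytes the capture missed, since a stream with holes shows incomplete output.

```python
from collections import defaultdict

SHELL_PORT = 8989  # listener port used in the post

# Constructed capture (hypothetical addresses), one tuple per packet:
# (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload). It contains an unrelated
# TLS packet, an out-of-order segment and a retransmission to exercise reassembly.
CAPTURE = [
    ("10.0.0.5", 51000, "10.0.0.9", 8989, 1000, b""),                       # SYN from the shell side
    ("10.0.0.9", 443, "10.0.0.5", 52000, 1, b"\x16\x03\x01\x00\x05abcde"),  # unrelated TLS traffic
    ("10.0.0.9", 8989, "10.0.0.5", 51000, 5001, b"whoami\n"),               # command from the listener
    ("10.0.0.5", 51000, "10.0.0.9", 8989, 1008, b"student\n"),              # 2nd half of output, arrives first
    ("10.0.0.5", 51000, "10.0.0.9", 8989, 1001, b"LAB-PC\\"),               # 1st half of output
    ("10.0.0.5", 51000, "10.0.0.9", 8989, 1008, b"student\n"),              # retransmission (duplicate)
    ("10.0.0.9", 8989, "10.0.0.5", 51000, 5008, b"exit\n"),                 # listener ends the session
]


def filter_port(packets, port):
    """Same as the Wireshark display filter 'tcp.port == <port>' (both directions)."""
    return [p for p in packets if p[1] == port or p[3] == port]


def follow_tcp_stream(packets):
    """Rebuild each direction's byte stream like Wireshark's Follow TCP Stream:
    order segments by sequence number, drop retransmitted bytes, count holes.
    Returns {(src, sport, dst, dport): (data, missing_bytes)}."""
    segments = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        if payload:  # SYN/ACK-only packets carry no stream data
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = {}
    for direction, segs in segments.items():
        data, gap, expected = b"", 0, min(segs)
        for seq in sorted(segs):
            if seq > expected:  # hole: a segment never made it into the capture
                gap += seq - expected
            data += segs[seq][max(0, expected - seq):]  # trim bytes already seen (partial retransmits)
            expected = max(expected, seq + len(segs[seq]))
        streams[direction] = (data, gap)
    return streams


def reconstruct_session(capture, port=SHELL_PORT):
    """Label each direction by which end owns the listener port and decode it as text."""
    session = {}
    for (src, sport, dst, dport), (data, gap) in follow_tcp_stream(filter_port(capture, port)).items():
        label = "listener->shell" if sport == port else "shell->listener"
        session[label] = (data.decode("utf-8", errors="replace"), gap)
    return session
```

Calling `reconstruct_session(CAPTURE)` yields the typed commands in one direction and the command output in the other, which is exactly what the Follow TCP Stream window in the post shows for a plaintext shell.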

Again, this is a very beginner-level demonstration of how to look for the network traffic of a naive reverse shell. In a real-world scenario it would be complicated to varying degrees: for example, the network traffic might be encrypted or the data might be obfuscated. I hope this helps you get a basic understanding of the reverse shell's traffic.
