Command and Control: Bind vs Reverse Payloads
In today’s blog, we are going to learn a key concept related to how an attacker gains a foothold on your network: the difference between a bind and reverse payload. Attackers typically get an initial foothold by exploiting a vulnerability that allows them to execute code on a target. This can be through a web interface with a web command shell, through a common vulnerability such as MS17-010, or through built-in administrative tools such as PsExec using captured credentials. However, in order to gain complete control of a system, the attacker will next need to install a payload that allows them to send commands to that system that will be executed. We will look at a fundamental difference between the types of payloads that an attacker may choose to use, specifically, bind vs reverse payloads.
Bind Payloads
In a bind payload, the initial code execution vulnerability is used to install a backdoor and open another port on the victim machine. So for instance, if I have captured your password from somewhere, I can use Microsoft Window’s built-in functionality like PsExec to execute code using those credentials that installs a backdoor that listens on a port of my choice. Then, I will reach out from my attacking machine to that chosen port on the victim machine and have access execute commands. From there, I can do things like take pictures with your webcam, log your keystrokes, use your machine as a proxy to attack other machines on the network, etc.
One key thing about a bind payload is that the port is open on the victim machine. This means it might be available to whoever can interact with that port on the victim host. Although it is exceedingly rare, it has happened that a previously installed bind payload was found on a machine during a penetration test. Bind payloads can be protected from unauthorized use through an authentication mechanism or by IP filtering to allow connections from only the attacker’s address. Another important thing to keep in mind about bind payloads from a penetration tester’s perspective, is that the port used has to be accessible to the tester through any firewalls that may be present. Since the attacker is initiating the connection with the open port, that traffic has to be allowed through the firewall. This makes bind payloads very unlikely to be effective on externally facing systems or in heavily segmented environments.
Reverse Payloads
In a reverse payload, by contrast, an attacker uses the initial code execution to have the victim’s machine reach back out to the attacker’s machine for command and control. In this method, the attacker sets up a listening port, port 53 for example, and waits for the victim machine to reach back out and install the payload. This flow works in reverse to a bind payload, hence the name.
Reverse payloads have two distinct advantages over bind payloads, and that is why they are used more frequently. First, because the victim machine is reaching back to the attackers machine, there isn’t another open port on the victim machine. This prevents unwanted users from accessing it, but also means it is less obvious. Additionally, typically firewalls (both host based and network firewalls) are much more restrictive on inbound filtering than they are with outbound filtering. For example, consider your own organization. I am willing to bet if I scanned the IP range(s) associated with your organization I would see your marketing website, your VPN, and maybe a few other applications that are meant to be there. However, if I tried to connect to one of these systems over port 4444, from the example above, the request would be filtered. Conversely, within your organization you can probably reach out to websites on the Internet all day long because egress filtering is more challenging (and as such, less often implemented). Therefore, if I can have the payload reach back out to me, I have a better chance of getting past your firewall.
Conclusion
In summary, the difference between bind vs reverse payloads comes down to direction of traffic used to establish a connection, or who calls out to who. In a bind payload, the attacker reaches out to the victim machine on a new port while in a reverse payload, the victim reaches out to the attacker. Reverse payloads are usually better as they are more likely to bypass firewalls and less likely to be seen. As a result, reverse payloads are the most common, however, there are instances where a bind payload may be necessary.