In this video walk-through, we covered the different types of bind and reverse shells on Windows and Linux for the purpose of penetration testing training.
In the simplest possible terms, shells are what we use when interacting with a command-line interface (CLI). In other words, the common bash or sh programs on Linux are examples of shells, as are cmd.exe and PowerShell on Windows. When targeting remote systems it is sometimes possible to force an application running on the server (a web server, for example) to execute arbitrary code. When this happens, we want to use this initial access to obtain a shell running on the target.
In simple terms, we can force the remote server either to send us command-line access to the server (a reverse shell), or to open a port on the server which we can connect to in order to execute further commands (a bind shell).
We will be covering both of these scenarios in further detail throughout the room.
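The distinction above has a defender-side mirror: a bind shell leaves a listening socket on the target whose owner has spawned a shell, while a reverse shell leaves an outbound established connection held by a shell process, typically a child of the exploited application. The following script is an added example (not part of the room or its VMs) that triages a constructed process/socket snapshot for both patterns; the record format, process names and sample addresses are all assumptions made for this illustration.

```python
"""Defender-side triage of bind-shell and reverse-shell patterns.

Added example, not from the room. Assumed record format (constructed for this
illustration): one process per line, 'pid ppid name state local remote', where
state is LISTEN, ESTAB or NONE (no TCP socket held by that process).
"""
from dataclasses import dataclass

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
SERVER_NAMES = {"nginx", "apache2", "httpd", "php-fpm", "tomcat", "w3wp.exe"}

# Constructed sample: a web server, an admin's interactive shell, a shell child
# of nginx holding an outbound connection, and a listener that spawned sh.
SAMPLE_RECORDS = """\
1201 1    nginx  LISTEN 0.0.0.0:80         -
1340 1100 bash   NONE   -                  -
2210 1201 sh     ESTAB  10.10.10.11:49822  10.10.10.5:443
2250 1340 nc     LISTEN 0.0.0.0:8080       -
2300 2250 sh     NONE   -                  -
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    state: str   # LISTEN, ESTAB or NONE
    local: str   # ip:port or "-"
    remote: str  # ip:port or "-"


def parse_records(text: str) -> dict[int, Proc]:
    """Parse the constructed snapshot format into a pid -> Proc map."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, name, state, local, remote = line.split()
        procs[int(pid)] = Proc(int(pid), int(ppid), name, state, local, remote)
    return procs


def triage(procs: dict[int, Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, kind, reason) for every process matching either pattern."""
    children: dict[int, list[Proc]] = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p)

    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        # Reverse shell: a shell process itself holding an established
        # connection. Severity rises when the parent is a server application,
        # because that is the "exploited app spawns a shell" shape.
        if p.name in SHELL_NAMES and p.state == "ESTAB":
            via = f"spawned by {parent.name}" if parent else "parent not in snapshot"
            severity = "high" if parent and parent.name in SERVER_NAMES else "medium"
            findings.append((p.pid, "reverse-shell",
                             f"{severity}: {p.name} connected to {p.remote}, {via}"))
        # Bind shell: a listener that is a shell, or a non-server listener that
        # has spawned one. Known server apps are excluded here so a web server
        # with a shell child is reported via the child, not as a bind shell.
        elif p.state == "LISTEN" and p.name not in SERVER_NAMES:
            shell_kids = [c.name for c in children.get(p.pid, []) if c.name in SHELL_NAMES]
            if p.name in SHELL_NAMES or shell_kids:
                what = p.name if p.name in SHELL_NAMES else f"{p.name} with child {shell_kids[0]}"
                findings.append((p.pid, "bind-shell", f"listener {p.local} is {what}"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, kind, reason in triage(parse_records(SAMPLE_RECORDS)):
        print(pid, kind, reason)
```

On the sample, the script reports the `sh` child of `nginx` with an outbound connection to port 443 as a reverse-shell candidate and the `nc` listener on 8080 that spawned `sh` as a bind-shell candidate, while the admin's interactive `bash` (no socket) is ignored. Feeding it a real host would mean building the same records from process and socket listings, which is left outside the example.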
The format of this room is as follows:
- The bulk of the room is made up of information, with examples given in code blocks and screenshots.
- There are two VMs — one Linux, one Windows — in the last two tasks of the room. These can be used to practice the techniques demonstrated.
- There are example practice questions in Task 13. Feel free to work through these, or follow along with the tasks as you complete them.
Room Link
Room Answers
When using a bind shell, would you execute a listener on the Attacker (A) or the Target (T)?
How would you connect to a bind shell on the IP address: 10.10.10.11 with port 8080?
What is the syntax for setting up a Python3 webserver on port 80?
If your IP is 10.10.10.5, what syntax would you use to connect back to this listener?
Which symbol is used to show that a shell is stageless?
What command would you use to generate a staged meterpreter reverse shell for a 64-bit Linux target, assuming your own IP was 10.10.10.5, and you were listening on port 443? The format for the shell is elf and the output filename should be shell.
If we had just received our tenth reverse shell in the current Metasploit session, what would be the command used to foreground it?
Video Walk-through