In this video walk-through, we covered the different types of bind and reverse shells on Windows and Linux for the purpose of penetration testing training.

In the simplest possible terms, shells are what we use when interfacing with a command-line interface (CLI). In other words, the common bash or sh programs on Linux are examples of shells, as are cmd.exe and PowerShell on Windows. When targeting remote systems it is sometimes possible to force an application running on the server (a web server, for example) to execute arbitrary code. When this happens, we want to use that initial access to obtain a shell running on the target, since a single injected command is far less useful than an interactive session.


In simple terms, we can force the remote server to either connect back to us and hand over command-line access (a reverse shell, where the listener runs on the attacker's machine and the target initiates the connection), or to open up a port on the server which we then connect to in order to execute further commands (a bind shell, where the listener runs on the target). Reverse shells are usually preferred because outbound connections from the target are far less likely to be blocked by a firewall than inbound ones to an arbitrary port.

We will be covering both of these scenarios in further detail throughout the room.

The format of this room is as follows:

  • The bulk of the room is made up of information, with examples given in code blocks and screenshots.
  • There are two VMs — one Linux, one Windows — in the last two tasks of the room. These can be used to practice the techniques demonstrated.
  • There are example practice questions in Task 13. Feel free to work through these, or follow along with the tasks as you complete them.


Room Answers

Which type of shell connects back to a listening port on your computer, Reverse (R) or Bind (B)?

You have injected malicious shell code into a website. Is the shell you receive likely to be interactive? (Y or N)

When using a bind shell, would you execute a listener on the Attacker (A) or the Target (T)?

Which option tells netcat to listen?

How would you connect to a bind shell on the IP address: 10.10.10.11 with port 8080?

How would you change your terminal size to have 238 columns?

What is the syntax for setting up a Python3 webserver on port 80?

How would we get socat to listen on TCP port 8080?

What is the syntax for setting up an OPENSSL-LISTENER using the tty technique from the previous task? Use port 53, and a PEM file called "encrypt.pem".

If your IP is 10.10.10.5, what syntax would you use to connect back to this listener?

What command can be used to create a named pipe in Linux?

Which symbol is used to show that a shell is stageless?

What command would you use to generate a staged meterpreter reverse shell for a 64-bit Linux target, assuming your own IP was 10.10.10.5 and you were listening on port 443? The format for the shell is elf and the output filename should be shell.

What command can be used to start a listener in the background?

If we had just received our tenth reverse shell in the current Metasploit session, what would be the command used to foreground it?
