Shell Types

Sometimes, I have a hard time getting my brain around certain things. One such example is a bind shell and reverse shell. After reading the Metasploit section in Georgia Weidman’s Intro to Pentesting book, it all became clear.

In short, bind shell = I connect to you. Reverse shell, you connect to me. Simple.

Since I like analogies, here goes.

Bind shell. I have your phone number (IP address) and phone extension (port number). I call you on the phone. You answer. Now I can ask you to do things for me. Pretty straightforward. Except sometimes, there’s an operator in between. “You want to talk to who? Who is this? No, I will not put you through.” Maybe the operator even tells you “I just blocked that call for you. Bad, bad people.”

Because I can’t get through the operator (aka firewall), I might ask you to call me instead. I give you my phone number (LHOST) and my extension (LHOST, often 4444). So I call you, I’m blocked, but this triggers you to call me back. Now we have an open connection where I can ask you to do things for me. This is the reverse shell.

But then some companies realize this trick and they don’t let any phones call any other phone with an extension of 4444, aka egress filtering. But it’s totally normal and expected to call people on extension 80 or 443, so I ask you to call me on one of those. The filtering sees it as normal traffic and voila, we have a shell!

32 total views, 1 views today