Bind Shell vs Reverse Shell
Today I am going to explain the difference between a bind shell and a reverse shell, but before diving that far, let's first define what a shell is.
What is a shell?
A shell is, in simple terms, a way to interact with the operating system through the CLI (Command Line Interface): you type commands on your keyboard and the system returns an output. Depending on which operating system you use, there are different "types" of shell. On Windows you may use cmd or PowerShell.
On GNU/Linux you may use Bash (Bourne-Again Shell), among others. This is a powerful way to interact with your system.
What is a bind shell?
In cybersecurity, and more specifically on the offensive side of cybersecurity, shells can be used to interact with a compromised system. There are two types of remote shell that can be used in this case: a bind shell or a reverse shell. Let's talk about the bind shell first.
Whatever the type of shell (bind or reverse), there are two components to consider: the attacker and the victim. With a bind shell, the attacker obtains remote code execution by connecting directly to the victim on a specific open port, and the victim "listens" for the inbound connection.

This kind of remote shell has a downside: it can be blocked by the victim's firewall. On the other hand, the attacker does not need to configure anything on their own network.
What about the reverse shell?
If a bind shell can be blocked by a firewall, how can an attacker get a remote shell and bypass this? What if the attacker did not need to open a connection directly to the target? Well, this is what a reverse shell is about. To gain a reverse shell, the attacker "forces" the victim to connect back to the attacker's listener.
The firewall problem is not a problem anymore! Well, not on the victim's side, but there is a drawback: the attacker has to configure their own network to accept the inbound connection.

Practical example with Netcat
Bind shell
Here I have my host device on the left (Pop!_OS), which is the attacker, and a VM on the right (Debian), which is the victim.
First step: I set up a listener on the victim machine. For educational purposes I did it manually, but in a real-life (legal) engagement this is more complicated (another downside of the bind shell).
Note that I used nc (netcat) with -lvnp: -l (listen), -v (verbose mode), -n (tells netcat not to resolve host names or use DNS), -p (port), and -e (execute) /bin/bash (the default shell on Linux). I can also pass -e /bin/bash on the side that initiates the connection.
Reverse shell
Same idea here, but more realistic. First I create a malicious file that contains the command to connect back to me, the attacker, and send it to my victim. Then I set up a listener and wait for the victim to run the file.
And voilà! I got a remote reverse shell and I can execute commands on my victim's computer.
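From the defender's side, the two directions described above leave different traces on the victim host: a bind shell shows a shell or netcat process owning a LISTEN socket (or an established socket on that fixed local port), while a reverse shell shows a shell process owning an outbound connection from an ephemeral local port. The following added example (my own code, not part of the original post) classifies lines in the format of `ss -tanp` output accordingly; the sample lines are constructed, and the ephemeral-port threshold of 32768 (the Linux default ip_local_port_range lower bound) is an assumption.

```python
"""Flag shell-backed TCP sockets in ss(8)-style output and label them
as bind-shell-like or reverse-shell-like (defender's triage helper)."""
import re
from typing import List, NamedTuple

# Binaries that should rarely own a network socket on a server.
SHELLS = {"bash", "sh", "dash", "zsh", "nc", "ncat", "netcat"}
EPHEMERAL_MIN = 32768  # assumption: Linux default ephemeral port floor

class Finding(NamedTuple):
    kind: str   # "bind-shell" or "reverse-shell"
    proc: str
    pid: int
    local: str
    peer: str

# Matches: STATE Recv-Q Send-Q LOCAL PEER users:(("proc",pid=N,fd=N)...)
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)

def classify(lines: List[str]) -> List[Finding]:
    """Return one Finding per socket owned by a shell-like process."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proc"] not in SHELLS:
            continue  # header, unparsable line, or legitimate daemon
        state, local, peer = m["state"], m["local"], m["peer"]
        lport = int(local.rsplit(":", 1)[1])
        if state == "LISTEN":
            kind = "bind-shell"        # victim waits for the attacker
        elif state == "ESTAB":
            # Bind shell: connection sits on the fixed listener port.
            # Reverse shell: victim dialled out from an ephemeral port.
            kind = "reverse-shell" if lport >= EPHEMERAL_MIN else "bind-shell"
        else:
            continue
        findings.append(Finding(kind, m["proc"], int(m["pid"]), local, peer))
    return findings

# Constructed sample lines, not real output from the post's VMs.
SAMPLE = [
    'ESTAB 0 0 192.168.56.10:22 192.168.56.1:50122 users:(("sshd",pid=812,fd=4))',
    'LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=1301,fd=3))',
    'ESTAB 0 0 192.168.56.10:4444 192.168.56.1:40210 users:(("bash",pid=1302,fd=0))',
    'ESTAB 0 0 192.168.56.10:51844 192.168.56.1:9001 users:(("bash",pid=1410,fd=3))',
]

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f.kind:<13} {f.proc} pid={f.pid} {f.local} -> {f.peer}")
```

The port heuristic only distinguishes the two directions; any shell process owning a socket is worth investigating regardless of which label it receives.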