Types of Shells

Getting a shell is basically tricking a victim system into executing a line of code that will create a "hopefully" hidden shell connection with the attacker. Once we compromise a system or exploit a vulnerability to execute commands remotely, we should look for a method to keep communication with the system open, to create persistence, so we don't have to perform the exploit for each command. We could use SSH or WinRM for this, but if we don't have the credentials its common to use a shell to maintain, improve or escalate privileges in the connection:

  • Reverse Shell: connects back to our system and gives us control through a reverse connection. We make the victim connect to us. Sneakier, helps evading detection, but fragile because if the connection drops we have to execute exploit again.

  • Bind Shell: once inside the victim we open a port and bind the victim's shell to it, then it waits for us to connect to it and grants control once we connect. Harder to establish but once open, we can drop and start connections as we please while the host is up and listening, we leave a door open.

  • Web Shell: attacker places the shell script in the webroot, executes it via HTTP request in our browser or curl and it gives control to the web server remotely. Easy to ignore firewall since goes through the same port as HTTP.

Shell script generators and cheat sheets link.

Web Shell script generators and cheat shells link.

Last updated