1

I understood the difference between them. The problem is I am not sure when to use each. I mean, if a firewall will block my connection to the target when I use a bind shell, why will the connection not be blocked when I send the payload again through a reverse shell?

  • I edited the title of your question to fit the question better. If you don't agree with that change, please feel free to roll it back to your initial title. –  Feb 07 '20 at 13:47

1 Answer

4

In order to understand why one might work when the other might not, you need to look at how firewall configurations work.

Consider an average employee computer. Most, if not all, connections will be outgoing first. Any incoming data would be in response to an outgoing connection. As such, a simple bind shell may be blocked by the firewall. I'll illustrate this below:

                                                   I want to connect to this host
                                                   on your local network.
                                                                     \
                                      That does not seem right.       \
                                      I will block this.               \
                                        /                               \
  +----------+               +----------+                               +----------+
 /          /|              /          /|                              /          /|
+----------+ |             +----------+ |                             +----------+ |
|          | |             |          | |                             |          | |
| Employee | | <-/-/-/-/-+ | Firewall | | <-------------------------+ | Attacker | |
| Computer | +             |          | +                             | Computer | +
|          |/              |          |/                              |          |/
+----------+               +----------+                               +----------+

However, a reverse shell looks to the firewall like the employee computer is initiating the connection to some remote host, and thus may accept it. You can imagine the situation like this:

            I want to connect to
          this host on the internet.
                /
               /                 Seems normal to me.
              /                     Go ahead!
             /                               \
  +----------+                               +----------+               +----------+
 /          /|                              /          /|              /          /|
+----------+ |                             +----------+ |             +----------+ |
|          | |                             |          | |             |          | |
| Employee | | +-------------------------> | Firewall | | +---------> | Attacker | |
| Computer | +                             |          | +             | Computer | +
|          |/                              |          |/              |          |/
+----------+                               +----------+               +----------+
  • So we can say that a reverse shell is like the targeted computer asking for a connection to the attacker's computer, so when the attacker responds, the firewall will allow the response? – hosam.shafik Feb 08 '20 at 17:11
  • @hosam.shafik Exactly. Likewise, a bind shell may succeed on a server, because the server expects to respond to incoming requests. –  Feb 09 '20 at 10:25
  • Your illustration is really cool. Can you please give me an example of when to use a bind shell and when to use a reverse shell? – hosam.shafik Feb 10 '20 at 12:37
  • @hosam.shafik As I said in my answer, reverse shells work well when a firewall expects outgoing traffic, while bind shells work well when a firewall expects incoming traffic. Though of course, this is just a rule-of-thumb. –  Feb 10 '20 at 13:00
  • Loving this ASCII art! They should make this a standard for RFCs. – Beurtschipper Feb 10 '20 at 20:53
  • @Graa I use [ASCIIFlow](https://asciiflow.com/) for this. And many many RFCs do have ASCII art –  Feb 11 '20 at 09:52
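The answer and its comments describe the behaviour of a stateful firewall in words: unsolicited inbound connections to a workstation are dropped, outbound connections (and the replies that belong to them) are allowed, and a server exposes a few inbound ports. The following is an added example, not code from the original post or its author: a toy stateful firewall model in Python that reproduces those three situations as allow/drop decisions. All addresses, ports and policies are constructed; the "strict" policy additionally shows the defender's lever the thread hints at with "just a rule-of-thumb", namely an egress allowlist that refuses outbound connections to ports the organisation does not use.

```python
"""Toy stateful firewall model (constructed example, not from the original post).

It tracks connection state the way a real stateful firewall does: the first
packet of a connection (SYN) is checked against policy; every later packet is
allowed only if it belongs to a connection that was accepted earlier.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed addresses (documentation ranges), not real hosts.
WORKSTATION = "10.0.0.5"
SERVER = "10.0.0.20"
REMOTE = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a new TCP connection


@dataclass
class StatefulFirewall:
    protected: str                                   # host behind the firewall
    allow_inbound_ports: FrozenSet[int] = frozenset()  # services exposed inbound
    allow_outbound_ports: Optional[FrozenSet[int]] = None  # None = any port outbound
    established: Set[Tuple] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _decide(self, pkt: Packet, verdict: str, reason: str) -> str:
        self.log.append(f"{verdict:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})")
        return verdict

    def filter(self, pkt: Packet) -> str:
        # Direction-insensitive key so the reply matches the original request.
        key = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        if key in self.established:
            return self._decide(pkt, "ALLOW", "part of an established connection")
        if not pkt.syn:
            return self._decide(pkt, "DROP", "no matching connection state")
        if pkt.dst == self.protected:
            # New inbound connection: only exposed services are reachable.
            if pkt.dport in self.allow_inbound_ports:
                self.established.add(key)
                return self._decide(pkt, "ALLOW", "inbound to an exposed service")
            return self._decide(pkt, "DROP", "unsolicited inbound connection")
        # New outbound connection: permitted unless an egress allowlist excludes the port.
        if self.allow_outbound_ports is None or pkt.dport in self.allow_outbound_ports:
            self.established.add(key)
            return self._decide(pkt, "ALLOW", "outbound connection permitted")
        return self._decide(pkt, "DROP", "outbound port not in egress allowlist")


def inbound_scenario(fw: StatefulFirewall, port: int) -> str:
    """The bind-shell picture: the remote host opens a connection to the protected host."""
    return fw.filter(Packet(REMOTE, 40000, fw.protected, port, syn=True))


def outbound_scenario(fw: StatefulFirewall, port: int) -> Tuple[str, str]:
    """The reverse-shell picture: the protected host connects out; the reply follows."""
    out = fw.filter(Packet(fw.protected, 50000, REMOTE, port, syn=True))
    back = fw.filter(Packet(REMOTE, port, fw.protected, 50000, syn=False))
    return out, back


def run_scenarios() -> dict:
    results = {}
    # 1. Typical workstation policy: anything outbound, nothing exposed inbound.
    ws = StatefulFirewall(protected=WORKSTATION)
    results["workstation/inbound:8000"] = inbound_scenario(ws, 8000)
    results["workstation/outbound:8000"] = outbound_scenario(ws, 8000)
    # 2. Same workstation with egress filtering: only web ports may go out.
    strict = StatefulFirewall(protected=WORKSTATION, allow_outbound_ports=frozenset({80, 443}))
    results["egress-filtered/outbound:8000"] = outbound_scenario(strict, 8000)
    results["egress-filtered/outbound:443"] = outbound_scenario(strict, 443)
    # 3. Server that exposes SSH and HTTPS: inbound to those ports is expected.
    srv = StatefulFirewall(protected=SERVER, allow_inbound_ports=frozenset({22, 443}))
    results["server/inbound:443"] = inbound_scenario(srv, 443)
    results["server/inbound:8000"] = inbound_scenario(srv, 8000)
    for fw in (ws, strict, srv):
        for line in fw.log:
            print(line)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32} {verdict}")
```

The model makes the thread's point concrete: on the default workstation policy the inbound connection is dropped while the outbound one and its reply pass, and on the server the exposed port accepts an inbound connection while a random port does not. The egress-filtered policy shows why the comments call direction "just a rule-of-thumb": an outbound connection to an arbitrary port is now dropped, but one to an allowed port such as 443 still passes, so egress allowlisting narrows the exposure without closing it.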