Now the attacker needs to (manually or automatically) execute code on the remote machine to connect to the listener. This will start a netcat listener on port 1111. On Linux, this can be as simple as one netcat command: ncat -l -p 1111 To start with, the attacker needs to start a listener process on their system to listen for reverse shell connections incoming to their IP address, for example 10.0.0.123.
The injected code will often be a reverse shell script to provide a convenient command shell for further malicious activities. When attempting to compromise a server, an attacker may try to exploit a command injection vulnerability on the server system. Firewalls mostly filter incoming traffic, so an outgoing connection to a listening server will often succeed. For example, a piece of malware installed on a local workstation via a phishing email or a malicious website might initiate an outgoing connection to a command server and provide hackers with a reverse shell capability. However, they can also be used by cybercriminals to execute operating system commands on hosts protected from incoming connections by a firewall or other network security systems. Reverse shells are often the only way to perform remote maintenance on hosts behind a NAT, so they have legitimate administrative uses. But what if the remote host is not directly accessible, for example because it has no public IP or is protected by a firewall? In this situation, a reverse shell might be used, where the target machine initiates an outgoing connection to a listening network host and a shell session is established. To establish a typical remote shell, a machine controlled by the attacker connects to a remote network host and requests a shell session – this is called a bind shell. Let’s see how reverse shells work in practice and what you can do to prevent them. A reverse shell (also called a connect-back shell) can also be the only way to gain remote shell access across a NAT or firewall.
Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack. A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.