In a reverse shell (e.g. a windows/meterpreter/reverse_tcp payload), who initiates the network connection, and why is that the clever part?
The victim connects outward to the attacker's waiting listener — so the shell slips past firewalls and NAT that block incoming connections.
* Reverse vs bind shell: outbound victim-initiated connections slip through; inbound attacker-initiated ones get blocked. *
There are two ways to wire up a remote shell:
- Bind shell: the malware opens a listening port on the victim and the attacker connects in. Problem: inbound connections are usually blocked by the victim's firewall/NAT.
- Reverse shell: the malware dials back out to the attacker (
LHOST/LPORT= the attacker's IP and port). Outbound traffic is almost always allowed, so this works from behind firewalls and home routers.
reverse_tcp is the reverse-shell transport; Meterpreter is the payload it carries — an in-memory agent with rich built-in commands (browse files, screenshot, dump hashes, pivot) that never touches disk as a separate program.
Tip: Bind = "attacker knocks on victim's door" (often locked). Reverse = "victim calls the attacker" (the call gets out).