LOGBOOK

HELP

Quiz Entry - updated: 2026.07.01

In a reverse shell (e.g. a windows/meterpreter/reverse_tcp payload), who initiates the network connection, and why is that the clever part?

The victim connects outward to the attacker's waiting listener — so the shell slips past firewalls and NAT that block incoming connections.

Reverse shell: the victim dials out through the firewall to the attacker's listener (allowed); bind shell: the attacker tries to connect inward to a port the victim opened (blocked).

* Reverse vs bind shell: outbound victim-initiated connections slip through; inbound attacker-initiated ones get blocked. *

There are two ways to wire up a remote shell:

  • Bind shell: the malware opens a listening port on the victim and the attacker connects in. Problem: inbound connections are usually blocked by the victim's firewall/NAT.
  • Reverse shell: the malware dials back out to the attacker (LHOST/LPORT = the attacker's IP and port). Outbound traffic is almost always allowed, so this works from behind firewalls and home routers.

reverse_tcp is the reverse-shell transport; Meterpreter is the payload it carries — an in-memory agent with rich built-in commands (browse files, screenshot, dump hashes, pivot) that never touches disk as a separate program.

Tip: Bind = "attacker knocks on victim's door" (often locked). Reverse = "victim calls the attacker" (the call gets out).

From Quiz: INTROL / Password Cracking | Updated: Jul 01, 2026