* [List of Metasploit reverse shells](#list-of-metasploit-reverse-shells)
* [Windows common reverse shell](#windows-common-reverse-shell)
* [Linux common reverse shell](#linux-common-reverse-shell)
* [When to use a reverse shell](#when-to-use-a-reverse-shell)
* [When a reverse shell isn't needed](#when-a-reverse-shell-isnt-needed)
* [How to set up for a reverse shell during payload generation](#how-to-set-up-for-a-reverse-shell-during-payload-generation)
* [Demonstration](#demonstration)
* [Step 1: Generate the executable payload](#step-1-generate-the-executable-payload)
* [Step 2: Copy the executable payload to box B](#step-2-copy-the-executable-payload-to-box-b)
* [Step 3: Set up the payload handler on box A](#step-3-set-up-the-payload-handler-on-box-a)
* [Step 4: Double-click on the malicious executable](#step-4-double-click-on-the-malicious-executable)
* [Step 5: View the meterpreter/payload session on box A](#step-5-view-the-meterpreterpayload-session-on-box-a)
There are two popular types of shells: bind and reverse.
Bind shell - Opens up a new service on the target machine and requires the attacker to connect to it to get a session.
Reverse shell - A reverse shell is also known as a connect-back. It requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally, the attacker receives the shell.
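From the defender's side, the two definitions above leave different traces in a host's socket table: a bind shell appears as a listener outside the host's expected services, and a reverse shell as an outbound connection from a process that is not expected to make one. The following is an added example, not part of the original page or of Metasploit; the record layout, baseline ports, process names and addresses are all constructed assumptions.

```python
from ipaddress import ip_address

# Assumed per-host baseline (hypothetical values, tune for a real host).
BASELINE_LISTENERS = {22, 443}         # ports this host is meant to serve
OUTBOUND_ALLOWED = {"apt", "curl"}     # processes expected to dial out

# Constructed socket snapshot, one tuple per socket:
# (state, local_ip, local_port, remote_ip, remote_port, process)
SAMPLE = [
    ("LISTEN", "0.0.0.0", 22, None, None, "sshd"),
    ("LISTEN", "0.0.0.0", 443, None, None, "nginx"),
    ("LISTEN", "0.0.0.0", 5555, None, None, "unknown_svc"),
    ("ESTAB", "10.0.0.5", 443, "198.51.100.7", 51512, "nginx"),
    ("ESTAB", "10.0.0.5", 49822, "203.0.113.9", 8443, "sh"),
    ("ESTAB", "10.0.0.5", 40112, "192.0.2.10", 443, "apt"),
    ("ESTAB", "127.0.0.1", 50000, "127.0.0.1", 5432, "app"),
]


def classify(sockets, baseline=BASELINE_LISTENERS, allowed=OUTBOUND_ALLOWED):
    """Return (kind, process, detail) findings for one host's socket table."""
    listening = {s[2] for s in sockets if s[0] == "LISTEN"}
    findings = []
    for state, _lip, lport, rip, rport, proc in sockets:
        if state == "LISTEN":
            # Bind-shell pattern: a new service waiting for someone to connect.
            if lport not in baseline:
                findings.append(("bind-like", proc, lport))
        elif state == "ESTAB":
            if lport in listening:
                continue  # peer connected to one of our listeners: inbound
            if ip_address(rip).is_loopback:
                continue  # local-only traffic never leaves the host
            # Reverse-shell pattern: this host was the client (ephemeral local
            # port) and the owning process is not expected to dial out.
            if proc not in allowed:
                findings.append(("reverse-like", proc, f"{rip}:{rport}"))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

The check keys on connection direction and owning process rather than on the remote port, because a connect-back to a web port looks ordinary if only the port is inspected.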
You can learn more about the primary use of payloads in the 5.2.4 Selecting the Payload section of the old [Metasploit Users Guide](http://cs.uccs.edu/~cs591/metasploit/users_guide3_1.pdf).
As a rule of thumb, always pick a Meterpreter payload, because it currently provides better support for the post-exploitation features Metasploit has to offer, such as railgun, post modules, and the various Meterpreter commands.
In Windows, the most commonly used reverse shell is `windows/meterpreter/reverse`. You can also use `windows/meterpreter/reverse_http` or `windows/meterpreter/reverse_https` because their network traffic appears a little bit less abnormal.
Generally speaking, if you can backdoor an existing service, you may not need a reverse shell. For example, if the target machine is already running an SSH server, then you can try adding a new user to it and use that.
If the target machine is running a web server that supports a server-side programming language, then you can leave a backdoor in that language. For example, many Apache servers support PHP, so you can use a PHP "web shell". IIS servers usually support ASP or ASP.NET. The Metasploit Framework offers payloads in all these languages and many others.
* **LHOST** - This is the IP address you want your target machine to connect to. If you're in a local area network, it is unlikely your target machine can reach you unless you both are on the same network. In that case, you will have to [find out your public-facing IP address](https://www.google.com/webhp?q=ip#q=ip), and then configure your network to port-forward that connection to your box. LHOST should not be "localhost", or "0.0.0.0", or "127.0.0.1", because if you do, you're telling the target machine to connect to itself (or it may not work at all).
When you set up a listener for the reverse shell, you also need to configure at least LHOST and LPORT, but they have slightly different meanings because the perspective is different:
* **LHOST** - This is the IP address you want your listener to bind to.
* **LPORT** - This is the port you want your listener to bind to.
Make sure the listener has started before executing the reverse shell.