Testing Ports For A Reverse Shell
You know that feeling? You’re having fun on a platform like HTB or THM and are fairly sure you’re able to set up a reverse shell, but you just can’t figure out which remote port to use. During practice I tend to reuse either the port I’m using to send the shell or some uncommon port like 9001. However, sometimes you need to get more creative.

Since I don’t like manually testing 20 ports, I’ve automated parts of this process into something I like to call a ping pong test. On my own host, I run a series of basic Python TCP listeners for a collection of common ports. When a listener is called, the server logs the requestor IP and its port. Finally, it sends the word `pong`.
On the target machine I try to contact my host on the same list of ports; in this context this is the `ping`. If we’re lucky, at least one of those outgoing connections is allowed through the firewall and other defenses in place.
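Seen from the defending side, the ping pong test described above leaves a recognisable trace in egress logs: one internal host trying many different ports on the same external address within seconds. The following detection sketch is an added example, not code from the original article; the log format, addresses, function names and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress firewall log; the format and all addresses are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=21 action=DENY
2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=22 action=DENY
2024-05-01T10:00:01Z src=10.0.0.8 dst=198.51.100.10 dport=443 action=ALLOW
2024-05-01T10:00:02Z src=10.0.0.5 dst=203.0.113.7 dport=23 action=DENY
2024-05-01T10:00:03Z src=10.0.0.5 dst=203.0.113.7 dport=25 action=DENY
2024-05-01T10:00:04Z src=10.0.0.5 dst=203.0.113.7 dport=53 action=ALLOW
2024-05-01T10:00:05Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=ALLOW
2024-05-01T10:00:09Z src=10.0.0.8 dst=198.51.100.10 dport=443 action=ALLOW
2024-05-01T10:20:00Z src=10.0.0.8 dst=198.51.100.10 dport=80 action=ALLOW
"""
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)")

def parse(log):
    """Yield (timestamp, src, dst, dport, action) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"]), m["action"]

def find_port_sweeps(log, min_ports=5, window=timedelta(seconds=60)):
    """Flag src->dst pairs that try >= min_ports distinct ports inside `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, action in parse(log):
        by_pair[(src, dst)].append((ts, dport, action))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            burst = events[start:end + 1]
            if len({p for _, p, _ in burst}) > len({p for _, p, _ in best}):
                best = burst
        ports = sorted({p for _, p, _ in best})
        if len(ports) >= min_ports:
            # Ports that got out are where a later callback would be expected.
            allowed = sorted({p for _, p, a in best if a == "ALLOW"})
            findings.append({"src": src, "dst": dst, "ports": ports, "allowed": allowed})
    return findings
```

Calling `find_port_sweeps(SAMPLE_LOG)` reports only the 10.0.0.5 to 203.0.113.7 pair, together with the ports that were allowed out, which is where follow-up monitoring should focus.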
Note that this article is written for educational purposes and is intended only for legal penetration testing and red teaming activities, where explicit permission has been granted. If you wish to test any of the scripts provided, please refer to the disclaimer at the end of this post.
Pong — The listener
The following non-exhaustive list of common ports is used in my example scripts. Note that port 80 is not included; in most scenarios I’m running Apache on my host to serve files and exploits. The list should be tailored to your system, and services which you’re already running (e.g., FTP or SSH) should be excluded to avoid conflicts.
| Port | Protocol |
| - | - |
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 | DNS |
| 67 | DHCP |
| 88 | Kerberos |
| 110 | POP3 |
| 139 | NetBIOS |
| 143 | IMAP |
| 179 | BGP |
| 443 | HTTPS |
| 445 | SMB |
| 636 | LDAPS |
| 1433 | MSSQL |
| 2483 | Oracle DB |
| 3128 | Proxy |
| 3306 | MySQL |
| 3389 | RDP |
| 8080 | Alt HTTP |
| 8443 | Alt HTTPS |