ReverseShell

Revision 6 as of 2006-04-11 20:21:20 (Size: 4930, Editor: host15-171)
Revision 7 as of 2007-03-12 14:34:30 (Size: 4662, Editor: 64, Comment: Cleaned up article some)

What is the Reverse Shell technique, and when or why do I have to use it?

If the machine that you're trying to administer is behind a restrictive firewall that is not under your control, you will need to use the reverse shell technique to give you remote access to the server. This technique utilizes a somewhat unusual ssh connection sequence that can be broken down as:

  • First Session: the server becomes a client and starts the connection, and the client becomes the server and receives the information.

  • Second Session: when the channel is ready (after a procedure), the roles return to the correct ones for a normal client-server communication.

That is to say, the server first connects to the client, placing the burden of accepting incoming connections on the client and thus offering a way around the restrictive firewall.

More details about reverse shell

Which protocol must be used for this technique? What about the synchronization between server and client? Which tools will I have to use to create a reverse channel?

  • Of course you will use the ssh protocol, with public/private key authentication.
  • It is important to automate the synchronization between server and client. Cron may be used so that the server connects back at regular intervals, ensuring the connection is always active.
  • Multiple tools provide the reverse connection technique, but this wiki focuses on the program named RevSh.

Step 1 : Generate SSH Keys

Before doing anything, use ssh-keygen to create a key pair to allow password-less authentication:

mkdir ~/.ssh
chmod 700 ~/.ssh    # only the owner may enter the key directory (777 would expose the private key)
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

This will generate two files--public and private key file--inside ~/.ssh. Remember to set the correct permissions to those two files to prevent other users from accessing them.

Now copy the generated public keys from the server to the client. The public key must be inserted into ~/.ssh/authorized_keys:

mkdir ~/.ssh
chmod 700 ~/.ssh    # sshd (StrictModes, the default) refuses keys from a group- or world-writable ~/.ssh
cat /id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm /id_rsa.pub

This creates the .ssh folder inside root's home directory on the client machine; the public key is then appended to authorized_keys and the permissions are set so that only you can read that file.

Step 2 : Compile RevSh

Now you have to download and install the RevSh program on both server and client using these commands (running revsh.c through sh compiles it, as the traced gcc line shows):

wget http://www.guru-group.fi/~too/sw/revsh/revsh-1.92.tar.gz
tar zxvf revsh-1.92.tar.gz
cd revsh-1.92
sh revsh.c
+ exec gcc -Wall -s -O2 -o revsh /root/update/revsh-1.92/revsh.c -lutil 'DVEDA="1.92(r756,2006-02-02 19:57:54Z)"'
cp revsh /usr/bin
cd ..

Next, add an entry to /etc/hosts for the server hostname with the public IP of the firewall that protects it. You can easily find out what the hostname is by typing:

hostname

Step 3 : Server-Client synchronization

Now we have to create the communication channel. On the server, run:

revsh ssh -o PreferredAuthentications=publickey root@IP_pubclient -p 35000

Now the server will wait for the client to "wake up" to start the communication. Let's take a look at the options used above:

  • -o passes an option to ssh in ssh's own configuration syntax; here PreferredAuthentications=publickey restricts the login to key-based authentication
  • IP_pubclient: the client address in numeric IP format (10.x.x.x)
  • -p: the client port where the ssh service is listening. In our example it is 35000

With the server connected to the client the First Session is now active. We can now create the Second Session by executing the following on the client machine.

revsh serverhostname shell

You now have a working SSH session from the client machine to the remote server. Use it just like a standard SSH connection.

Automatic synchronization

Using the following script, the First Session can be automated so that the connection is always active. This allows true remote administration: the server connects to the client machine automatically, with no human interaction needed until the client is ready to connect.

#!/bin/sh
# Runs on the server: open the First Session towards the client (portnumber is the client's ssh port)
revsh ssh -o PreferredAuthentications=publickey root@IP_pubclient -p portnumber

Save this as a script and schedule it via crontab or by linking it into one of the /etc/cron.FREQUENCY/ folders. Hourly is recommended, but more frequent runs may be desirable depending on the stability of your internet connection and how long you're willing to wait before a reverse shell can be initiated.
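A cron wrapper for the script above, added here as an example (it is not from this page or from the RevSh project), that re-checks the key permissions from Step 1 before connecting and avoids starting a second session while the previous one is still alive. It assumes a pid file at /var/run/revsh.pid and keeps the page's IP_pubclient and portnumber placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page or the RevSh project): a cron wrapper
# around the "First Session" script above. Before starting the reverse
# connection it refuses to run if ~/.ssh or the private key is accessible to
# group/other (sshd's StrictModes rejects such keys, so every cron run would
# fail silently), and it skips the run while the previous session is alive so
# that hourly entries do not pile up. The pid file path, IP_pubclient and
# portnumber are placeholders.

# mode_of FILE: the 9-character permission string, e.g. rwx------
mode_of() { ls -ld "$1" | cut -c2-10; }

# perms_ok DIR KEY: 0 if neither DIR nor KEY grants anything to group/other
perms_ok() {
    for f in "$1" "$2"; do
        case "$(mode_of "$f")" in
            ???------) ;;
            *) echo "refusing: $f is '$(mode_of "$f")'; use chmod 700/600" >&2
               return 1 ;;
        esac
    done
    return 0
}

# still_running PIDFILE: 0 if the pid recorded in PIDFILE is still alive
still_running() {
    [ -r "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# start_session PIDFILE SSHDIR KEY CMD...: run CMD in the background once the
# checks pass and record its pid; returns 0 when started, 1 otherwise
start_session() {
    pidfile="$1"; sshdir="$2"; key="$3"; shift 3
    perms_ok "$sshdir" "$key" || return 1
    if still_running "$pidfile"; then
        echo "previous reverse session still active, nothing to do" >&2
        return 1
    fi
    "$@" &
    echo $! > "$pidfile"
}

# The cron entry calls this; the revsh/ssh arguments are the ones from the page.
run_from_cron() {
    start_session /var/run/revsh.pid "$HOME/.ssh" "$HOME/.ssh/id_rsa" \
        revsh ssh -o PreferredAuthentications=publickey root@IP_pubclient -p portnumber
}
```

Point the crontab entry at run_from_cron (for example via a small script that sources this file and calls it); with the page's original chmod 777 the wrapper refuses to connect and says why on stderr.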

ReverseShell (last edited 2008-08-06 16:16:02 by localhost)