ReverseShell

Revision 3 as of 2006-04-11 20:02:17


What is the reverse shell technique, and when or why would I have to use it?

If the machine you are trying to administer is behind a firewall that is not under your control, and you need to access it immediately to correct a dangerous problem, or simply need to monitor the system to check that everything is ok, you will need the reverse shell technique, which easily gives you access to your server even with a firewall in the way. This technique is not that similar to ssh or to port knocking; it is different. I can give a starting idea of what a reverse shell does by describing the two most important phases into which this technique is divided:

  • First session: the server becomes the client and starts the connection, and the client becomes the server and receives the information.

  • Second session: when the channel is ready (after a procedure), the roles return to the correct ones for normal client-server communication.

More information about reverse shell

Which protocol must be used for this technique? What about the synchronization between server and client? And which tools will I have to use to create an inverse channel?

Of course you will use the ssh protocol with certificates and algorithms, with public/private keys.

For the synchronization between server and client, it is important to make it work without the help of another person who is near the server, so it must happen at regular intervals (for example with a cron job).

The tools that can be used for the reverse shell technique are more than one, but for the next examples I will use the program named RevSh.

Let's start: First step

Before doing anything, you have to generate a key pair with ssh-keygen. How? Here is the solution:

mkdir ~/.ssh
chmod 700 ~/.ssh    # ssh refuses to use keys kept in a directory that others can write to
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa    # writes id_rsa (private) and id_rsa.pub (public)

Afterwards there will be two files inside that folder (the public and the private key); remember to set the correct permissions on those two files to stop people who might try to access them from outside. Once you have done this step we can go ahead with the second step. Now you have to copy the pre-generated public key from the server to the client; the place where the public key must be copied is /home/ssh/authorized_keys, then follow these commands:

mkdir ~/.ssh
chmod 700 ~/.ssh    # the directory must not be writable by anyone else
cat /id_rsa.pub >> ~/.ssh/authorized_keys    # append the server's public key
chmod 600 ~/.ssh/authorized_keys    # readable and writable by the owner only
rm /id_rsa.pub

By doing this you will create the ssh folder inside root's home on the client machine; afterwards the authorized_keys file is placed inside it and its permissions are set so that only you can view that file.

Next step: Compile RevSh

Now you have to download and install the RevSh program on both server and client using these commands:

wget http://www.guru-group.fi/~too/sw/revsh/revsh-1.92.tar.gz
tar zxvf revsh-1.92.tar.gz
cd revsh-1.92
sh revsh.c    # revsh.c runs as a shell script that invokes gcc; the line starting with "+" is its output
+ exec gcc -Wall -s -O2 -o revsh /root/update/revsh-1.92/revsh.c -lutil 'DVEDA="1.92(r756,2006-02-02 19:57:54Z)"'
cp revsh /usr/bin
cd ..

Afterwards, in the /etc/hosts file you will have to add the server hostname followed by the public IP of the firewall that protects it. You can easily find out the hostname by using this command:

hostname

Third step: Server-client synchronization

Now we have to create a communication channel. How? Just follow these instructions: open your terminal and type this command:

revsh ssh -o PreferredAuthentications=publickey root@IP_pubclient -p 35000

Now the server will wait for the client to "wake up" to start the communication. Let's take a look at the options used above:

  • -o this option comes from the ssh syntax and sets the ssh options to be used/activated
  • IP_pubclient client address in numeric IP format (10.x.x.x)
  • -p client port where the ssh service is listening. In our example it is 35000

After this step, you can easily make the channel that the server activated before operative and ready to accept new connections. Just use this command:

 revsh serverhostname shell

If you have followed this guide step by step, you will now have a working ssh interface where you can operate just like on a normal ssh connection started in the normal way.

Automatic synchronization at the first step

You can take one more step to improve what you did before. What am I talking about? Well, as I said at the beginning, you can create a script that starts the synchronization without you doing anything. Just use these commands to create the script I'm talking about:

#!/bin/sh
revsh ssh -o PreferredAuthentications=publickey root@IP_pubclient -p portnumber

Done? Perfect. Now you only have to add it to the /etc/crontab file to start it at a specified hour of the day.
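The same cron script with the checks a practitioner would want in front of it, as an added example that is not from this wiki page or the RevSh project: it verifies the ~/.ssh permissions set up in the first step and uses a lock directory so a job that fires at regular intervals never starts a second revsh session on top of one that is still connected. The lock path /var/run/revsh.lock, the GNU `stat -c %a` call and the IP_pubclient/35000 placeholders are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page or RevSh): a wrapper that cron can run
# instead of the bare "revsh ssh ..." script. It refuses to start when ~/.ssh is
# too open (sshd rejects such keys, and other local users could read them) and
# it will not stack a second revsh session on a live one. Assumes GNU stat;
# IP_pubclient and 35000 are the placeholders used on the page.

# check_ssh_perms DIR: succeed only if DIR is mode 700 and the key files in it
# are mode 600 (the modes ssh and sshd actually require).
check_ssh_perms() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$(stat -c %a "$dir")" = "700" ] || return 1
    for f in "$dir/id_rsa" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        [ "$(stat -c %a "$f")" = "600" ] || return 1
    done
    return 0
}

# run_once LOCKDIR CMD...: run CMD while holding LOCKDIR. mkdir is atomic, so
# two cron invocations cannot both succeed; the second returns 2 and leaves the
# live session alone. A lock left behind by a crash must be removed by hand.
run_once() {
    lock=$1; shift
    mkdir "$lock" 2>/dev/null || return 2
    "$@"
    rc=$?
    rmdir "$lock"
    return $rc
}

# sync_channel: the page's cron step with the two checks above in front of it.
sync_channel() {
    check_ssh_perms "$HOME/.ssh" || {
        echo "refusing to start: fix permissions on $HOME/.ssh" >&2
        return 1
    }
    run_once /var/run/revsh.lock \
        revsh ssh -o PreferredAuthentications=publickey root@IP_pubclient -p 35000
}

# Only start the session when invoked as "script.sh sync", e.g. from /etc/crontab.
if [ "${1:-}" = "sync" ]; then
    sync_channel
fi
```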

That's all, I hope this wiki page will be useful to the community.