PortShellCrypter: E2E encryption for multi-hop tty sessions or portshells

by do son · January 24, 2021

PortShellCrypter

PortShellCrypter allows to e2e encrypt shell sessions, single- or multip-hop, being agnostic of the underlying transport, as long as it is reliable and can send/receive Base64 encoded data without modding/filtering. Along with the e2e pty that you receive (for example inside a portshell), you can forward TCP and UDP connections, similar to OpenSSH’s -L parameter. This works transparently and without the need for an IP address assigned locally at the starting point. This allows forensicans and pentesters to create network connections for example via:

UART sessions to a device
adb shell sessions, if the OEM adbd doesn’t support TCP forwarding
telnet sessions
modem dialups without PPP
other kinds of console logins
mixed SSH/telnet/modem sessions
…

Just imagine you would have an invisible ppp session inside your shell session, without the remote peer actually supporting ppp.

It runs on Linux, Android, OSX, FreeBSD, NetBSD, and (possibly) OpenBSD.

PSC also includes SOCKS4 and SOCKS5 proxy support in order to have actual web browsing sessions via portshells or modem dialups remotely.

SOCKS4 and SOCKS5 support

pscl also supports forwarding of TCP connections via SOCKS4 (-4 port) and SOCKS5 (-5 port). This sets up the port as an SOCKS port for TCP connections, so for instance you can browse remote networks from a portshell session without the need to open any other connection during a pentest. For chrome, SOCKS4 must be used, as the PSC SOCKS implementation does not support resolving domain names on their own. Instead, it requires IPv4 or IPv6 addresses to be passed along. Since chrome will set the SOCKS5 protocol address type always to a domain name (0x03) – even if an IP address is entered in the address bar – SOCKS5 is not usable with chrome. But you can use chrome with SOCKS4 since this protocol only supports IPv4 addresses, not domain names.