[BlackHat USA tool] SSHoRTy: progressive, customizable standalone reverse SSH shell tunnel and SOCKS proxy

SSHoRTy

What is SSHoRTy?

A standalone reverse SSH shell tunnel and SOCKS proxy implant for Red Teams operating on Linux and macOS systems.

Why SSHoRTy?

SSHoRTy wants to:

  • Establish a reverse SSH tunnel from Blue to Red
  • Not depend on instrumented SSH clients on the Blue side
  • Be able to pierce HTTP/S [authenticating] proxies on the way out
  • Be able to mimic HTTP/S traffic by being wrapped in WebSockets
  • Be able to be tailored to a specific environment with backend support
  • Be progressive: not care which C2 you use to connect from the RTO side to the implant tunnel
  • Open SOCKS on launch of the reverse tunnel, so your Red browser can exit on the Blue side
  • Be flexible in deployment: achieve anti-attribution, and terminate the SSH and Web unwraps at different rendezvous points
  • Deploy as one file, leaving Blue no time to fiddle with SSH parameters

Architecture and Design

Diagram: Design

Diagram: Usage

Diagram: Detection

Install && Use

Copyright (C) 2019 dsnezhkov