Reverse SSH shell

The first client starts a systemd service which opens an SSH connection to the remote server and forwards its local port 22 (SSH) to port 2022 on the remote server.

Because outgoing traffic is normally not blocked, a firewall should allow this connection.

If we log in to the remote host from a second client elsewhere, we can ssh to localhost port 2022 and connect to the first client.

SSH key

Generate an SSH key and press Enter for no passphrase.

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/revssh/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/revssh/.ssh/id_ed25519
Your public key has been saved in /home/revssh/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:WluxccRd0RGHsyZb3WxWHH8vE7niDa9A2hI88kjN8S4 revssh@asrv0000019
The key's randomart image is:
+--[ED25519 256]--+
|           ... OO|
|           .. +.*|
|        . o . o==|
|       + o =. +oO|
|      o S = o=+o.|
|     . * X ..= o |
|      o E + . o  |
|         o . .   |
|            .    |
+----[SHA256]-----+

Create a user revssh on the remote host and add id_ed25519.pub to the authorized_keys file of that user.

$ ls -l .ssh/*
-rw------- 1 revssh revssh 296 Oct  9 15:43 .ssh/authorized_keys
-rw------- 1 revssh revssh 411 Oct  9 15:39 .ssh/id_ed25519
-rw-r--r-- 1 revssh revssh 100 Oct  9 15:39 .ssh/id_ed25519.pub
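The revssh account on the remote host only has to accept the reverse forward, and its authorized_keys entry can say exactly that. The shell snippet below is an added example and not part of this post: it prefixes a public key with the sshd key options restrict, port-forwarding and permitlisten (the last one needs OpenSSH 7.8 or newer on the remote host) and counts the entries in an authorized_keys file that lack such a prefix. The key text used in the usage at the bottom is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): least-privilege authorized_keys
# entry for the revssh tunnel user. Assumes OpenSSH 7.8+ on the remote host.

# Print the public key line prefixed with restrictive key options:
#   restrict          - no pty, no agent/X11 forwarding, no user rc, no forwarding
#   port-forwarding   - re-enable forwarding, which restrict switched off
#   permitlisten=2022 - only a -R forward on port 2022 is accepted (it binds to
#                       loopback unless sshd's GatewayPorts is changed)
#   command=...       - if a session is ever requested, only this echo runs
# Local forwarding (-L) through the server can be limited the same way with
# permitopen="host:port".
restricted_authorized_key() {
  pubkey="$1"
  printf 'restrict,port-forwarding,permitlisten="2022",command="/bin/echo revssh: forwarding only" %s\n' "$pubkey"
}

# Print how many key lines in an authorized_keys file do not start with
# "restrict" (comments and blank lines are skipped). 0 means every entry is
# restricted; anything else is worth a look.
count_unrestricted_keys() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -c -v '^restrict[, ]' || true
}

# Usage with a constructed (not real) public key.
sample_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealOne revssh@asrv0000019'
restricted_authorized_key "$sample_key"
```

Append the printed line to ~revssh/.ssh/authorized_keys on the remote host instead of the bare public key; the tunnel client in this post only uses -N and -R, so nothing it does is affected by the restrictions.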

Upload the file id_ed25519 to the first client and save it as /etc/revssh/id_ed25519.

# ls -l /etc/revssh/id_ed25519
-rw------- 1 root root 411 Oct  9 15:52 /etc/revssh/id_ed25519

revssh.service

Upload the unit file to /etc/systemd/system/revssh.service.

[Unit]
Description=Reverse SSH Service
ConditionPathExists=|/usr/bin
After=network.target

[Service]
ExecStart=/usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i /etc/revssh/id_ed25519 -R 2022:localhost:22 revssh@asrv000019.griend.eu
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
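The unit above passes StrictHostKeyChecking=no, so the client accepts whatever host key the remote end presents, and the key file only works if its permissions are what ssh expects. The shell script below is an added example, not the post's own code: it checks the key file and a pinned known_hosts file before the service is enabled, and prints an ExecStart line that verifies the host key instead of skipping the check. The path /etc/revssh/known_hosts is an assumption; the host name and key path are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the tunnel
# client and a hardened ExecStart line. Assumptions: the private key lives at
# /etc/revssh/id_ed25519 and the remote host key is pinned, unhashed and for
# port 22, in /etc/revssh/known_hosts.

REVSSH_HOST="asrv000019.griend.eu"
REVSSH_KEY="/etc/revssh/id_ed25519"
REVSSH_KNOWN_HOSTS="/etc/revssh/known_hosts"

# 0 if the private key exists, is mode 0600 and owned by the expected user
# (root for a system unit); ssh refuses keys that are readable by others.
check_key_perms() {
  key="$1"; expected_owner="$2"
  [ -f "$key" ] || return 1
  [ "$(stat -c '%a' "$key")" = "600" ] || return 1
  [ "$(stat -c '%U' "$key")" = "$expected_owner" ] || return 1
  return 0
}

# 0 if the known_hosts file has an entry for the host (plain, unhashed form),
# so StrictHostKeyChecking=yes can succeed without any interactive prompt.
host_key_pinned() {
  host="$1"; file="$2"
  [ -f "$file" ] || return 1
  pattern=$(printf '%s' "$host" | sed 's/[.]/\\./g')
  grep -q "^$pattern[ ,]" "$file"
}

# Print the ExecStart line with the host key verified against the pinned file.
# Arguments: host, private key path, known_hosts path.
hardened_execstart() {
  host="$1"; key="$2"; kh="$3"
  printf 'ExecStart=/usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -i %s -R 2022:localhost:22 revssh@%s\n' "$kh" "$key" "$host"
}

# Run every check, report each result and return non-zero if any failed.
preflight() {
  rc=0
  if check_key_perms "$REVSSH_KEY" root; then
    echo "ok   $REVSSH_KEY is 0600 root"
  else
    echo "FAIL $REVSSH_KEY must exist, be mode 0600 and owned by root"; rc=1
  fi
  if host_key_pinned "$REVSSH_HOST" "$REVSSH_KNOWN_HOSTS"; then
    echo "ok   host key for $REVSSH_HOST pinned in $REVSSH_KNOWN_HOSTS"
  else
    # Fetch with: ssh-keyscan -t ed25519 "$REVSSH_HOST" >> "$REVSSH_KNOWN_HOSTS"
    # and compare the fingerprint out of band before trusting it.
    echo "FAIL no entry for $REVSSH_HOST in $REVSSH_KNOWN_HOSTS"; rc=1
  fi
  return $rc
}

# Only run the checks when invoked as "sh revssh-preflight.sh check";
# otherwise the script just defines the functions.
case "${1:-}" in
  check) preflight && hardened_execstart "$REVSSH_HOST" "$REVSSH_KEY" "$REVSSH_KNOWN_HOSTS" ;;
esac
```

Replace the ExecStart line of the unit with the printed one once both checks pass; the only behavioural difference is that the service now refuses to connect if the remote host key ever changes, which is exactly the event a tunnel client should not ignore.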

Enable and start the service:

# systemctl daemon-reload
# systemctl enable revssh.service
Created symlink /etc/systemd/system/multi-user.target.wants/revssh.service → /etc/systemd/system/revssh.service.
# systemctl start revssh.service
# systemctl status revssh.service
● revssh.service - Reverse SSH Service
     Loaded: loaded (/etc/systemd/system/revssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-10-09 16:07:38 CEST; 44s ago
   Main PID: 4205 (ssh)
      Tasks: 1 (limit: 4654)
     Memory: 1000.0K
        CPU: 25ms
     CGroup: /system.slice/revssh.service
             └─4205 /usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i /etc/revssh/id_ed25519 -R 2022:localhost:22 revssh@www.griend.eu

Login to remote server

The remote server is now listening on port 2022:

$ ss -tlpn
State     Recv-Q    Send-Q        Local Address:Port          Peer Address:Port    Process
LISTEN    0         100               127.0.0.1:52639              0.0.0.0:*        users:(("python3",pid=29520,fd=13))
LISTEN    0         128               127.0.0.1:2022               0.0.0.0:*
LISTEN    0         4096              127.0.0.1:10023              0.0.0.0:*
LISTEN    0         100               127.0.0.1:53193              0.0.0.0:*        users:(("python3",pid=29520,fd=22))
LISTEN    0         100               127.0.0.1:36717              0.0.0.0:*        users:(("python3",pid=29520,fd=15))
LISTEN    0         511                 0.0.0.0:80                 0.0.0.0:*
LISTEN    0         100               127.0.0.1:41459              0.0.0.0:*        users:(("python3",pid=29520,fd=37))
LISTEN    0         100               127.0.0.1:33111              0.0.0.0:*        users:(("python3",pid=29520,fd=11))
LISTEN    0         100               127.0.0.1:33337              0.0.0.0:*        users:(("python3",pid=29520,fd=27))
LISTEN    0         128               127.0.0.1:8889               0.0.0.0:*        users:(("jupyter-noteboo",pid=28129,fd=4))
LISTEN    0         100                 0.0.0.0:25                 0.0.0.0:*
LISTEN    0         4096              127.0.0.1:8891               0.0.0.0:*
LISTEN    0         511                 0.0.0.0:443                0.0.0.0:*
LISTEN    0         4096                  [::1]:10023                 [::]:*
LISTEN    0         511                    [::]:80                    [::]:*
LISTEN    0         128                   [::1]:8889                  [::]:*        users:(("jupyter-noteboo",pid=28129,fd=5))
LISTEN    0         511                    [::]:443                   [::]:*
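In the listing above the forwarded port is bound to 127.0.0.1 only, which is what keeps the first client's SSH port reachable from the remote server alone. The shell script below is an added example, not part of the post: it reads ss -tlpn output and reports whether the forwarded port is absent, loopback only, or bound to a wildcard or public address (which happens when sshd has GatewayPorts enabled or a bind address of * is requested). The sample listing used in the usage is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example (not from the original post): check on which address the
# reverse-forwarded port is listening on the remote server.

# Read `ss -tlpn` style output on stdin and print the Local Address:Port
# column of every LISTEN socket on the given port. The port is the text after
# the last ":" so both 127.0.0.1:2022 and [::1]:2022 are handled.
listeners_on_port() {
  port="$1"
  awk -v p="$port" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Classify the listeners for a port read from stdin.
# Prints "absent", "loopback" or "exposed (address)".
# Exit status: 0 loopback only, 1 absent, 2 reachable beyond loopback.
tunnel_exposure() {
  port="$1"
  addrs=$(listeners_on_port "$port")
  if [ -z "$addrs" ]; then
    echo absent
    return 1
  fi
  for a in $addrs; do
    case "$a" in
      127.*:*|"[::1]:"*) ;;                 # loopback, as intended
      *) echo "exposed ($a)"; return 2 ;;   # 0.0.0.0, [::] or a real interface
    esac
  done
  echo loopback
  return 0
}

# Run the check against the live socket table of this host.
check_live_tunnel() {
  ss -tlpn | tunnel_exposure "${1:-2022}"
}

# Only query the live system when invoked as "sh tunnel-check.sh check [port]".
case "${1:-}" in
  check) check_live_tunnel "${2:-2022}" ;;
esac
```

An "absent" result while revssh.service is active on the first client usually means the forward request was refused (ExitOnForwardFailure=yes then makes ssh exit and systemd restart it); an "exposed" result means the server's sshd configuration, not the unit, needs attention.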

Login to first client

From the remote server connect to the first client:

$ ssh localhost -p 2022
Linux deb11 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct  9 16:08:00 2021 from ::1
       _,met$$$$$gg.          cees@deb11
    ,g$$$$$$$$$$$$$$$P.       ----------
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 11 (bullseye) x86_64
 ,$$P'              `$$$.     Host: Parallels Virtual Platform None
',$$P       ,ggs.     `$$b:   Kernel: 5.10.0-9-amd64
`d$$'     ,$P"'   .    $$$    Uptime: 52 secs
 $$P      d$'     ,    $$P    Packages: 1891 (dpkg)
 $$:      $$.   -    ,d$$'    Shell: zsh 5.8
 $$;      Y$b._   _,d$P'      Resolution: 1024x768
 Y$$.    `.`"Y$$$$P"'         Terminal: /dev/pts/0
 `$$b      "-.__              CPU: Intel i9-9880H (2) @ 2.304GHz
  `Y$$                        GPU: 01:00.0 Red Hat, Inc. Virtio GPU
   `Y$$.                      Memory: 465MiB / 3923MiB
     `$$b.
       `Y$$b.
          `"Y$b._
              `"""
