Jump to content

Reverse SSH pain


Recommended Posts

Hi all

After watching the episodes from Hak5 and chriswhat i still dont get my reverse ssl shell working...

Can somebody help out?

On my PIneapple (3g connection) i use:

ssh -p 3333 root@80.218.xx.xx 1471:localhost:1471

On my home router 80.218.xx.xx i opended the ports 3333 and 1471 to a raspberryPi with raspian loaded.

On my Raspian i added the Pinapple as trusted device, so it connects without password promt.

I changed the standart ssh port to 3333.

After the pineapple connects i use this on my Pi:

ssh -p 1471 root@localhost

and gets:

socket: Address family not supported by protocol
ssh: connect to host localhost port 1471: Address family not supported by protocol
I have some mixup i think....
Link to comment
Share on other sites

can you test this inside the local network... don't involve the router and port forwarding just yet...

when I run into these kinds of problems ill start my test with netcat to duplicate the task with hi world examples...

You have one machine( listening on a port that provides console access

nc -l -p 22

And machine two( connecting to the first machine with intentions of using the console service

Nc 22

And then test that the connection works by typing 'hi world from machine2'

At this point you know that anything can now be accomplished threw this tcp stream...

so you want a connect back? your machine 1 connects to machine 2 on port 3333 and slides in the data existing on port 22?

I can help you recreate this, at the moment I'm away from my puters

So if you interested, look online for ssh pipe with netcat. I have found better luck with pipes abd nc

Link to comment
Share on other sites

On the most examples here, on the wiki etc. its explained with this method, so i dont want to reinvent the wheel and i keep trying that way. Also it exits a infusion with support, and it seems to work.

On my local network i can acces my Pineapple on port 22 and my Raspberry on 3333 with ssh., So it seems to work.

With my PIneapple attached on 3g i can reach my Router/Raspberry too.

Pineapple 3g Router RaspberryPi

ssh port 3333 ---------------->port forward 3333,1471 to ----------------->

ssh -p 3333 root@80.218.xx.xx

This works.

Now i want to login to the RaspberryPi and connect back to the Pineapple and forward the web UI, like described in many threads and wikis:





I would love to use the Infusion but would be also happy with a command...

Settings used in the Infusion:
Host: root@80.218.xx.xx


Listen Port:1471

It shows connected.

Then i can ssh in the raspberry and again ssh to localhost:1471 with no luck....

command used:

ssh root@host -L 1471:localhost:1471

Link to comment
Share on other sites

I'm having a little trouble following you, but those look like pretty good tutorials and explanations. I also thought Darren did an excellent job on this topic in season 11 (1112 and 1113) Are you using a RaspberryPi wwith an SSH server to emulate a "relay server" on the internet? If so, it appears that you've connected, though not tunneled or port forwarded to your RaspberryPi.

The ssh comand I use would be something like:

ssh -i /root/.ssh/id_rsa -N -T -R 1471:localhost:1471 -R 3322:localhost:22 tunneluser@miyagipi.org -p 3333

This would create one tunnel, no shell, and two port forwards from your pineapple to your RasberryPi (which you say has SSH on port 3333). I don't know why you put SSH on port 3333, but it doesn't matter. Now, on your raspberryPi, the pineapple's UI port 1471 is available on raspberryPi localhost port 1471, and the pineapple's SSH port (22) is available on the raspberryPi's localhost port 3322. (-R forwards from here to there.)

So, to use this tunnel from someplace else, say your laptop running putty (for variety) I would do it differently for SSH and http. For the UI, I would create another tunnel with a single port forward from my laptop (-L forwards from there to here):

plink.exe -N -L 1471:localhost:1471 tunneluser@miyagipi.org -P 3333

(This assumes I'm using pagent to provide the SSH key. Also note that putty/plink uses -P where SSH uses -p.)

Then (on my laptop) I browse to: http://localhost:1471/

You could do exactly the same thing for SSH, but you could also create a single putty session (or configure an SSH session) to do it in one comand.

Note that the only place I'm using the root user is on the pineapple. Also note that I'm using SSH keys instead of username passwords; I find that much easier in the long run. Also, to see what command the infusion is using: cat /etc/config/autossh

I hope this is useful to you. If not, I hope it is useful to someone else.

Edited by fringes
Link to comment
Share on other sites

Thanks a lot!

ssh -i /root/.ssh/id_rsa -N -T -R 1471:localhost:1471 -R 3322:localhost:22 tunneluser@miyagipi.org -p 3333

This command worked well for ssh and http.

And im not sure, but i think not using the "standard" ports, sometime is more secure...

You're welcome. I hope you'll spend some time learning more about these commands. They're very useful and when implimented correctly, quite secure. I hope you're tunnelling in from your laptop to the Pi with the -L (local) port forwards, and not just connecting directly on the Pi. You could be ussing SSH and still have a very insecure setup.

I use different ports mostly when I'm port forwarding the same services from different hosts onto the same firewall IP and I simply have to. But when I'm scanning for vulnerabilities, I don't think finding a service on a non-standard port slows me down much. It might make it less likely to show up in a Shodan search though.

Edited by fringes
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...