The PPS "Techno-Blog"
Fun With SSH Reverse Shells


Authored by Mike Gargiullo, Sr. Security Consultant, Pivot Point Security

Ever need to work on a remote computer that sits behind a typical firewall? If there is no inbound connectivity, you can play a bit of leap frog using ssh in order to gain access to that server. Here's a quick example.
SSH Reverse Shells
For this example we'll assume you are sitting at Host A and would like to have access to Internal Host C. Both firewalls are assumed to allow ssh traffic out.

Our goal here is to have the Internal Host C machine start an ssh session to External Host B (which is on the internet).

ssh -R 2200:localhost:22 user@ExternalHostB

This will start an ssh session from Internal Host C to External Host B and ask the ssh daemon to forward all traffic on External Host B's port 2200 back to Internal Host C's port 22 over the established ssh session.

Now, if I were on External Host B, all I'd have to do to get a shell on Internal Host C is:

ssh -p 2200 user@localhost

Note that the user in the above command has to be a valid account on Internal Host C, not on External Host B: port 2200 on External Host B is forwarded straight through to Internal Host C's sshd, so that is who authenticates you.

To connect from Host A to Internal Host C you can do several things. The easiest is to leap frog.

ssh user@ExternalHostB

Then

ssh -p 2200 user@localhost

The first session opens a shell on External Host B. The second opens a shell on Internal Host C by connecting to the reverse shell we started in the first command.
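The script below is an added example and not part of the original post. It builds a hardened version of the tunnel command for Internal Host C, collapses the two-step leap frog into a single hop through External Host B, and gives a check to run on External Host B that the forwarded port is bound to loopback only (the sshd default unless GatewayPorts is enabled). Host names, user names and ports are placeholders, and the `ss -ltn` output is constructed rather than captured.

```shell
#!/bin/sh
# Added example, not code from the original post. Host names, user names and
# ports are placeholders; the `ss -ltn` output below is constructed, not captured.

# Command for Internal Host C. Compared with the bare "-R" form in the post:
#   -N    open no remote shell, only the forward
#   -f    go to the background once the forward is up
#   ExitOnForwardFailure=yes  fail loudly if port 2200 on B is already taken
#   ServerAlive*  tear down a dead tunnel so a supervisor (cron/systemd) can restart it
reverse_tunnel_cmd() {
    # $1 = port to open on External Host B, $2 = sshd port on C, $3 = user@ExternalHostB
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:%s %s' "$1" "$2" "$3"
}

# One command from Host A to Internal Host C through External Host B instead of
# the two-step leap frog (-J needs OpenSSH 7.3 or newer). "localhost" is resolved
# on B, which is where the forwarded port lives.
hop_cmd() {
    # $1 = user on B, $2 = External Host B, $3 = user on C, $4 = forwarded port on B
    printf 'ssh -J %s@%s -p %s %s@localhost' "$1" "$2" "$4" "$3"
}

# Run on External Host B: read `ss -ltn` output on stdin and report whether the
# forwarded port is bound to loopback only ("loopback"), reachable from other
# hosts ("exposed", e.g. when sshd has GatewayPorts yes), or not open ("absent").
check_bind() {
    awk -v p="$1" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            addr = substr($4, 1, RSTART - 1); lp = substr($4, RSTART + 1)
            if (lp == p) { found = 1; if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1 }
        }
        END { if (!found) print "absent"; else if (exposed) print "exposed"; else print "loopback" }'
}

# Constructed sample listener tables for the check.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:2200     0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2200       0.0.0.0:*'

reverse_tunnel_cmd 2200 22 user@ExternalHostB; echo
hop_cmd user ExternalHostB user 2200; echo
printf '%s\n' "$SAMPLE_LOOPBACK" | check_bind 2200   # loopback
printf '%s\n' "$SAMPLE_EXPOSED" | check_bind 2200    # exposed
```

On a real External Host B, pipe the live output of `ss -ltn` into `check_bind 2200`; anything other than "loopback" means Internal Host C's sshd is reachable by more than the people who log in to External Host B.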

That's a simple ssh reverse shell in a nutshell. Stay tuned for more port forwarding fun.



Comments

Hi PPS. We use the ssh reverse shell trick frequently. One thing that we wrote about recently, that I'm sure you'll appreciate is incorporating corkscrew and NTLM authentication into the process. Corkscrew enables you to wrap the reverse SSH in HTTPS and it adds NTLM authentication. That way you can SSH backwards out of an authenticated SSH proxy. Very useful for bypassing ISA type proxies that restrict outbound access.
Posted @ Wednesday, June 02, 2010 10:21 AM by Adriel Desautels