ISMS Consulting

Fun With SSH Reverse Shells


Last Updated on May 28, 2010

Ever need to work on a remote computer that is behind a typical firewall? If there is no inbound connectivity, you can play a bit of leapfrog using ssh to gain access to that server. Here’s a quick example.
For this example we’ll assume you are sitting at Host A and would like to have access to Internal Host C. Both firewalls are assumed to allow ssh traffic out.
Our goal here is to have the Internal Host C machine start an ssh session to External Host B (which is on the internet).
ssh -R 2200:localhost:22 [email protected]
This will start an ssh session from Internal Host C to External Host B and ask the ssh daemon to forward all traffic on External Host B’s port 2200 back to Internal Host C’s port 22 over the established ssh session.
Now if I were on External Host B, to get a shell on Internal Host C all I’d have to do is:
ssh -p 2200 [email protected]
Now the USER in the above statement would have to be a valid user on Internal Host C, not External Host B.
To connect from Host A to Internal Host C you can do several things. The easiest is to leapfrog.
ssh [email protected]
Then
ssh -p 2200 [email protected]
The first session opens a shell on External Host B. The second opens a shell on Internal Host C by connecting to the reverse shell we started in the first command.
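While the tunnel is up, External Host B has a listening socket on port 2200 that belongs to sshd, not to a separate service. This makes the forward easy to audit. The function below is an added example, not part of the original post. It reads `ss -tlnp` output and lists every sshd-owned listener other than the daemon's own port. The sample lines, PIDs and port 8022 are constructed.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tlnp` output on External Host B (not from the post).
# Port 2200 is the forward from the article; 8022 is a made-up forward bound to
# all interfaces, which sshd only permits when GatewayPorts is enabled.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:2200 0.0.0.0:* users:(("sshd",pid=4321,fd=9))
LISTEN 0 128 [::1]:2200 [::]:* users:(("sshd",pid=4321,fd=10))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=990,fd=6))
LISTEN 0 128 0.0.0.0:8022 0.0.0.0:* users:(("sshd",pid=5150,fd=11))
EOF
}

# find_ssh_forwards DAEMON_PORT
# Reads `ss -tlnp` lines on stdin and prints "port bind-address pid exposure"
# for each listener owned by sshd that is not the daemon's own listening port.
find_ssh_forwards() {
    awk -v daemon_port="$1" '
    $1 == "LISTEN" && $NF ~ /\(\("sshd/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)       # text after the last colon
        bind = addr; sub(/:[^:]*$/, "", bind)   # text before the last colon
        if (port == daemon_port) next           # the daemon itself, not a forward
        match($NF, /"sshd[^"]*",pid=[0-9]+/)    # also matches "sshd-session"
        pid = substr($NF, RSTART, RLENGTH); sub(/.*pid=/, "", pid)
        # Loopback-only forwards are reachable just from Host B itself;
        # anything else is reachable from the network.
        exposure = (bind == "127.0.0.1" || bind == "[::1]") ? "loopback" : "network"
        print port, bind, pid, exposure
    }'
}

# Run against the constructed sample; on a real host use: ss -H -tlnp | find_ssh_forwards 22
sample_ss_output | find_ssh_forwards 22
```

On the sample, both port 2200 entries are reported as loopback and the constructed 8022 entry as network. Setting `AllowTcpForwarding` to `no` or `local` in External Host B's sshd_config stops sshd from accepting `-R` requests at all.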
This has been a simple reverse shell ssh post. Stay tuned for more port forwarding fun.

3 thoughts on “Fun With SSH Reverse Shells”

  1. Ben says:

    Finally I have been trying to figure this out for a long time. Great article!

  2. Tomasz says:

    Thanks a lot!

  3. letmein says:

    Yep, but this way Internal Host C needs to have an ssh client installed. What I want is to get a reverse shell from Internal Host C to Host A, creating a reverse ssh tunnel from Host B?
    Host C -> Host B Host A
    Could someone help me?
