Hi,

Thanks for the awesome project, really neat.
I picked it up from this Talos blogpost , but when searched for it, the result was two repos with identical name and almost same functionalities baked in:

• obviously this repo
• and this one reverse-ssh

So... I suppose it's a coincidence, but still the projects are very similar and I got confused.

Cheers,
PY

It works great! : D

Very good work ... you can close the task hehe: D

Do you have paypal???

Is there a way to specify the identifier of the client, so that when a large number of clients connect, we can easily know which one is who

Hi
I tried to use scp and sftp
but i couldn't
unknown command -J

Why cant we use hostname and/or IP for connecting/running commands and doing all the jazz?

We should only have to use the random ID if there is such a bad collision that none of those are unique,

can't make

reverse_ssh$ make

+--[ED25519 256]--+
|@=*O*o           |
|o=.++  o         |
|+.+ + * .        |
|o+ + % =         |
|o o O O S        |
| E + B o         |
|    + .          |
|   . o           |
|   .+            |
+----[SHA256]-----+
touch bin/authorized_controllee_keys
go build -ldflags="" -o bin ./...
build golang.org/x/sys/windows: cannot load golang.org/x/sys/windows: no Go source files
make: *** [Makefile:10: debug] Error 1

Currently a user can only exec RSSH specific commands, they should be able to execute shell commands on the target clients as well.

E.g

ssh rssh.server 09deadbeef238... ls

ssh -t rssh.server 09deadbeef238...  htop

When executing some rssh specific commands directly from ssh, e.g ssh rssh.server help, the commands do not work due to missing decoupling work.
This should be fixed to provide the full range of rssh features to the terminal.

Currently broken handlers:

• Local forwarding does not work due to current limitations of how RSSH manages client sessions.
• Remote forwarding also fails due to the server session dying once exec has been completed
• Help does not work due to tightly coupled functionality with the vterm

Currently not as good as they could be:

• Connect currently has a lot of footguns, where elements that use to always be initialized may now be nil. This should be rethought if possible

Support for standard SSH remote port forwarding, e.g.

> ssh catcher -R 1234:localhost:1234
...
catcher$ ...

Should easily support one-to-many. I.e it should be trivial to remote-forward the port to several controllable clients simultaneouslhy, or also even every client in just one command.

In a few 'engagements' I have needed to replace a windows service binary to hijack the account running the service. reverse_ssh golang clients compiled for windows do not respond to the start/status requests made by the windows service system, so do not start properly and are quickly killed.

To get around this, I have built basic .NET windows service projects that simply call the reverse_ssh binary on start, but this is a bit annoying.

The x/sys golang library suports creating windows services - this issue proposes that this functionality be built into the windows client build so that the windows client can serve both as a standalone executable and a windows service as needed - there is a .IsWindowsService method in this library that should be able to change the operating mode based on context

I'm using this tool to remote control some of my IOT gateways, and they are connected with a pay-per-use mobile connection. The currently hardcoded keepalive interval is set to 5 seconds, each time generating 304 bytes. This amounts to 5MB / day, which is a lot in this scenario.

It would be great, if this interval could be configured via command line parameter (or config file).

With OpenSSH 9.0 scp is now actually sftp under the hood. We should implement that.
The work around currently is to use the -O flag on scp.

Hi,

I'm trying to run the latest version, but the server is failing to start with:

└─$ ./server 0.0.0.0:3232
2022/04/18 21:11:22 Listening on 0.0.0.0:3232
2022/04/18 21:11:22 Failed to load private key (id_ed25519): open id_ed25519: no such file or director

Not sure what the problem is, but seems like commit 7d8fee3 broke it.
Copying the private_key from internal/client/keys/private_key to bin/id_ed25519 seems to be a workaround.

Cheers,
PY

Allow a user to specify the shell when they connect. E.g. connect --shell=/bin/zsh foo.bar and connect --shell=/bin/bash foo.bar.

Eventually, this could re-open the door to allow the embedding of things like Busybox. So, a user might be allowed to embed my-favorite-sh into the client binary, and run connect --shell=my-favourite-sh foo.bar. The RSSH client would then execute this in-memory.

Currently, the lonk .sh helper relies on the #!/bin/bash shebang. This breaks in distros like Alpine which don't have bash, and instead have ash. In these distros, the script falls back to plain sh and do a sad, due to bash-specific syntax.

Suggestions:

• Alter the script to be compatible with plain sh
• Maybe even detect the busybox wget user-agent and change to #!/bin/ash as a lazy quick fix?

The Rssh client binary currently allows proxy, scp and shell functionality.
A good feature would be allowing these to be disabled/enabled selectively either on compilation or via command line flags.

Just a little note to myself about things to potentially add to the windows client

- steal_token - steal user's token
- make_token - to create a token with credentials
- spwanas - spawn a shell with alternate credentials

- psexec - run command via new service
- winrm    - run powershell expression via winrm (powershell)
- wmi - run command via WMI (powershell)

As the title says, when links are created, they embed the current external address into the binary. However, if you restart the server and change the external address (common on OSCP, CTFs, etc. where you may have a different IP/port for each service), they keep the previous embedded address, rather than it being rebuilt with the new address.

If this is intended, it'd be nice for the links to display what address they have embedded within them inside the server menu.

Basic shell causes the cmd to be echo'd, but we know the size of our command so just trim the first output.

Hi,

When I try to generate a 32 bit client via the catcher$, it fails with:

catcher$ link --name payload32 --goos windows --goarch 386        
Error: exit status 2
# github.com/NHAS/reverse_ssh/pkg/winpty
../pkg/winpty/embed_386.go:13:14: undefined: embed
../pkg/winpty/embed_386.go:17:9: undefined: windows
../pkg/winpty/embed_386.go:43:15: undefined: os
../pkg/winpty/embed_386.go:43:39: undefined: errors
../pkg/winpty/embed_386.go:43:54: undefined: os
../pkg/winpty/embed_386.go:44:33: undefined: path
../pkg/winpty/embed_386.go:48:9: undefined: ioutil
../pkg/winpty/embed_386.go:54:15: undefined: os
../pkg/winpty/embed_386.go:54:41: undefined: errors
../pkg/winpty/embed_386.go:54:56: undefined: os
../pkg/winpty/embed_386.go:54:56: too many errors

Not sure how to continue with the troubleshooting.
Cheers,
PY

It would be a nice feature if you could just specify the first few characters of the connection ID, similar to how Docker containers work with the first few characters, rather than needing to copy and paste the entire ID to use that :)

First of all let me thank you for this ridiculously awesome reverse shell. 😄 It's so useful!

But I discovered a problem after transferring the client to another machine and running it:

$ ./rssh -h
./rssh: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./rssh)
./rssh: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./rssh)

This is because the glibc version on my build machine is another than the glibc version available on the target. I'm not a Go programmer and was a bit confused, why C and isn't it supposed to be a single static binary?

I found an answer then and CGO_ENABLED=0 make client produces a perfectly functioning client, statically compiled, without C dependencies.

I think it is crucial for the reverse_ssh client to be compatible with environments you don't control. So I would like to propose adding CGO_ENABLED=0 to the Makefile (or at least document it for people not familiar with Go internals).

I don't know if this has any drawbacks. I expected the client to be larger in size, but actually it is smaller than the client linked to glibc.

Hi, I'm quite new to this reverse_ssh tool so I'm not sure if my setup is right, I'm having some issue where I can't connect to any currently connected RSSH clients

Setup

I already tested normal ssh connection from all clients to servers and server's authorized_keys already contains public keys from client

- Server:

$ ./server --insecure 0.0.0.0:3235
2022/08/10 02:50:21 Version:  v1.0.5-2-geec2410
2022/08/10 02:50:21 Listening on 0.0.0.0:3235
2022/08/10 02:50:21 Loading private key from: id_ed25519 (/home/ubuntu/reverse_ssh/bin/id_ed25519)
2022/08/10 02:50:21 Server key fingerprint:  96c8a4a14f15d6e4d0472b9c3010ce870b4523d1c648623ec7b4aefa236d4e3f
2022/08/10 02:50:21 Loading authorized keys from: authorized_keys

port 3235 is open

$ netstat -na | grep :3235
tcp6       0      0 :::3235                 :::*                    LISTEN   

- RSSH Client
(server IP masked with ****)

$ ./client --foreground ****:3235
2022/08/10 09:50:36 Connecting to  ****:3235
2022/08/10 09:50:37 [client] WARNING client.go:117 func1() : No server key specified, allowing connection to ****:3235
2022/08/10 09:50:38 Successfully connnected ****:3235

After issuing ./client , server side log says:

$ ./server --insecure 0.0.0.0:3235
2022/08/10 02:50:21 Version:  v1.0.5-2-geec2410
2022/08/10 02:50:21 Listening on 0.0.0.0:3235
2022/08/10 02:50:21 Loading private key from: id_ed25519 (/home/ubuntu/reverse_ssh/bin/id_ed25519)
2022/08/10 02:50:21 Server key fingerprint:  96c8a4a14f15d6e4d0472b9c3010ce870b4523d1c648623ec7b4aefa236d4e3f
2022/08/10 02:50:21 Loading authorized keys from: authorized_keys
2022/08/10 02:50:38 INFO sshd.go:331 acceptConn() : New controllable connection with id 6763e31fe6477084c2910ff515515d55cbc8df29

Problem

All is fine and good so far , however when it comes to Human Client side listing out connected targets in server, nothing is output
$ ssh **** -p 3235 help
--> Just blank, no output

$ ssh **** -p 3235 ls -t
--> Just blank, no output

Logs from Server side:
2022/08/10 03:09:33 INFO sshd.go:331 acceptConn() : New controllable connection with id ebad83c1e19638b9ecbf1cc9acef871c7aba5a55

Normal ssh works fine

At this point I'm not sure if reverse_ssh is running correctly or if I have to do any additional setup in term of SSH config so would be great if anyone can help me out with this

It is often desirable to open a reverse_ssh server up to the world, however only certain clients should be allowed to connect to it.

It would be useful to have password/token based authentication, passed with a flag (such as ./client myserver:222 --auth hunter2) or public key auth with an adjacent key file.

Cheers :)

Hi,
When I try to change directory in windows client I can't change directory. Any suggestions?

Currently, bash script links (ending in .sh), try and temporarily write the file in whatever directory it is run.
However, often when popping web RCE, the invoking user doesn't have permission to write in the current directory.
It would be cool if the script were to first try other folders like /tmp, /dev/shm, etc, before resorting to writing in the current directory.

Thank :)

I want to be able to do ssh localhost ls beans* and have it filter for all things that start with that prefix, as it makes sense to be able to do that.

Seeing what clients are connected continously, rather than having to do ls would be good!

Hi,

I love your project, thank you for supporting and developing it.
Something cool that may improve the opsec during engagement is having the client obfuscation.

I've just came across this project -https://github.com/burrowers/garble
Also this post showing practical usage of it:
https://posts.specterops.io/get-your-socks-on-with-gtunnel-4a70a9b82b24

What do you think ?

Cheers,
PY

I mean.... why not?

And the answer is because I forgot to do this

For some reason when copy and pasting into the shellhost connection, it prints out a number of empty lines.

I really like that you've added webhook support. There are two things that make it unnecessarily difficult to use, however:

1. The suffix rssh_webhook is added to the webhook. This is a problem, as, e.g., Slack and Mattermost generate webhooks to use, and they don't expect that the generated webhook is appended with a suffix (and therefore break). Can this be removed?
2. Slack (and Mattermost, which is similar) expect the main text message to be transmitted in the text key/value of the payload. It would be great if this key could be added to contain a summary of the event. This would allow users to directly display events in Slack/Mattermost without requiring further ingress processing. It could also be a switch that can be set while adding a webhook.

Connecting via hostname does not work if the hostname includes a dash.

catcher$ connect root.foobar-1f1234
root.foobar-1f1234 Not found.

Connecting via ID or IP works fine.

Apparently this only applies to connect and connection via JumpHost. Using exec, however, works as expected, i.e., it resolves the hostname just fine.

When not using the --foreground flag, the process appears to go into background. However if the parent process is killed the child dies too.

Windows must be doing something different than linux.

I use the client to remote control some IoT gateways. They have very limited storage capacity for the overlay file system, so every MB counts. Now I have to manually compress the client binaries with upx, which is why I can't use the builtin link feature of the server. It would be great if the link command could optionally compress the generated client binary with upx. As for the location of the upx binary, it could be expected to be in the same directory as the server binary, i.e., ./upx.

I saw that you once had upx activated for the release target, but then removed it due to concerns with AV. Can you elaborate a bit on this? Thanks!

The windows shell needs a lot of love ever since removing my attempt at a fancy shell for it.

Things we need that are currently missing:

• Autocomplete
• Fancy Colors
• Better CTRL-C
• Powershell beans

Code version: latest
Test environment: kali 2022.01

When I repeatedly connect the client on the server side in a short period of time, the client and server will be disconnected, and the client cannot continue to work and reconnect.
This kind of problem also occurs in mobaxterm. After connecting to the jump client for many times, the client cannot work. What is the reason?

Hi... would you know how to solve it?

ssh [email protected] -p 44500
PTY allocation request failed on channel 0
shell request failed on channel 0

in server side:
[127.0.0.1:53800] INFO server.go:181 acceptConn() : New SSH connection, version SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
[127.0.0.1:53800] INFO global.go:98 RegisterChannelCallbacks() : Handling channel: session
[127.0.0.1:53800] INFO session.go:30 Session() : Session got request: "pty-req"
[127.0.0.1:53800] WARNING session.go:61 Session() : Unsupported request pty-req
[127.0.0.1:53800] INFO session.go:30 Session() : Session got request: "env"
[127.0.0.1:53800] WARNING session.go:61 Session() : Unsupported request env
[127.0.0.1:53800] INFO session.go:30 Session() : Session got request: "shell"
[127.0.0.1:53800] WARNING session.go:61 Session() : Unsupported request shell
[127.0.0.1:53800] INFO session.go:68 Session() : Session disconnected: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
[127.0.0.1:53800] INFO server.go:199 func1() : User disconnected: connection terminated

Regards. :D

as REAME flow both of that two file will be same content ,but when i try start the server ,told me ssh-ed25519 �Y���K��+��bwB ���\�A� is present in both authorized_controllee_keys and authorized_keys. It should only be in one.
what's wrong

It would be cool to embed the busybox toolkit in a way it could be used as a fallback shell. This is useful if you're popping a lightweight/distroless container with limited or no tooling, or, if you don't want to invoke any of the existing tools on a box.

This absolute path will cause failure when the system is not installed in the windows directory under the C drive

Use kill * rather than kill all

Previous changes changed to using SHA1 for identifying clients. However this had the knock on effect of changing how the server prints out its public key

Not sure how complicated it would be to add but it could be useful to add tuntap support (ssh -w) similar to ligolo as an alternative to using a socks proxy, different tool or manually configuring a tunnel back to the bastion.

Edit: I'm not sure how you give issues a label, github wouldn't let me assign one