Reverse Shells With Terminal Support: revsh

ID N0WHERE:27275
Type n0where
Reporter N0where
Modified 2015-02-15T19:48:35


_ revsh _ is a tool for establishing reverse shells with terminal support, reverse VPNs for advanced pivoting , as well as arbitrary data tunneling. A reverse shell is a network connection that grants shell access to a remote host. As opposed to other remote login tools such as telnet and ssh , a reverse shell is initiated by the remote host. This technique of connecting outbound from the remote network allows for circumvention of firewalls that are configured to block inbound connections only.

A bind shell is a shell that is served from a normal forward network connection. _ revsh _ supports both reverse and bind shells. To invoke a bind shell, either call _ revsh _ with the _ -b _ flag on both ends of the connection, or call the binary as ‘bindsh’.

Can’t I just use netcat ?

There are many techniques for establishing a reverse shell, but these methods don’t provide terminal support. _ revsh _ allows for a reverse shell whose connection is mediated by a pseudo-terminal , and thus allows for features such as:

In addition, _ revsh _ also offers the following features:

  • UTF-8 support.
  • Circumvents utmp / wtmp . (No login recorded.)
  • Processes rc file commands upon login for easy scripting.
  • OpenSSL encryption with key based authentication baked into the binary.
  • Anonymous Diffie-Hellman encryption upon request.
  • Ephemeral Diffie-Hellman encryption as default. (Now with more Perfect Forward Secrecy !)
  • Cert pinning for protection against sinkholes and mitm counter-intrusion.
  • Connection timeout for remote process self-termination.
  • Randomized retry timers for non-predictable auto-reconnection.
  • Netcat style non-interactive data brokering for file transfer.
  • Proxy support: point-to-point, SOCKS 4, SOCKS 4a, and SOCKS 5. Proxys are available in both directions for complete flexibility.
  • TUN / TAP support for forwarding raw IP packets / Ethernet frames.
  • Escape sequence commands to kill non-responsive nodes, or print connection statistics.

_ revsh _ is intended as a supplementary tool for a pentester’s toolkit that provides the full set of terminal features across an encrypted tunnel. All together in a small (~50k) easy to use binary.

Where can I use _ revsh _ ?

_ revsh _ was developed on x86_64 Linux. Here is a brief list of Arch / OS combinations that it has been used on:

  • x86_64 Linux
  • i686 Linux
  • amd64 FreeBSD

(If you have successfully used revsh on another platform, drop me a line and I’ll add it to the list.)


empty@monkey:~$ revsh -h


  -c           Run in "command and control" mode.             (Default is target mode.)
  -a           Enable Anonymous Diffie-Hellman mode.          (Default is Ephemeral Diffie-Hellman.)
  -d KEYS_DIR  Reference the keys in an alternate directory.  (Default is "~/.revsh/keys/".)
  -f RC_FILE   Reference an alternate rc file.                (Default is "~/.revsh/rc".)
  -s SHELL     Invoke SHELL as the remote shell.              (Default is "/bin/bash".)
  -F LOG_FILE  Log general use and errors to LOG_FILE.        (No default set.)

  -t SEC       Set the connection timeout to SEC seconds.     (Default is "3600".)
  -r SEC1,SEC2 Set the retry time to be SEC1 seconds, or      (Default is "600,1200".)
               to be random in the range from SEC1 to SEC2.

  -k           Run in keep-alive mode. Node will neither
               exit normally, nor seppuku from timeout.
               Static socket forwarding with a local
               listener at LHOST:LPORT forwarding to
               Static socket forwarding with a remote
               listener at RHOST:RPORT forwarding to
               Dynamic socket forwarding with a local
               listener at LHOST:LPORT.                       (Socks 4, 4a, and 5. TCP connect only.)
               Dynamic socket forwarding with a remote
               listener at LHOST:LPORT.                       (Socks 4, 4a, and 5. TCP connect only.)
  -x           Disable automatic setup of proxies.            (Defaults: Proxy D2280 and tun/tap devices.)
  -b           Start in bind shell mode.                      (Default is reverse shell mode.)
               The -b flag must be invoked on both ends.
  -n           Non-interactive netcat style data broker.      (Default is interactive w/remote tty.)
               No tty. Useful for copying files.
  -v           Verbose. -vv and -vvv increase verbosity.
  -h           Print this help.
  -e           Print out some usage examples.

  ADDRESS      The address of the control listener.           (Default is "".)
  PORT         The port of the control listener.              (Default is "2200".)

Reverse Shells With Terminal Support: revsh Download