_revsh_ is a tool for establishing reverse shells with terminal support, reverse VPNs for advanced pivoting, as well as arbitrary data tunneling. A reverse shell is a network connection that grants shell access to a remote host. As opposed to other remote login tools such as telnet and ssh, a reverse shell is initiated by the remote host. This technique of connecting outbound from the remote network allows for circumvention of firewalls that are configured to block inbound connections only.
A bind shell is a shell that is served from a normal forward network connection. _revsh_ supports both reverse and bind shells. To invoke a bind shell, either call _revsh_ with the _-b_ flag on both ends of the connection, or call the binary as ‘bindsh’.
Can’t I just use netcat?
There are many techniques for establishing a reverse shell, but these methods don’t provide terminal support. _revsh_ allows for a reverse shell whose connection is mediated by a pseudo-terminal, and thus allows for features such as:
In addition, _revsh_ also offers the following features:
_revsh_ is intended as a supplementary tool for a pentester’s toolkit that provides the full set of terminal features across an encrypted tunnel. All together in a small (~50k) easy to use binary.
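The difference between a pipe-only shell (the netcat case) and one mediated by a pseudo-terminal comes down to whether the child process sees a tty on its standard streams. The following is an added example, not code from _revsh_: it runs a small child process both ways and reports what the child's `isatty()` says. Names such as `child_sees_tty` are mine; the pty-backed path uses Python's standard `pty.fork()`.

```python
import os
import pty
import subprocess
import sys

# Hypothetical helper, not part of revsh: the child just reports whether its
# stdin is a terminal. Over plain pipes it is not; behind a pty it is.
CHILD = [sys.executable, "-c", "import sys; print(int(sys.stdin.isatty()))"]


def child_sees_tty(use_pty: bool) -> bool:
    """Return True if the child process believes it is attached to a tty."""
    if not use_pty:
        # Pipes only (the netcat situation): no line editing, no job control,
        # no signal keys, and screen-oriented programs refuse to run.
        result = subprocess.run(CHILD, stdin=subprocess.DEVNULL,
                                capture_output=True, text=True, check=True)
        return result.stdout.strip() == "1"

    # pty.fork() gives the child a controlling terminal; we hold the master
    # side, so whatever we read from `fd` is what a terminal would display.
    pid, fd = pty.fork()
    if pid == 0:
        try:
            os.execv(CHILD[0], CHILD)  # child never returns on success
        finally:
            os._exit(127)
    out = b""
    while True:
        try:
            chunk = os.read(fd, 1024)
        except OSError:  # Linux reports EIO once the slave side closes
            break
        if not chunk:
            break
        out += chunk
    os.close(fd)
    os.waitpid(pid, 0)
    # The pty line discipline turns "1\n" into "1\r\n"; strip() handles both.
    return out.strip().endswith(b"1")


if __name__ == "__main__":
    print("pipes only: child sees tty =", child_sees_tty(False))
    print("behind pty: child sees tty =", child_sees_tty(True))
```

The same test, run against a shell instead of a Python one-liner, is what decides whether `bash` offers readline editing and job control: it checks `isatty()` on its standard input at startup.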
_revsh_ was developed on x86_64 Linux. Here is a brief list of Arch / OS combinations that it has been used on:
(If you have successfully used revsh on another platform, drop me a line and I’ll add it to the list.)
```
empty@monkey:~$ revsh -h

Control:    revsh -c [CONTROL_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]
Target:     revsh [TARGET_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]

CONTROL_OPTIONS:
    -c                 Run in "command and control" mode.              (Default is target mode.)
    -a                 Enable Anonymous Diffie-Hellman mode.           (Default is Ephemeral Diffie-Hellman.)
    -d KEYS_DIR        Reference the keys in an alternate directory.   (Default is "~/.revsh/keys/".)
    -f RC_FILE         Reference an alternate rc file.                 (Default is "~/.revsh/rc".)
    -s SHELL           Invoke SHELL as the remote shell.               (Default is "/bin/bash".)
    -F LOG_FILE        Log general use and errors to LOG_FILE.         (No default set.)

TARGET_OPTIONS:
    -t SEC             Set the connection timeout to SEC seconds.      (Default is "3600".)
    -r SEC1,SEC2       Set the retry time to be SEC1 seconds, or       (Default is "600,1200".)
                       to be random in the range from SEC1 to SEC2.

MUTUAL_OPTIONS:
    -k                 Run in keep-alive mode.
                       Node will neither exit normally, nor seppuku from timeout.
    -L [LHOST:]LPORT:RHOST:RPORT
                       Static socket forwarding with a local listener
                       at LHOST:LPORT forwarding to RHOST:RPORT.
    -R [RHOST:]RPORT:LHOST:LPORT
                       Static socket forwarding with a remote listener
                       at RHOST:RPORT forwarding to LHOST:LPORT.
    -D [LHOST:]LPORT   Dynamic socket forwarding with a local listener
                       at LHOST:LPORT. (Socks 4, 4a, and 5. TCP connect only.)
    -B [RHOST:]RPORT   Dynamic socket forwarding with a remote listener
                       at LHOST:LPORT. (Socks 4, 4a, and 5. TCP connect only.)
    -x                 Disable automatic setup of proxies.             (Defaults: Proxy D2280 and tun/tap devices.)
    -b                 Start in bind shell mode.                       (Default is reverse shell mode.)
                       The -b flag must be invoked on both ends.
    -n                 Non-interactive netcat style data broker.       (Default is interactive w/remote tty.)
                       No tty. Useful for copying files.
    -v                 Verbose. -vv and -vvv increase verbosity.
    -h                 Print this help.
    -e                 Print out some usage examples.

    ADDRESS            The address of the control listener.            (Default is "0.0.0.0".)
    PORT               The port of the control listener.               (Default is "2200".)
```
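The forwarding flags in the help text share two small argument grammars: `-L` and `-R` take `[HOST:]PORT:HOST:PORT`, while `-D` and `-B` take `[HOST:]PORT`. The parser below is an added example and is not _revsh_ code; it exists only to make the grammar and its validation explicit. Function and class names (`parse_forward`, `StaticForward`, `DynamicForward`) are mine. The help text does not say which address is bound when the optional listener host is omitted, so the parser records it as `None` rather than guessing, and it does not handle bracketed IPv6 literals because the help text does not mention them.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class StaticForward:
    """One -L / -R entry: a listener that relays to a fixed destination."""
    listener_host: Optional[str]  # None when the optional [HOST:] prefix is omitted
    listener_port: int
    dest_host: str
    dest_port: int


@dataclass(frozen=True)
class DynamicForward:
    """One -D / -B entry: a SOCKS listener; the destination is chosen by the SOCKS client."""
    listener_host: Optional[str]
    listener_port: int


# Which end of the tunnel hosts the listener for each flag, as stated in the help text.
LISTENER_SIDE = {"-L": "local", "-D": "local", "-R": "remote", "-B": "remote"}


def _port(text: str) -> int:
    """Validate a decimal TCP port; rejects empty, non-numeric and out-of-range values."""
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def _host(text: str) -> str:
    """Reject an empty host component (e.g. a spec beginning with ':')."""
    if not text:
        raise ValueError("empty host")
    return text


def parse_static(spec: str) -> StaticForward:
    """Parse [HOST:]PORT:HOST:PORT (the -L and -R argument form)."""
    parts = spec.split(":")
    if len(parts) == 3:
        lhost, lport, dhost, dport = None, *parts
    elif len(parts) == 4:
        lhost, lport, dhost, dport = _host(parts[0]), *parts[1:]
    else:
        raise ValueError(f"expected [HOST:]PORT:HOST:PORT, got {spec!r}")
    return StaticForward(lhost, _port(lport), _host(dhost), _port(dport))


def parse_dynamic(spec: str) -> DynamicForward:
    """Parse [HOST:]PORT (the -D and -B argument form)."""
    parts = spec.split(":")
    if len(parts) == 1:
        return DynamicForward(None, _port(parts[0]))
    if len(parts) == 2:
        return DynamicForward(_host(parts[0]), _port(parts[1]))
    raise ValueError(f"expected [HOST:]PORT, got {spec!r}")


def parse_forward(flag: str, spec: str) -> Tuple[str, Union[StaticForward, DynamicForward]]:
    """Return (listener side, parsed spec) for one forwarding flag and its argument."""
    if flag not in LISTENER_SIDE:
        raise ValueError(f"not a forwarding flag: {flag!r}")
    parsed = parse_static(spec) if flag in ("-L", "-R") else parse_dynamic(spec)
    return LISTENER_SIDE[flag], parsed


if __name__ == "__main__":
    # Constructed sample arguments using RFC 5737 documentation addresses.
    for flag, spec in [("-L", "8080:192.0.2.10:80"),
                       ("-R", "192.0.2.1:2222:198.51.100.5:8443"),
                       ("-D", "1080")]:
        print(flag, spec, "->", parse_forward(flag, spec))
```

Splitting on every colon is what makes the optional host prefix unambiguous here: a static spec has exactly three or four components and a dynamic one exactly one or two, so any other count is a malformed argument rather than something to guess at.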