Reverse Shells With Terminal Support: revsh
2015-02-15T19:48:35Type n0where
Reporter N0where
Modified 2015-02-15T19:48:35
Description
_ revsh _ is a tool for establishing reverse shells with terminal support, reverse VPNs for advanced pivoting , as well as arbitrary data tunneling. A reverse shell is a network connection that grants shell access to a remote host. As opposed to other remote login tools such as telnet and ssh , a reverse shell is initiated by the remote host. This technique of connecting outbound from the remote network allows for circumvention of firewalls that are configured to block inbound connections only.
A bind shell is a shell that is served from a normal forward network connection. _ revsh _ supports both reverse and bind shells. To invoke a bind shell, either call _ revsh _ with the _ -b _ flag on both ends of the connection, or call the binary as ‘bindsh’.
Can’t I just use netcat ?
There are many techniques for establishing a reverse shell, but these methods don’t provide terminal support. _ revsh _ allows for a reverse shell whose connection is mediated by a pseudo-terminal , and thus allows for features such as:
- job control
- control character processing (e.g Ctrl-C )
- auto-completion
- support for programs requiring a controlling tty (e.g. sudo )
- processing of window re-size events
In addition, _ revsh _ also offers the following features:
- UTF-8 support.
- Circumvents utmp / wtmp . (No login recorded.)
- Processes rc file commands upon login for easy scripting.
- OpenSSL encryption with key based authentication baked into the binary.
- Anonymous Diffie-Hellman encryption upon request.
- Ephemeral Diffie-Hellman encryption as default. (Now with more Perfect Forward Secrecy !)
- Cert pinning for protection against sinkholes and mitm counter-intrusion.
- Connection timeout for remote process self-termination.
- Randomized retry timers for non-predictable auto-reconnection.
- Netcat style non-interactive data brokering for file transfer.
- Proxy support: point-to-point, SOCKS 4, SOCKS 4a, and SOCKS 5. Proxys are available in both directions for complete flexibility.
- TUN / TAP support for forwarding raw IP packets / Ethernet frames.
- Escape sequence commands to kill non-responsive nodes, or print connection statistics.
_ revsh _ is intended as a supplementary tool for a pentester’s toolkit that provides the full set of terminal features across an encrypted tunnel. All together in a small (~50k) easy to use binary.
Where can I use _ revsh _ ?
_ revsh _ was developed on x86_64 Linux. Here is a brief list of Arch / OS combinations that it has been used on:
- x86_64 Linux
- i686 Linux
- amd64 FreeBSD
(If you have successfully used revsh on another platform, drop me a line and I’ll add it to the list.)
Usage
empty@monkey:~$ revsh -h
Control: revsh -c [CONTROL_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]
Target: revsh [TARGET_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]
CONTROL_OPTIONS:
-c Run in "command and control" mode. (Default is target mode.)
-a Enable Anonymous Diffie-Hellman mode. (Default is Ephemeral Diffie-Hellman.)
-d KEYS_DIR Reference the keys in an alternate directory. (Default is "~/.revsh/keys/".)
-f RC_FILE Reference an alternate rc file. (Default is "~/.revsh/rc".)
-s SHELL Invoke SHELL as the remote shell. (Default is "/bin/bash".)
-F LOG_FILE Log general use and errors to LOG_FILE. (No default set.)
TARGET_OPTIONS:
-t SEC Set the connection timeout to SEC seconds. (Default is "3600".)
-r SEC1,SEC2 Set the retry time to be SEC1 seconds, or (Default is "600,1200".)
to be random in the range from SEC1 to SEC2.
MUTUAL_OPTIONS:
-k Run in keep-alive mode. Node will neither
exit normally, nor seppuku from timeout.
-L [LHOST:]LPORT:RHOST:RPORT
Static socket forwarding with a local
listener at LHOST:LPORT forwarding to
RHOST:RPORT.
-R [RHOST:]RPORT:LHOST:LPORT
Static socket forwarding with a remote
listener at RHOST:RPORT forwarding to
LHOST:LPORT.
-D [LHOST:]LPORT
Dynamic socket forwarding with a local
listener at LHOST:LPORT. (Socks 4, 4a, and 5. TCP connect only.)
-B [RHOST:]RPORT
Dynamic socket forwarding with a remote
listener at LHOST:LPORT. (Socks 4, 4a, and 5. TCP connect only.)
-x Disable automatic setup of proxies. (Defaults: Proxy D2280 and tun/tap devices.)
-b Start in bind shell mode. (Default is reverse shell mode.)
The -b flag must be invoked on both ends.
-n Non-interactive netcat style data broker. (Default is interactive w/remote tty.)
No tty. Useful for copying files.
-v Verbose. -vv and -vvv increase verbosity.
-h Print this help.
-e Print out some usage examples.
ADDRESS The address of the control listener. (Default is "0.0.0.0".)
PORT The port of the control listener. (Default is "2200".)
