[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reverse Shell?

Jacob S wrote:
> I have a friend that I'm helping upgrade Debian on their desktop. This
> friend is not very computer literate - even in Windows. So they're
> having a problem that I need to troubleshoot, but they're behind a
> firewall so I can't ssh into their computer.
> There are not currently any ports forwarded from the firewall to this
> computer and we do not have any access to the firewall to enable
> something like this, either. What I am hoping is that I can have them
> establish an ssh connection into my firewall with some software that
> would then allow me to get a shell on their computer.

If the firewall is a corporate security measure then almost certainly
this type of access is not allowed by the employer.  Most company's
contracts say that tunneling past security measures are grounds for
termination.  I am saying this because if your friend is behind a
firewall that they do not control and also not very computer literate
they are probably not aware of the issues and might put themselves
into a bad situation without knowing it.  You might need to make a
trip with them to their actual machine.  That is usually allowed
because the access is supervised.  But of course every employer has
different rules.

If this were a simple home firewall such as a cable modem router then
the easiest thing would be to open the ssh port so that you could log
into their computer.

However if that is difficult, the security issues understood, then you
can open a tunnel with ssh from their machine to yours.  You could
follow the tunnel back to their machine and then help them.  Here is
an example:

  ssh -N -P -R 2222:$(hostname):22 user@remotehost

That ssh's into the remote machine and opens a listening connection on
port 2222.  Connections to that port will be forwarded through the
tunnel to the local host port 22.  You would give your friend a login
on your machine (user@remotehost) and they would also give you a login
on their machine too so that you would be able to log in there.

You should be able to test the connection on your end with 'nc'
(netcat) or telnet.

  nc localhost 2222
  SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4

Control-C out of that, the connection is just to test that the tunnel
is working in a direct way.

The above command does not need any special privileges, does not need
to run as root or anything.  Just run it as a non-root user.  I
included the -P option just in case though as some firewalls block
outbound access from privileged ports.  For a truly reliable
connection you would want to use '-oBatchmode=yes' or
'-oServerAliveInterval=300'.  I use Batchmode but for that you would
need RSA keys set up for a fully automated login because passwords are
interactive.  Some firewalls will drop idle connections and a diddle
is needed to keep the connection alive.

You would connect to your friend's machine through the tunnel like

  ssh -p 2222 localhost


Attachment: signature.asc
Description: Digital signature

Reply to: