When using the Reverse Shell functionality with a fixed sensor, there are three steps involved.

  1. Configure one or more Reverse Shells on the sensor.
  2. Run the SSH Receiver script on the designated SSH Receiver to place it into a listening state for incoming connections.
  3. Connect via SSH using one of the three methods available.

Assuming there are no questions in regards to the first two steps, let's focus on step three and the three methods available when establishing the Reverse SSH connection with the sensor:

  • CLI Access
  • Proxy Pivoting
  • Protocol Forwarding


CLI Access

For CLI Access, type ssh pwnie@localhost -p xxxx and press Enter, replacing "xxxx" with one of the Receiver Ports identified as listening at the end of step 2.
After login, type sudo su and press Enter, then re-type the password to become superuser.

From this point forward, you have an SSH connection established with the sensor, providing the ability to run from the command line any application/tool installed on the sensor. This is the most common of the three methods.

Proxy Pivoting

For Proxy Pivoting, type ssh pwnie@localhost -p xxxx -ND 8080 and press Enter, replacing "xxxx" with one of the Receiver Ports identified to be listening after running the Receiver script on the SSH Receiver. After login, the prompt becomes non-interactive (the -N flag opens no remote shell), i.e. it appears to hang and does not allow you to type anything. This is normal. Instead, you next need to configure the proxy settings of a web browser installed on the SSH Receiver system to use a SOCKS5 proxy and forward all connectivity to IP 127.0.0.1 using port 8080.

From this point forward, anything typed in the Address Bar of the web browser will be proxied from the SSH Receiver upstream to the sensor, and on to any accessible web application in the remote network the sensor is located within. This method is very useful when you want or need to access the web-based UI of any application in the remote network. In fact, if you install a web-based application on the sensor itself, you can access the web UI of that application the same way. Some customers choose to install Nessus on the Pwn Pro, then access the Nessus web UI in this manner.
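Because the -ND session gives no visual feedback, it helps to have a way to confirm the dynamic forward is actually answering before you troubleshoot browser proxy settings. The script below is an added example, not part of this article or of the Pwn Pro tooling: it speaks the SOCKS5 negotiation (RFC 1928) that the browser would speak to 127.0.0.1:8080, asks the forward to CONNECT to a target, and reports the server's reply code. The proxy address 127.0.0.1:8080 matches the command above; the target host and port passed on the command line are placeholders you substitute for a system in the remote network.

```python
import socket
import struct
import sys

# RFC 1928 section 6 reply codes, used to explain what the SSH forward answered.
REPLY_CODES = {
    0: "succeeded",
    1: "general SOCKS server failure",
    2: "connection not allowed by ruleset",
    3: "network unreachable",
    4: "host unreachable",
    5: "connection refused",
    6: "TTL expired",
    7: "command not supported",
    8: "address type not supported",
}


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[0x00 "no authentication"]; ssh -D listeners
    # do not authenticate SOCKS clients, so this is the only method offered.
    return b"\x05\x01\x00"


def parse_method_selection(data: bytes) -> int:
    # Server answers VER=5 plus the chosen method; 0xFF means none accepted.
    if len(data) != 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 method selection: %r" % data)
    return data[1]


def build_connect_request(host: str, port: int) -> bytes:
    # VER=5, CMD=1 (CONNECT), RSV=0, then ATYP + address + 16-bit port.
    # IPv4 literals go as ATYP=1; anything else goes as ATYP=3 (domain name),
    # which lets the sensor resolve the name inside the remote network.
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple:
    # VER REP RSV ATYP BND.ADDR BND.PORT -> (code, meaning, bound_addr, bound_port)
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    rep, atyp = data[1], data[3]
    if atyp == 1:
        bound, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 3:
        n = data[4]
        bound, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 4:
        bound, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, REPLY_CODES.get(rep, "unknown reply code"), bound, port


def check_pivot(target_host: str, target_port: int,
                proxy_host: str = "127.0.0.1", proxy_port: int = 8080,
                timeout: float = 10.0) -> tuple:
    # Performs the full handshake against the ssh -D listener and returns the
    # parsed CONNECT reply. A "succeeded" reply proves the tunnel reaches the
    # target; "connection refused"/"host unreachable" come back from the sensor's
    # side of the tunnel, while a socket error here means the local forward is down.
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        if parse_method_selection(s.recv(2)) != 0:
            raise RuntimeError("proxy rejected no-auth method")
        s.sendall(build_connect_request(target_host, target_port))
        return parse_reply(s.recv(262))  # max reply size per RFC 1928


if __name__ == "__main__":
    # Placeholder target (assumption): any host reachable from the sensor's network.
    host = sys.argv[1] if len(sys.argv) > 1 else "x.x.x.x"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    code, meaning, bound, bport = check_pivot(host, port)
    print("SOCKS5 CONNECT %s:%d via 127.0.0.1:8080 -> %d (%s), bound %s:%d"
          % (host, port, code, meaning, bound, bport))
```

Run it on the SSH Receiver while the -ND session is open, e.g. `python3 check_pivot.py 10.0.0.5 80` (constructed target). A "succeeded" reply confirms both the local SOCKS listener and the path from the sensor to the target; if the script cannot even connect to 127.0.0.1:8080, the SSH session has dropped or was started without -D.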

Protocol Forwarding

For Protocol Forwarding, type ssh pwnie@localhost -p xxxx -NL 3389:x.x.x.x:3389 and press Enter, replacing "xxxx" with one of the Receiver Ports identified to be listening after running the Receiver script on the SSH Receiver, and replacing "x.x.x.x" with the IP address of a system in the same remote network the sensor itself is located within. After login, the prompt becomes non-interactive, i.e. it appears to hang and does not allow you to type anything. This is normal.

From this point forward, when you run the rdesktop command on the SSH Receiver system, i.e. type rdesktop localhost and press Enter, the RDP connection will be forwarded from the SSH Receiver upstream to the IP address specified, presenting you with the desktop of the Windows system in the remote network. This is the method to use when you want to obtain RDP connectivity with a system in the remote network. Note that you are not limited to forwarding RDP. For example, you could forward VNC instead by typing ssh pwnie@localhost -p xxxx -NL 5800:x.x.x.x:5800 and pressing Enter, then running a VNC client on the SSH Receiver with localhost as the target.