When using the Reverse Shell functionality with a fixed sensor, there are three steps involved:
- Configure one or more Reverse Shells on the sensor.
- Run the SSH Receiver script on the designated SSH Receiver to place it into a listening state for incoming connections.
- Connect via SSH using one of the three methods available.
Assuming there are no questions regarding the first two steps, let's focus on step three and the three methods available for establishing the Reverse SSH connection with the sensor:
- CLI Access
- Proxy Pivoting
- Protocol Forwarding
For CLI Access, type the following and press Enter, replacing "xxxx" with one of the Receiver Ports identified as listening at the end of step 2:
ssh pwnie@localhost -p xxxx
After login, type the following and press Enter, then re-enter the password to become superuser:
sudo su
From this point forward, you have an SSH connection established with the sensor, providing the ability to run any application/tool installed on the sensor from the command line. This is the most commonly used of the three methods.
For Proxy Pivoting, type the following and press Enter, replacing "xxxx" with one of the Receiver Ports identified as listening after running the Receiver script on the SSH Receiver:
ssh pwnie@localhost -p xxxx -ND 8080
After login, the prompt becomes non-interactive, i.e. it appears to hang and does not allow you to type anything. This is normal: the -N option requests no remote shell, only the forward. Instead, you next need to configure the proxy settings of a web browser installed on the SSH Receiver system to use a SOCKS5 proxy and forward all connectivity to IP 127.0.0.1 using port 8080.
From this point forward, anything typed in the Address Bar of the web browser will be proxied from the SSH Receiver upstream to the sensor, and on to any accessible web application in the remote network the sensor is located within. This method is very useful when you want or need to access the web-based UI of any application in the remote network. In fact, if you install a web-based application on the sensor, you can access the web UI of that application as well. Some customers choose to install Nessus on the Pwn Pro, then access the Nessus web UI in this manner.
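To confirm that a Proxy Pivoting tunnel is actually forwarding before pointing a browser at it, the following script (an added example, not part of the Pwnie Express documentation or product) speaks SOCKS5 to the local ssh -ND 8080 listener on the SSH Receiver and asks the sensor to connect to a host in the remote network. The function names and the target host are assumptions; 127.0.0.1:8080 matches the proxy settings described above.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
# Reply codes from RFC 1928 section 6
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}

def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[no authentication]; ssh -D offers no-auth only
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def build_connect(host: str, port: int) -> bytes:
    # VER, CMD=CONNECT(1), RSV=0, ATYP=DOMAINNAME(3) so the name is resolved on the
    # sensor side (same effect as a browser's "proxy DNS" setting), then DST.PORT
    name = host.encode()
    return bytes([SOCKS_VERSION, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)

def parse_reply(data: bytes) -> tuple:
    # Returns (REP code, human-readable meaning) from the server's CONNECT reply
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data[:4])
    return data[1], REPLY_TEXT.get(data[1], "unknown reply code")

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def check_pivot(target_host: str, target_port: int,
                proxy=("127.0.0.1", 8080), timeout: float = 5.0) -> tuple:
    # Speaks SOCKS5 to the local dynamic forward and asks the sensor to CONNECT
    # to target_host:target_port; (0, "succeeded") means the pivot is usable.
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            return 0xFF, "proxy rejected the no-authentication method"
        s.sendall(build_connect(target_host, target_port))
        return parse_reply(_recv_exact(s, 4))
```

Run check_pivot("intranet.example", 80) on the SSH Receiver once the ssh -ND 8080 session is up (the host name is a placeholder for a web server in the sensor's remote network); any reply other than (0, "succeeded") tells you whether the tunnel, the ruleset or the target itself is the problem.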
For Protocol Forwarding, type the following and press Enter, replacing "xxxx" with one of the Receiver Ports identified as listening after running the Receiver script on the SSH Receiver, and replacing "x.x.x.x" with the IP address of a system in the same remote network the sensor itself is located within:
ssh pwnie@localhost -p xxxx -NL 3389:x.x.x.x:3389
After login, the prompt becomes non-interactive, i.e. it appears to hang and does not allow you to type anything. This is normal.
From this point forward, when you run the rdesktop command on the SSH Receiver system as follows and press Enter,
rdesktop localhost
the RDP connection will be forwarded from the SSH Receiver, upstream to the IP address specified, subsequently presenting you with the desktop of the Windows system in the remote network. This is the method to use when you want to obtain RDP connectivity with a system in the remote network. Additionally, note that you are not limited to forwarding RDP. Alternatively, you could forward VNC by typing the following and pressing Enter,
ssh pwnie@localhost -p xxxx -NL 5800:x.x.x.x:5800
then subsequently running a VNC client on the SSH Receiver, specifying localhost as the target.