
Kali Raspberry Pi Reverse Shell (STunnel)

I have Kali on an old Pi2 and was going through my copy of the "Penetration Testing with Raspberry Pi" book from PACKT. I had issues trying to figure this out, so I went to Google and found Charles Reid's notes and managed to make it work from there, but his page also has a very minor error which caused my setup to not work.

Working Setup

Setup Pi

On Client (RaspberryPi):

# Stunnel Config: /etc/stunnel/stunnel.conf
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = yes

[ssh]
accept = 443
connect = server-ip:443

Setup Server (i.e. Laptop)

On Server (my Laptop):

# Stunnel Config: /etc/stunnel/stunnel.conf
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = no

[ssh]
accept = 443
connect = 127.0.0.1:443

STunnel on Boot

Make sure both your kali-pi and command & control client start /etc/init.d/stunnel4 on boot.

systemd things into play

systemctl enable reverse-ssh
reboot (test if it comes back up)

This didn't work for me straight off the bat and I had to 'disable' and copy the systemd-generated 'reverse-ssh.service' file into place:

cp /run/systemd/generator.late/reverse-ssh.service /etc/systemd/system/

Then edit it to make sure it came up after ssh.service was running, because I was getting a bunch of these in the logs from bootup attempts on the Pi:

Jul 18 10:32:40 kaliwifipi reverse-ssh[142]: Opening reverse shell
Jul 18 10:32:41 kaliwifipi reverse-ssh[142]: ssh: connect to host localhost port 2200: Connection refused

So yeah, not playing ball, so I did the copy and then edited it like so:

# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/reverse-ssh
Description=LSB: Start reverse ssh at boot time
After=ssh.service

[Install]
WantedBy=multi-user.target

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/reverse-ssh start
ExecStop=/etc/init.d/reverse-ssh stop

Key things are 'After=ssh.service' and 'WantedBy=multi-user.target' - not sure about the latter, but systemctl complained about not having an '[Install]' block in the '.service' file, so, yeah, it comes up as required with this .service file.

Troubleshooting

In my case, Charles' original page has the SERVER stunnel.conf file with client = yes which, when I tried to ssh -p 443 root@localhost on my client (Pi), would fail and give me this error in the SERVER side logs:

SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.

This stackoverflow thread explains that this error occurs when the stunnel client tries to connect to an endpoint/server that's NOT SSL/stunnel, i.e. the two ends don't match up protocol-wise.

note

I just realized the stackoverflow ticket response is from Charles himself, who answers the issue, but I don't think there's any mental link back to his page, where the 'client = yes' in the wrong place is the cause of the protocol mismatch.
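Both failure modes in this post (the stunnel pair where the laptop wrongly has client = yes, and the generated reverse-ssh.service that starts before sshd and has no [Install] block) can be caught by reading the config files before rebooting. The checker below is an added example, not code from the original post, from Charles Reid's page or from stunnel/systemd; it parses the INI-style syntax both formats share and reports the two problems described above. The sample configs are constructed here, modelled on the post's own files, and the function names are the example's own.

```python
# Added example, not code from the original post or from stunnel/systemd.
# Constructed configs below mirror the post's files; names are the example's own.

def parse_ini_like(text):
    """Parse stunnel.conf / systemd unit syntax into {section: {key: [values]}}.
    Keys before the first [section] header land in the "" (global) section.
    Values are kept as lists because both formats allow a key to repeat."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections


def stunnel_is_client(conf, service):
    """Effective 'client' setting for a service: a per-service value wins over
    the global one; stunnel's default is 'no' (act as the TLS server)."""
    values = conf.get(service, {}).get("client") or conf[""].get("client") or ["no"]
    return values[-1].lower() in ("yes", "1", "on", "true")


def check_stunnel_pair(pi_text, server_text, service="ssh"):
    """Findings for a Pi/laptop stunnel.conf pair. Exactly one end must be
    client = yes; when both agree, a TLS client ends up talking to a plain TCP
    endpoint (or two TLS servers wait on each other) and stunnel logs the
    'SSL23_GET_SERVER_HELLO:unknown protocol' error quoted in the post."""
    findings = []
    confs = {"pi": parse_ini_like(pi_text), "server": parse_ini_like(server_text)}
    for name, conf in confs.items():
        if service not in conf:
            findings.append(f"{name}: no [{service}] section")
    if findings:
        return findings
    roles = {name: stunnel_is_client(conf, service) for name, conf in confs.items()}
    if roles["pi"] == roles["server"]:
        setting = "client = yes" if roles["pi"] else "client = no"
        findings.append(
            f"both ends use {setting}; the Pi must be client = yes and the laptop client = no"
        )
    return findings


def check_unit(unit_text, must_follow="ssh.service"):
    """Findings for a reverse-ssh .service unit: it must order itself after sshd
    (otherwise 'connect to host localhost port 2200: Connection refused' at boot)
    and carry an [Install] section so that 'systemctl enable' has a target."""
    findings = []
    unit = parse_ini_like(unit_text)
    after = " ".join(unit.get("Unit", {}).get("After", [])).split()
    if must_follow not in after:
        findings.append(f"[Unit] lacks After={must_follow}")
    if "WantedBy" not in unit.get("Install", {}):
        findings.append("no [Install] section with WantedBy=")
    return findings


# Constructed sample configs, modelled on the post's working files.
PI_CONF = """\
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = yes

[ssh]
accept = 443
connect = server-ip:443
"""
SERVER_CONF = PI_CONF.replace("client = yes", "client = no").replace("server-ip:443", "127.0.0.1:443")
SERVER_WRONG = SERVER_CONF.replace("client = no", "client = yes")  # the mistake the post describes

UNIT_FIXED = """\
[Unit]
Description=LSB: Start reverse ssh at boot time
After=ssh.service

[Install]
WantedBy=multi-user.target

[Service]
Type=forking
ExecStart=/etc/init.d/reverse-ssh start
"""
# Constructed stand-in for the generator output before the post's edits.
UNIT_GENERATED = UNIT_FIXED.replace("After=ssh.service\n", "").replace(
    "[Install]\nWantedBy=multi-user.target\n\n", "")

if __name__ == "__main__":
    print(check_stunnel_pair(PI_CONF, SERVER_CONF))   # no findings
    print(check_stunnel_pair(PI_CONF, SERVER_WRONG))  # one finding: both ends client = yes
    print(check_unit(UNIT_GENERATED))                 # two findings: After= and [Install]
```

Run it with the real files (`open('/etc/stunnel/stunnel.conf').read()` from each box, and the copied unit from /etc/systemd/system/) to get the same findings before the next reboot; the parser deliberately keeps repeated keys, since systemd's After= and stunnel's connect= may both appear more than once.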

Notes

The section for setting up 'stunnel', Chapter 2, page 46, is a bit shit. For example, there's no mention of the file 'server.key' anywhere and suddenly it pops up out of nowhere and you're supposed to know what it refers to. This section is pretty messy and not that easy to follow, whereas the page by Charles is pretty clearly laid out. Props to Charles.

Also, /etc/init.d/stunnel4 & 'systemctl restart/start stunnel4' is shithouse and doesn't actually start anything. I have to literally run 'stunnel4' and the daemon starts. w.t.actual.f.

References