
Kali Raspberry Pi Reverse Shell (STunnel)

I have Kali on an old Pi2 and was going through my copy of the "Penetration Testing with Raspberry Pi" book from PACKT. I had issues trying to figure this out, so I went to Google and found Charles Reid's notes and managed to make it work from there, but his page also has a very minor error which caused my setup to not work.

Working Setup

Setup Pi

On Client (RaspberryPi):

```
# Stunnel Config: /etc/stunnel/stunnel.conf
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = yes

[ssh]
accept = 443
connect = server-ip:443
```

Setup Server (i.e. Laptop)

On Server (my Laptop):

```
# Stunnel Config: /etc/stunnel/stunnel.conf
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = no

[ssh]
accept = 443
connect =
```

STunnel on Boot

Make sure both your Kali Pi and your command & control client start /etc/init.d/stunnel4 on boot.

Then systemd comes into play:

```
systemctl enable reverse-ssh
reboot
```

(test if it comes back up)

This didn't work for me straight off the bat, and I had to 'disable' and copy the systemd-generated 'reverse-ssh.service' file into place:

```
cp /run/systemd/generator.late/reverse-ssh.service /etc/systemd/system/
```

Then I edited it to make sure it came up after ssh.service was running, because I was getting a bunch of these in the logs from boot-up attempts on the Pi:

```
Jul 18 10:32:40 kaliwifipi reverse-ssh[142]: Opening reverse shell
Jul 18 10:32:41 kaliwifipi reverse-ssh[142]: ssh: connect to host localhost port 2200: Connection refused
```

So yea, not playing ball, so I did the copy and then edited it like so:

```
# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/reverse-ssh
Description=LSB: Start reverse ssh at boot time
After=ssh.service

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/reverse-ssh start
ExecStop=/etc/init.d/reverse-ssh stop
```

The key things are 'After=ssh.service' and 'WantedBy=multi-user.target'. Not sure about the latter, but systemctl complained about not having an '[Install]' block in the '.service' file, so, yea, it comes up as required with this .service file.


In my case, Charles's original page has the SERVER stunnel.conf file with client = yes which, when I tried to ssh -p 443 <user>@<host> on my client (Pi), would fail and give me this error in the SERVER side logs:

SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.

which, according to this stackoverflow thread, is the error you get when the stunnel client tries to connect to an endpoint/server that's NOT SSL/stunnel, i.e. the two ends don't match up protocol-wise.


I just realized the stackoverflow answer is from Charles himself, but I don't think there's any mental link back to his page, where the 'client = yes' in the wrong place is the cause of the protocol mismatch.
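As an added example (not code from the book or from Charles's page), here is a small Python checker that parses the two stunnel.conf files and flags exactly this mismatch, both ends saying client = yes, plus a connect/accept port mismatch. The sample configs are constructed from the values on this page; the laptop's connect target is assumed, since the page leaves it blank.

```python
"""Check a pair of stunnel.conf files for the mismatch described above (both ends
client = yes).  Added example; not code from the book or Charles Reid's page."""
import configparser

GLOBAL = "global"  # synthetic section for options before the first [service]


def parse_stunnel_conf(text):
    # stunnel.conf is INI-like; only '=' separates keys from values, so a
    # 'connect = host:443' line must not be split on the colon.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(f"[{GLOBAL}]\n" + text)
    return cp


def is_client(cp, service):
    # 'client' may be global or per-service (per-service wins); stunnel defaults to no.
    val = cp.get(service, "client", fallback=cp.get(GLOBAL, "client", fallback="no"))
    return val.strip().lower() == "yes"


def port_of(endpoint):
    return endpoint.rsplit(":", 1)[-1].strip()  # 'port' or 'host:port'


def check_pair(initiator_conf, listener_conf, service="ssh"):
    """Problems with the [service] tunnel between the end that dials out (the Pi)
    and the end that listens (the laptop); an empty list means they complement."""
    ini, lis = parse_stunnel_conf(initiator_conf), parse_stunnel_conf(listener_conf)
    problems = []
    if is_client(ini, service) == is_client(lis, service):
        problems.append(f"[{service}] both ends have client = "
                        f"{'yes' if is_client(ini, service) else 'no'}; the tunnel "
                        "must be client = yes on the dialing end and client = no on the listener")
    if port_of(ini.get(service, "connect", fallback="")) != port_of(lis.get(service, "accept", fallback="")):
        problems.append(f"[{service}] initiator 'connect' port != listener 'accept' port")
    return problems


# Constructed from the values on this page; the laptop's 'connect' line is blank
# there, so it is assumed here to point at the laptop's local sshd.
PI_CONF = "client = yes\n\n[ssh]\naccept = 443\nconnect = server-ip:443\n"
SERVER_OK = "client = no\n\n[ssh]\naccept = 443\nconnect = 127.0.0.1:22\n"
SERVER_BAD = SERVER_OK.replace("client = no", "client = yes")  # as on Charles's page

if __name__ == "__main__":
    print("ok pair:", check_pair(PI_CONF, SERVER_OK))
    print("bad pair:", check_pair(PI_CONF, SERVER_BAD))
```

The bad pair reproduces the situation in the logs above: the listening stunnel, thinking it is a client, accepts the Pi's TLS connection as if it were plaintext and then tries an SSL_connect against plain sshd, which answers with an SSH banner rather than a ServerHello.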


The section for setting up 'stunnel', Chapter 2, page 46, is a bit shit. For example, there's no mention of the file 'server.key' anywhere, and suddenly it pops up out of nowhere and you're supposed to know what it refers to. This section is pretty messy and not that easy to follow, whereas the page by Charles is pretty clearly laid out. Props to Charles.

Also, /etc/init.d/stunnel4 & 'systemctl restart/start stunnel4' is shithouse and doesn't actually start anything. I have to literally run 'stunnel4' and the daemon starts. w.t.actual.f.