WARNING: The following can turn you into a security hole. Keep your eyes open before doing anything.
Not exactly a “reverse shell”, but I guess it's more like remote ports?
For your own safety, please use at least OpenSSH 7.8p1 (the permitlisten option used below was added in 7.8).
useradd -m -s /sbin/nologin tunnel
GatewayPorts yes # in sshd_config. STOP!!! This is a HUGE security issue if you're running outdated software or weak passwords, and in general it's a stupid thing to do. If you're forwarding something that's behind a NAT/firewall, it's probably there for a reason.
Key options for the tunnel user's authorized_keys (one permitlisten per port; sshd does not accept a comma-separated list inside a single permitlisten value):
permitlisten="5001",permitlisten="5002",command="/sbin/nologin",restrict,port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2..
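An added audit script (not part of these notes or of OpenSSH) that checks an authorized_keys line for the lockdown used above: restrict present, a forced command, port-forwarding paired with permitlisten/permitopen, and every permitlisten/permitopen value a single [host:]port. The sample lines in the test are constructed.

```python
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")

def split_line(line):
    """Return (option field, rest): the field ends at the first unquoted space."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].strip()
    return line, ""

def split_options(field):
    """Split the option field on commas that are not inside double quotes."""
    out, cur, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur)] if cur else out

def valid_forward_spec(val):
    """True for a single [host:]port (or host:*); sshd accepts nothing else here."""
    _host, _sep, port = val.rpartition(":")
    return port == "*" or (port.isdigit() and 1 <= int(port) <= 65535)

def audit(line):
    """Return findings for one authorized_keys line; an empty list means it matches the lockdown."""
    head, _rest = split_line(line.strip())
    if head in KEY_TYPES:
        return ["no options: this key grants an unrestricted login"]
    opts = split_options(head)
    names = [o.partition("=")[0].lower() for o in opts]
    findings = []
    if "restrict" not in names:
        findings.append("missing restrict")
    if "command" not in names:
        findings.append("no forced command: restrict alone still allows shell/command execution")
    if "port-forwarding" in names and not {"permitlisten", "permitopen"} & set(names):
        findings.append("port-forwarding enabled without permitlisten/permitopen limits")
    for opt in opts:
        name, _eq, val = opt.partition("=")
        if name.lower() in ("permitlisten", "permitopen") and not valid_forward_spec(val.strip('"')):
            findings.append(f"{opt} is not a single [host:]port, so sshd will not accept this key")
    return findings
```

Run audit() over each line of the tunnel user's authorized_keys; any non-empty result is a key that is looser than the notes intend.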
#IMPORTANT!! MAKE SURE YOUR IPTABLES RULES ARE PERSISTENT if you rely on the following for security, and be sure to test them.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # sshd itself, which the reverse tunnels connect to
iptables -A INPUT -s 1.2.3.4/24 -j ACCEPT # the only network allowed to reach the forwarded ports (5001, 5002) when GatewayPorts is on
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j REJECT # everything else, including 5001/5002 from any other source
ssh-keygen -t rsa -b 4096 -C "jump1"
ssh-keygen -t rsa -b 4096 -C "jump2" -f /config/.ssh/id_rsa
ssh -f -n -N -C -R 5001:127.0.0.1:22 [email protected] # run on the target: publishes target:22 as port 5001 on the tunnel server
ssh -f -n -N -C -R 5001:127.0.0.1:22 -i /config/.ssh/id_rsa [email protected] # same, with the key generated as jump2
If you set GatewayPorts yes in sshd_config, then SSH to tunnelserver.mths.io:5001 reaches target:22 through the middleman. If you didn't, port 5001 is bound to the tunnel server's loopback only, so you'll need to use the server as a jump host.
For example, to easily put myself on the remote network, I can make myself a SOCKS proxy using:
ssh -D 5555 -C -p 5001 [email protected] # C for compress; the port goes in -p, ssh does not take host:port
ssh -J [email protected] -D 5555 -C -p 5001 [email protected] # C for compress, J for jump host; with GatewayPorts off, the destination is the 5001 listener on the jump host's loopback
If the jump account is the restricted tunnel user, note that port-forwarding also permits the local forward that -J uses, so that account can relay to any host:port the tunnel server can reach; add permitopen="127.0.0.1:5001" (one per allowed destination) to its key options to limit that.
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet has a good list of reverse shells (unencrypted, of course).