antonn
Posts: 9
Joined: Thu Feb 04, 2016 5:11 pm

Want to access Pi via reverse shell

Sun Jan 19, 2020 1:59 pm

Hello everyone,

I have a Pi running on a 4G network (RPI1) which means it doesn't have its own IP and can't be forwarded. I want to access a port on this pi for video monitoring, but that won't be possible. I have another Pi (RPI2) which CAN portforward. Now the idea is that RPI1 connects to RPI2 permanently, and that I can access RPI1 by connecting to RPI2.

Apparently I'm not the first person trying this, since this is called a "reverse SSH tunnel". Now I've been Googling for a while, and entering commands for a while, and I still don't understand how it really works.

* Do I have to enter a command only on RPI1 to connect to RPI2, or do I also need to run a command on RPI2?
* Which commands do I have to run in my case? I've been trying ports in every place a port is needed, but couldn't get it to work. Every place on the internet names the parameters differently in its explanation, and I am still confused by what is what, which command has to be entered where, etc.
* How can I keep this connection running between both Pis permanently? I assume I need a script on both Pis that runs the command again on boot?

[Image: scheme of the setup]

I created this scheme of my situation. I want to access RPI1 from my computer (via SSH, but also another port if possible).

Hope someone can help me with this.
Thanks in advance!

fruitoftheloom
Posts: 22688
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 2:21 pm

What is wrong with using VNC Connect ??

https://www.realvnc.com/en/raspberrypi/
Rather than negativity think outside the box !

Asus ChromeBox 3 Celeron is my other computer.

antonn
Posts: 9
Joined: Thu Feb 04, 2016 5:11 pm

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 2:31 pm

fruitoftheloom wrote:
Sun Jan 19, 2020 2:21 pm
What is wrong with using VNC Connect ??

https://www.realvnc.com/en/raspberrypi/
It doesn't seem to support port forwarding. I'd like to access RPI1 with my phone for remote camera access.

fruitoftheloom
Posts: 22688
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 2:51 pm

antonn wrote:
Sun Jan 19, 2020 2:31 pm
It doesn't seem to support portforwarding. I'd like to access RPI1 with my phone for remote camera access.

RealVNC Connect negates the need for port forwarding et al., but if you want to go the convoluted route, good luck.

antonn
Posts: 9
Joined: Thu Feb 04, 2016 5:11 pm

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 3:03 pm

I found this service myself, and it seems to be exactly what I need. This is an external service that acts like my RPI2 for the tunnel.

This might be a little less good since it is an external service, but it seems simpler.

https://serveo.net/

It seems to be offline now though. If someone can help me quicker I'd still be happy

fruitoftheloom
Posts: 22688
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 3:16 pm

antonn wrote:
Sun Jan 19, 2020 3:03 pm
I found this service myself, and it seems to be exactly what I need. This is an external service that acts like my RPI2 for the tunnel.

This might be a little less good since it is an external service, but it seems simpler.

https://serveo.net/

It seems to be offline now though. If someone can help me quicker I'd still be happy

http://serveo.net/

antonn
Posts: 9
Joined: Thu Feb 04, 2016 5:11 pm

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 3:19 pm

fruitoftheloom wrote:
Sun Jan 19, 2020 3:16 pm
http://serveo.net/
Yeah, I worked that out, but it says "Serveo is temporarily disabled due to phishing." and doesn't seem to work for now.

B.Goode
Posts: 9871
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 3:28 pm

Dataplicity ( https://www.dataplicity.com/ ) offer a similar service for RPi users.

If that doesn't meet your needs, see https://alternativeto.net/software/dataplicity/

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 3:30 pm

If you stick with SSH then you can automate the connection using a dedicated key. The gist is that you do the setup by first creating a reverse tunnel on a connection from port 22 on RPI1 to some other port on RPI2 over SSH. Then you'd go to RPI1 from your home computer using RPI2 as a "jump host" or bastion host.

On RPI1, the first step:

ssh -i somekey -R 2222:localhost:22 [email protected]

Then the second step on your home machine would be to hop through RPI2:

ssh -i anotherkey -J [email protected] -p 2222 localhost

And that will give you a shell on RPI1. If you wish to access a tunnelled port on RPI, then throw in a -L like the following for tunnelled HTTP access. Here is an alternative second step launched from your home computer:

ssh -L 3380:localhost:80 \
        -i anotherkey -J [email protected] -p 2222 localhost

With the first step in place, that would make port 80 on RPI1 available via port 3380 on your home computer.

The keys can be locked down with command="" once you have all that settled.

antonn
Posts: 9
Joined: Thu Feb 04, 2016 5:11 pm

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 3:55 pm

Isn't it possible for RPI2 to "broadcast" or "redirect" a port from RPI1 so I don't have to execute a command on my home computer? I'd also like to access it with my phone, etc.

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Want to access Pi via reverse shell

Sun Jan 19, 2020 4:39 pm

It is possible to access the port from anywhere via RPI2 if you set GatewayPorts to yes in sshd_config on RPI2 and then follow the steps above.

However, then everyone in the world can also access it so you will need some kind of access control or it will unavoidably get abused. The whole IPv4 address space is scanned 24/7 on all ports to find "interesting" services. So before you open the port up to the whole world, be sure you have at least some minimal password or key protecting the service it is connected to.
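
As an added example (not tpyo kingg's code, nor anything posted in the thread), here is a script for the RPI1 side that keeps the reverse tunnel from the first step above alive across 4G drops and reboots, together with the authorized_keys line that confines the tunnel key on RPI2 in the spirit of the command="" remark; the host name rpi2.example.com, the account name "tunnel" and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: keeps the reverse tunnel from RPI1
# to RPI2 alive across 4G drops, and builds the authorized_keys line that
# confines the tunnel key on RPI2.
# The host name, account name and key path below are assumptions (placeholders).
RPI2_HOST="${RPI2_HOST:-rpi2.example.com}"   # RPI2's public name or address
TUNNEL_USER="${TUNNEL_USER:-tunnel}"         # unprivileged account on RPI2, used only for this
KEY="${KEY:-$HOME/.ssh/tunnel_key}"          # dedicated key; RPI2 must already be in known_hosts
REMOTE_PORT="${REMOTE_PORT:-2222}"           # port on RPI2 that leads back to RPI1:22

# The ssh invocation, built as a string so it can be inspected without running it.
# -N: forward only, no shell.  ExitOnForwardFailure: if RPI2 still holds the old
# listener from a half-dead session, ssh exits and the loop retries instead of
# sitting idle with no tunnel.  ServerAlive*: a dead 4G link is noticed within
# about 90 s.  The port stays on RPI2's loopback unless GatewayPorts is enabled
# there, in which case it is reachable from the whole internet (see the post above).
tunnel_cmd() {
  printf 'ssh -i %s -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -o StrictHostKeyChecking=yes -R %s:localhost:22 %s@%s' \
    "$KEY" "$REMOTE_PORT" "$TUNNEL_USER" "$RPI2_HOST"
}

# Reconnect loop: ssh returns whenever the session dies, so sleep and retry.
# Start it from rc.local or a systemd unit so it comes up at boot; only RPI1
# needs it, RPI2 just runs sshd.
keep_tunnel_up() {
  while :; do
    eval "$(tunnel_cmd)"
    sleep 15
  done
}

# authorized_keys entry for RPI2: 'restrict' disables pty, agent/X11 forwarding and
# rc files; 'port-forwarding' re-enables forwarding but 'permitlisten' confines the
# -R side to this one port; the forced command means the key can never yield a shell.
# $1 is the contents of tunnel_key.pub.
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$REMOTE_PORT" "$1"
}

# Substring check used to verify the generated command line.
contains() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

case "${1:-}" in
  run)  keep_tunnel_up ;;
  show) tunnel_cmd; echo; authorized_keys_line "$(cat "$KEY.pub")" ;;
esac
```

Run it as `sh tunnel.sh show` to print the command and the authorized_keys line, and as `sh tunnel.sh run` (from rc.local or a systemd unit) to keep the tunnel up; the key needs an empty passphrase because BatchMode never prompts.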

Lewis-H
Posts: 26
Joined: Thu Oct 31, 2019 12:45 pm

Re: Want to access Pi via reverse shell

Wed Jan 22, 2020 2:20 pm

Choose a device to be your server; this will typically be a VPS or something of that sort that is internet facing. Or... it can be something on your local network. In this example I will use my remote VPS as the server, and my laptop as the attack client (the device I will be controlling). Through this setup, I will be able to control my laptop from my server without ever port forwarding.

On my server, I will set up the handler with

./reverse_ssh.ssh -s <my server's external IP> <the port I want to use>

so in my case, it is

./reverse_ssh.ssh -s 100.100.100.100 30

(that IP is only a placeholder :P this would actually be your server's IP).

This will hang there waiting for a connection. This is when we move onto our client or attack box (this could be the Raspberry Pi).

The syntax works like this.
./reverse_ssh.sh -c <ip of handler> <port of handler> <reconnect time in seconds>

The script will attempt to connect to the server until it establishes a connection with it. Once established, it will stop printing "Attempting connection" and will hang. This is when we should hop on over to our attack client.
If we did everything correctly, our server should present us with a password login prompt, it says "localhost", which actually, in fact, means our remote client. Once we enter the password, we will have our reverse ssh root shell! From here we can do anything the client can do, including firing up airodump-ng and doing some WEP cracking.
