Reverse SSH over Tor on the Pwnie Express

The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.

While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.

Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.

These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.

Disclaimer: although these modifications are very safe, I’m in no way responsible if you somehow manage to brick your Pwnie.

 1. Configuring the Server

First we’ll configure the (BackTrack 5) server that will be receiving SSH connections over Tor from the Pwnie. If you’re not familiar with the details of Tor Hidden Services, they essentially work by allowing a client and a server to ‘meet’ anonymously somewhere in the Tor cloud. The beauty of this is that once you’ve configured your server, you can take it anywhere in the world and any client will be able to reach it via Tor, regardless of whether your IP address has changed. This means that once you’ve configured a Pwnie with your Tor (.onion) address, you’ll be able to receive connections from it no matter where you are (eg. airport, internet cafe, hotels), as long as both the Pwnie and your computer are able to connect to the Tor network.

Step 1: Install Tor. I’m not going to explain how to do this as it’s both extremely easy and well documented for Mac OS X, Windows and Linux.

Step 2: Set up your Tor Hidden Service. To do this edit ‘/etc/tor/torrc’ and add the following lines into the hidden services section (~ line 70):

HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22

Run ‘/etc/init.d/tor restart’ to restart Tor and create the hidden service, then ‘cat /var/lib/tor/ssh/hostname’ to get your Tor hostname (16 characters followed by .onion). Note this down, as this is the address you’ll be putting into the Pwnie.

Step 3: Start SSHD (/etc/init.d/ssh start). You server is now ready to receive SSH connections over Tor.

2. Configuring the Pwnie

Add the following line to ‘/etc/apt/sources.list’:

deb http://ftp.de.debian.org/debian lenny main

If you were to run ‘apt-get update’, you’d probably get the following GPG error:

W: GPG error: http://ftp.de.debian.org lenny Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B NO_PUBKEY 4D270D06F42584E6

So you’ll need to install the necessary GPG keys using the following commands:

# gpg –keyserver pgpkeys.mit.edu –recv-key  9AA38DCD55BE302B
# gpg -a –export 9AA38DCD55BE302B | sudo apt-key add –

# gpg –keyserver pgpkeys.mit.edu –recv-key  4D270D06F42584E6
# gpg -a –export 4D270D06F42584E6 | sudo apt-key add –

Now run ‘apt-get update’, followed by:

# apt-get –no-install-recommends install tor tor-geoipdb

This will install Tor. You may need to wait a bit for Tor to get started, but you can check that it works by running ‘tor-resolve www.google.com’, which should return an IP address. If it doesn’t, run ‘tail /var/log/tor/log’, and you should see the following line somewhere if Tor is working properly:

[notice] Tor has successfully opened a circuit. Looks like client functionality is working.

Once Tor is working, you can move on to configuring SSH to use it for the reverse proxy. You’ll need to download and compile connect.c, which will allow SSH to make use of the Tor proxy.

# wget https://savannah.gnu.org/maintenance/connect.c
# gcc -o /usr/local/bin/connect connect.c
# chmod 755 /usr/local/bin/connect
# chown root.root /usr/local/bin/connect

Edit ‘/etc/ssh/ssh_config’ and add the following lines at the bottom. This will tell Tor to automatically use the new connect tool whenever it’s given a Tor Hidden Service (.onion) address:

Host *.onion
ProxyCommand /usr/local/bin/connect -S localhost:9050 %h %p

Next disable the Tor startup script, as we probably don’t want Tor to be running unless it’s needed.

# update-rc.d -f tor remove

You now just need to configure the Pwnie with the SSH server’s Tor address. I’ve modified the Pwnie’s user interface and scripts to enable the necessary functionality for Tor. Download the modified scripts here, and move them to their equivalent locations on the Pwnie:

/var/pwnplug/plugui/app.rb
/var/pwnplug/plugui/methods.rb
/var/pwnplug/plugui/views/script_form.erb
/var/pwnplug/plugui/views/system.erb
/var/pwnplug/script_configs/reverse_ssh_over_Tor_config.sh
/var/pwnplug/scripts/reverse_ssh_over_Tor.sh

Once that’s done reboot your Pwnie (important). When the Pwnie has rebooted, you should be able to connect to the Pwnie’s web interface (Reverse Shells tab) and see the Tor configuration field at the bottom of the page (screenshot below). Check the checkbox, insert your server’s Tor hostname and click Configure All Shells.

3. Making the Connection

It may take a few minutes, but if both Tor client and server are working correctly, you should eventually see a connection from the Pwnie if you run ‘watch netstat -lntup’ (or pwnwatch.sh) on your server, you should see:

tcp        0      0 127.0.0.1:3330          0.0.0.0:*               LISTEN      15007/sshd: pwnplug

Once the Pwnie successfully establishes a reverse SSH connection, the server will listen on localhost:3330. Run ‘ssh [email protected] -p 3330′ to connect (or run pwnconnect.sh -t)!

Conclusion

You should familiarise yourself with how Tor actually works in order to better understand how it anonymises traffic. If you truly want to make sure that your Pwnie can’t point back to you, you should obviously not put any IPs in there. You should also make sure that all logs that may contain IPs or other information are cleared.

I hope you found this useful! Any feedback is welcome. Let me know if you manage to get this working, or run into any issues. Leave a comment below, send me an email, or message me on Twitter.