Shells & SSH
This page contains non-technical information about the concept of shells and SSH.
SSH:
Why SSH?
SSH, or Secure Shell, is a cryptographic network protocol developed in 1995 by Tatu Ylönen. Operating on its default port, 22, SSH enables secure communication over unsecured networks.
Initially designed for secure remote access to Unix-like operating systems, SSH allows users to log into remote machines and execute commands as if they were working on a local console, providing a secure and efficient way to manage remote systems.
SSH for Pentesters:
Reverse shells are often unstable, making SSH connections a more reliable alternative for maintaining access. When pentesters encounter cleartext credentials or an SSH private key, they can use these to establish a stable connection to the target system via SSH.
Types of SSH Keys
Public Key:
Stored on the target server.
Typically saved in the authorized_keys file located in the .ssh directory within the user's home directory.
Private Key:
Remains on the attacker's machine.
Passed as an argument in the SSH command during connection.
When connecting via SSH, the server checks whether the public key offered by the client matches one listed in the authorized_keys file. If the client then proves it holds the corresponding private key, the server grants access, giving a secure and stable connection.
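The server-side lookup described above, as an added example that is not part of the original page: a small parser for authorized_keys entries (options, key type, key blob, comment) that checks a presented public key against the list the way the server does and prints the same SHA256 fingerprint format as ssh-keygen -lf. The sample file and its key bytes are constructed placeholders, not real keys.

```python
import base64, binascii, hashlib, shlex, struct
from dataclasses import dataclass
# Key types sshd accepts in authorized_keys (common subset).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

@dataclass
class AuthorizedKey:
    options: str    # e.g. 'from=10.0.0.0/8,no-pty' (quotes stripped); empty = unrestricted
    key_type: str
    blob: bytes     # decoded public-key wire blob
    comment: str

    @property
    def fingerprint(self) -> str:
        # Same format ssh-keygen -lf prints: SHA256 of the blob, base64 without padding.
        return "SHA256:" + base64.b64encode(hashlib.sha256(self.blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text; blank, comment and malformed lines are skipped, as sshd does."""
    keys = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # copes with quoted option values containing spaces
            idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            # The blob names its own key type in its first length-prefixed string.
            embedded_type = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()
        except (ValueError, StopIteration, IndexError, binascii.Error, struct.error):
            continue
        if embedded_type != tokens[idx]:
            continue  # declared type and blob disagree: reject rather than guess
        keys.append(AuthorizedKey(" ".join(tokens[:idx]), tokens[idx], blob,
                                  " ".join(tokens[idx + 2:])))
    return keys

def is_authorized(keys, key_type: str, blob: bytes) -> bool:
    """Mirror the server-side check: the presented public key must equal a listed entry."""
    return any(k.key_type == key_type and k.blob == blob for k in keys)

def ed25519_blob(raw32: bytes) -> bytes:  # wire blob for a 32-byte Ed25519 key (samples only)
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32

# Constructed sample file: the key bytes are arbitrary placeholders, not real keys.
BACKUP_BLOB, ALICE_BLOB = ed25519_blob(bytes(range(32))), ed25519_blob(bytes(32))
SAMPLE = (
    "# constructed sample authorized_keys\n"
    f'from="10.0.0.0/8",command="/usr/bin/backup" ssh-ed25519 {base64.b64encode(BACKUP_BLOB).decode()} backup@host\n'
    f"ssh-ed25519 {base64.b64encode(ALICE_BLOB).decode()} alice@laptop\n"
    "ssh-rsa AAAA corrupt-entry\n"  # blob too short to be valid; must be skipped
)
```

Entries whose options field lacks from= or command= are the ones worth reviewing first on a real server, since any holder of the private key can use them from anywhere.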
Shells:
Shell types:
Reverse shell: From Target to Attacker (the attacker runs the listener).
Bind Shell: From Attacker to Target (the target listens, binding to a port).
Web Shell: Runs operating system commands via the web browser. Typically non-interactive or semi-interactive, and can also be used to run single commands.
A Web Shell is typically a web script, i.e., PHP or ASPX, that accepts our command through HTTP request parameters such as GET or POST parameters, executes our command, and prints its output back on the web page. So our commands simply get executed on the server and the response is sent back to be rendered on the page. So if we send a reverse shell command to it and it successfully gets executed, expect a non-responsive web page and a hit back on the listener we set up on our machine beforehand. We can look at it as if the process that handles our request is on our hook, managing the connection it initialized.