SSH support

README.md

@@ -2,17 +2,11 @@
 
 ![image](https://github.com/user-attachments/assets/4a390578-47cb-423a-87ca-ad681a46731c)
 
-# Installation
-
-**Docker**
+# Blog
 
-Replace `oneshell` commands with the following:
+For a detailed explanation of how the tool works, check out my blog on the topic [here](https://tantosec.com/blog/oneshell/).
 
-```bash
-docker run --rm -it -p 9001:9001 tantosec/oneshell
-```
-
-> Remember to update the value of the `-p` option to the port you are using.
+# Installation
 
 **Local install**
 
@@ -24,6 +18,16 @@ go install github.com/tantosec/oneshell@latest
 
 Download a binary from [the releases page.](https://github.com/tantosec/oneshell/releases)
 
+**Docker**
+
+Replace `oneshell` commands with the following:
+
+```bash
+docker run --rm -it -p 9001:9001 tantosec/oneshell
+```
+
+> Remember to update the value of the `-p` option to the port you are using.
+
 # Basic Usage
 
 If you want your payload to connect back to `localhost` on port `9001`, run the following command:
@@ -67,8 +71,6 @@ It turns out that there are a few ways to do this, mostly involving the `openssl
 
 "One Shell To Rule Them All", or `oneshell` for short, is a tool that can solve this problem. It does this by running an encrypted reverse shell using only the `echo` and `chmod` commands.
 
-To find out how it works, check out my blog on the topic [here](https://tantosec.com/blog/oneshell/).
-
 # Detailed requirements for a successful payload
 
 * Target can connect to your listener via TCP

cmd/root.go

@@ -2,10 +2,12 @@ package cmd
 
 import (
 	"log"
+	"net"
 	"os"
 
 	"github.com/spf13/cobra"
 	"github.com/tantosec/oneshell/pkg"
+	"golang.org/x/crypto/ssh"
 )
 
 var rootCmd = &cobra.Command{
@@ -21,20 +23,57 @@ additional code allowing the program to download a Golang binary containing the
 			log.Fatal(err)
 		}
 
+		sshHost, err := cmd.Flags().GetString("ssh")
+		if err != nil {
+			log.Fatal(err)
+		}
+
 		target, err := cmd.Flags().GetString("target")
 		if err != nil {
 			log.Fatal(err)
 		}
 
+		bypassSanityCheck, err := cmd.Flags().GetBool("bypass-ssh-sanity-check")
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		listenAddress, err := cmd.Flags().GetString("listen-address")
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		var sshConn *ssh.Client = nil
+
+		dialer := net.Dial
+
+		if sshHost != "" {
+			sshConn, err = pkg.ConnectToSSHHost(sshHost, listenAddress, port, bypassSanityCheck)
+			if err != nil {
+				log.Fatal(err)
+			}
+			dialer = sshConn.Dial
+		}
+
 		if target == "" {
-			target, err = pkg.GetMyIP()
+			target, err = pkg.GetIPUsingDialer(dialer)
 			if err != nil {
-				log.Fatalf("failed to automatically detect public ip: %v", err)
+				log.Fatalf("failed to automatically detect IP: %v", err)
 			}
-			log.Println("Target unspecified, using public IP")
+			log.Println("Target unspecified, using public IP:", target)
+		}
+
+		listener := pkg.Listener{
+			Listen:  net.Listen,
+			Address: listenAddress,
+			Port:    port,
+		}
+
+		if sshConn != nil {
+			listener.Listen = sshConn.Listen
 		}
 
-		err = pkg.Listen(target, port)
+		err = pkg.Listen(listener, target)
 		if err != nil {
 			log.Fatalf("error occurred when listening: %v", err)
 		}
@@ -49,6 +88,9 @@ func Execute() {
 }
 
 func init() {
-	rootCmd.Flags().StringP("target", "t", "", "Target IP/hostname for the victim to connect to (this machine). If left blank, will try and identify public IP automatically")
-	rootCmd.Flags().Uint16P("port", "p", 443, "Port to listen on")
+	rootCmd.Flags().StringP("target", "t", "", "Target IP/hostname for the victim to connect back to. If left blank, will try and identify automatically. Usually the public IP of the listening machine.")
+	rootCmd.Flags().StringP("listen-address", "l", "0.0.0.0", "IP address to listen on")
+	rootCmd.Flags().Uint16P("port", "p", 9001, "Port to listen on")
+	rootCmd.Flags().StringP("ssh", "s", "", "Name of SSH config file entry. If specified will listen on <port> on the remote machine instead of the local port")
+	rootCmd.Flags().Bool("bypass-ssh-sanity-check", false, "Bypass the test connection to the SSH machine to check if the SSH port forward works")
 }

go.mod

@@ -2,17 +2,17 @@ module github.com/tantosec/oneshell
 
 go 1.22.2
 
-require (
-	github.com/pion/stun v0.6.1
-	github.com/spf13/cobra v1.8.1
-)
+require github.com/spf13/cobra v1.8.1
 
 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/pion/dtls/v2 v2.2.7 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/transport/v2 v2.2.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/crypto v0.8.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
 )

go.sum

@@ -4,6 +4,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8=
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
@@ -32,6 +36,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -40,6 +46,7 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -51,10 +58,14 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

pkg/getip.go

@@ -1,56 +1,28 @@
 package pkg
 
 import (
-	"github.com/pion/stun"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
 )
 
-// Based off https://github.com/Snawoot/extip/blob/master/extip.go
-func QueryStunServerForIp(server string) (string, error) {
-	family := "udp4"
-	c, err := stun.Dial(family, server)
-	if err != nil {
-		return "", err
+func GetIPUsingDialer(dial func(network, addr string) (net.Conn, error)) (string, error) {
+	client := http.Client{
+		Transport: &http.Transport{
+			Dial: dial,
+		},
 	}
-	defer c.Close()
 
-	message, err := stun.Build(stun.TransactionID, stun.BindingRequest)
+	resp, err := client.Get("http://ifconfig.me/")
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to perform HTTP request: %v", err)
 	}
 
-	clientOut := make(chan stun.Event)
-	clientErr := make(chan error)
-
-	go func() {
-		err := c.Do(message, func(res stun.Event) {
-			clientOut <- res
-		})
-		if err != nil {
-			clientErr <- err
-		}
-	}()
-
-	select {
-	case err := <-clientErr:
-		return "", err
-	case res := <-clientOut:
-		if res.Error != nil {
-			return "", res.Error
-		}
-		var xorAddr stun.XORMappedAddress
-		if err := xorAddr.GetFrom(res.Message); err == nil {
-			return xorAddr.IP.String(), nil
-		} else {
-			var mappedAddr stun.MappedAddress
-			if err := mappedAddr.GetFrom(res.Message); err == nil {
-				return mappedAddr.IP.String(), nil
-			} else {
-				return "", err
-			}
-		}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read response body: %v", err)
 	}
-}
 
-func GetMyIP() (string, error) {
-	return QueryStunServerForIp("stun.l.google.com:19302")
+	return string(body), nil
 }