⏪ Reverse SSH Listenner (?)

[CosasDePuma]

I would like to know if it is possible to do reverse port forwarding (ssh -R 4444:0.0.0.0.0:4444) using the ssh_login module.

After getting a session, I have not been able to find any way to do port forwarding without escalating to meterpreter.

Likewise, doing sessions -u 1 after having set the corresponding LHOST and LPORT, returns nothing (which is another thing I don't understand):

[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.14.9:12443 
[*] Command stager progress: 100.00% (773/773 bytes)

--- nothing happens, no new session ---

I can ping from the victim machine to the attacker machine, so there is connectivity. I am not aware of any fw on the network either.

[sempervictus]

we have the infrastructure for it since i got rev ssh shells to work but it requires some plumbing: we have an ssh server module which accept null-auth sessions for rev shells and the SSH client stack for bind shells so if we can initiate channelization from the client (server-side requests aren't honored by clients) then we an leverage the SSH-native port-forwarding so long as the server side allows it.