
Remote Shells

Remote shells are an important part of ethical hacking. You will spend a lot of time using them during penetration tests and, if you take part in them, in CTF competitions.

In the previous topic we introduced the concept of shells. In this article we will discuss remote shells, and demonstrate how we can use them to communicate with a remote system.

In these examples we will be using Linux. You should be familiar with common Linux shell commands from the Linux Trainer; if you can't remember them well, revisit the trainer to refresh your knowledge.

The two protocols introduced below are common ways of talking to remote servers. While SSH is the standard, it's also worth considering Telnet, as it is still used to configure things like switches, routers and embedded devices.

Telnet

Telnet was one of the original (1969) methods of getting a remote shell on a server. While the protocol is now rarely used over the internet, due to its lack of encryption, it is still commonly used for accessing embedded devices over serial connections.

Note

Due to the way it processes line endings compared to Netcat, I also find Telnet useful for interacting with services such as mail servers [1][2].

We can initiate a Telnet session with the command telnet <target>. For example:

$ telnet 172.16.0.1
Trying 172.16.0.1...
Connected to 172.16.0.1.
Escape character is '^]'.

Once we have connected over Telnet, we can interact with the remote system using whatever shell has been set up.

While Telnet is not normally used as a remote shell, it is still useful for interacting with other remote services. For example, it gives us a simple form of banner grabbing. In the example below I connect to an HTTP server; as part of the response we get the server version.

$ telnet cueh.coventry.ac.uk 80
Trying 194.66.34.56...
Connected to cueh.coventry.ac.uk.
Escape character is '^]'.
GET /
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>CUEH</title>

    ----8<------ SNIP -----

Task

Try using Telnet to grab a page from a web server.

  1. Connect to the host using telnet
  2. Send the command GET /
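The same banner grab done with a raw socket instead of the telnet client, as an added example that is not part of the original article. It starts a throwaway HTTP server on localhost so it runs offline (the server and its page are constructed for the example); point grab_banner() at your own host and port to see exactly what version string your server discloses. It sends CRLF line endings explicitly, which is what Telnet does and the note above alludes to, and it shows why the bare "GET /" from the task returns only a page body: that is an HTTP/0.9 request, to which servers reply without a status line or headers, whereas "GET / HTTP/1.0" makes the Server header visible.

```python
"""Banner grab over a raw TCP socket, mirroring the telnet session above.

Added example (not from the original article). The local test server below is
constructed so the script runs offline; grab_banner() works against any host:port.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class QuietHandler(BaseHTTPRequestHandler):
    """Serve a fixed page and suppress request logging (constructed for the example)."""

    def do_GET(self):
        body = b"<!DOCTYPE html>\n<html><head><title>constructed test page</title></head></html>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_test_server():
    """Bind an ephemeral port on 127.0.0.1 and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab_banner(host, port, request_line="GET / HTTP/1.0", timeout=5.0):
    """Send one request line (CRLF-terminated, as Telnet does) and read the reply.

    A bare 'GET /' is an HTTP/0.9 request: the server returns only the body, so
    there is no Server header to read. With 'HTTP/1.0' appended the server sends a
    status line and headers first. Returns (status_line, headers, body); status and
    headers are empty for an HTTP/0.9 reply.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request_line.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # server closed the connection: reply complete
                break
            chunks.append(data)
    raw = b"".join(chunks)
    if not raw.startswith(b"HTTP/"):
        return "", {}, raw.decode(errors="replace")
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode(errors="replace")


def server_header(host, port):
    """Return just the Server header value, or None if the server sends none."""
    _, headers, _ = grab_banner(host, port)
    return headers.get("server")


if __name__ == "__main__":
    srv = start_test_server()
    host, port = srv.server_address
    print("HTTP/0.9 'GET /' reply starts:", grab_banner(host, port, "GET /")[2][:40])
    print("Server header via HTTP/1.0:", server_header(host, port))
    srv.shutdown()
```

If a server you administer returns a detailed Server header here, that is the information the banner-grabbing step above collects; most web servers have a setting to shorten or suppress it.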

Secure Shell (SSH)

This is probably the most common way of getting a shell on a remote system. Unlike Telnet, which communicates in plain text, SSH encrypts the communication with the server.

When using a terminal to connect over SSH, the command consists of three parts:

$ ssh <user>@<host>

  • ssh is the command name
  • user is the username to log in as
  • host is the system you wish to connect to, which can be either an IP address or a domain name

So to SSH into the hacker account on example.org we would use:

$ ssh hacker@example.org

Windows 10 (from 2018) should have an SSH client enabled by default. The client is OpenSSH (which is very common on Linux distros), so the commands should map across nicely.

Note

I found getting SSH keys to work reliably a bit of a PITA, but that's mostly due to not quite getting the way ssh-agent worked. Once set up, it's been solid though.

Windows users can also connect over SSH using tools such as PuTTY or MobaXterm (see further reading if you're interested).

Like Telnet, once we have connected over SSH we are presented with a remote version of the shell on the target system.

We will take a closer look at SSH (and the SSH server) in the next article.

Remote Shell Servers

As we said in the introduction, both Telnet and SSH shells make use of a server program to listen for connections and handle them.

Usually these servers run as a daemon, managed by the OS as a background process. While neither SSH nor Telnet is commonly enabled by default on most Linux systems, it is worth checking the process list to see whether a process for either exists.
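One way to do that check on a Linux host, as an added example that is not part of the original article: parse the listening-socket table printed by `ss -tlnp` and report anything bound to the SSH (22) or Telnet (23) port together with the owning process. The sample output embedded below is constructed for the example, not captured from a real host; get_live_listeners() runs the real command and assumes iproute2 is installed and that you have enough privilege for `ss` to show process names.

```python
"""Find Telnet/SSH daemons from `ss -tlnp` output.

Added example (not from the original article). SAMPLE_SS_OUTPUT is constructed;
get_live_listeners() assumes a Linux host with iproute2's `ss` on the PATH.
"""
import re
import subprocess

# Default ports for the two protocols discussed in the article.
REMOTE_SHELL_PORTS = {22: "ssh", 23: "telnet"}

# Constructed sample of `ss -tlnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       10      127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=455,fd=7))
LISTEN  0       5       *:23                 *:*                users:(("inetd",pid=301,fd=5))
"""

# Process name and pid inside the users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_local_port(addr):
    """Return the port from an ss local address such as 0.0.0.0:22, [::]:22 or *:23."""
    return int(addr.rsplit(":", 1)[1])


def find_remote_shell_listeners(ss_output, ports=REMOTE_SHELL_PORTS):
    """Return one dict per LISTEN socket bound to a port in `ports`.

    Each dict carries protocol, local address, port, process name and pid; process and
    pid are None when `ss` was run without the privilege needed to show the owner.
    """
    found = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        port = parse_local_port(local)
        if port not in ports:
            continue
        m = _PROC_RE.search(line)
        found.append({
            "protocol": ports[port],
            "local": local,
            "port": port,
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return found


def get_live_listeners():
    """Run `ss -tlnp` on this host (assumes Linux with iproute2 installed)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return find_remote_shell_listeners(out)


if __name__ == "__main__":
    for e in find_remote_shell_listeners(SAMPLE_SS_OUTPUT):
        print(f"{e['protocol']:7} on {e['local']:18} -> {e['process']} (pid {e['pid']})")
```

A Telnet listener owned by inetd or telnetd, as in the sample's last line, is the one worth acting on: it accepts plaintext logins, so either disable it or restrict it to the management network.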

Remote shell servers on Windows

By default, Windows doesn't come with any remote shell servers enabled (probably due to its GUI focus). However, depending on the software installed, we can still access a Windows box via a remote shell.

For example, every Windows installation comes with a Telnet server installed, so if it is enabled we can use this to connect in the same way we would to a 'Nix system. Other options include SSH servers, or executing commands remotely using PsExec.

During a pentest, a common way of getting a remote shell on a Windows box is by uploading and executing a script on the server. For example, we could use a vulnerable web server to upload a PHP reverse shell. We can connect to these in the same way as we would on a Linux-based target, although the shell itself will normally be CMD.exe.

In summary

In this article we have looked at the 'traditional' ways of getting a remote shell. SSH is pretty much the standard for connecting to remote systems, although we do still encounter Telnet on occasion.

However, while being able to use these shells is fundamental for the system admin side of pentesting, we will normally need a sneakier way of getting a shell on the system. In the next article we will look at Netcat, a tool that comes up in most engagements, and also look at more interesting ways of getting a remote shell.

Further reading

  1. And MUDs. If you ever find yourself in Ankh-Morpork, let me know.

  2. Yes, I know we can ask Netcat to use the proper line endings, but old habits die hard.