OpenSSL Server Reverse Shell from Windows Client

By Carrie Roberts (@OrOneEqualsOne)

I loved learning about this simple shell using only OpenSSL by @int0x33. OpenSSL comes installed by default on most Linux and OS X operating systems, making this Command and Control (C2) option viable for these targets. But let’s figure out what to do to establish a C2 session from a Windows client to the OpenSSL server.

Combining pieces of the solution from here and here, gives us this beautiful solution.

Note that the domain specified in the AuthenticateAsClient call is what will show up in the SNI field of the TLS negotiation so you may want to change that from fake.domain to something more believable. On the Server, generate your certificates and start the listener as documented by @int0x33.

On the victim system, open a PowerShell prompt and paste in the code from above, replacing the IP address on the first line with your server’s IP address.

Be sure to press Enter after the last line of code.

Now we have a C2 session established to our server running openssl with the s_server option. The image below shows commands entered in red and their responses in green.

This is what the network traffic looks like in Wireshark.

To increase the likelihood of bypassing host and network-based detections, use the following suggestions.

1) Use port 443 (instead of port 9876 given in this example). You must change it on both the server and the client.

2) Use a trusted certificate on your server, such as the cert.pem and privkey.pem files that are generated by Let’s Encrypt and commonly found at /etc/letsencrypt/live/<your domain>/. Then substitute your domain name for the IP address in the PowerShell script.

3) Use this technique to generate an executable that will use .Net instead of PowerShell and has built-in script block logging and AMSI bypasses. You’ll just need to turn the PowerShell script into one line by separating the statements with semi-colons.

Fun stuff. If you are on a pentest and are looking for a quick C2 connection this might do it for you.