Configuring a USB Armory as a reverse SSH server via Tor hidden service

I performed the following on Ubuntu 15.10. My USB Armory (UA) is using the current Debian Jessie image. I used an Anker to format and image my SD card.


System setup

I use UFW to manage my main system’s iptables firewall, which is always enabled, but we need to allow routed traffic:

sudo ufw default allow routed

sudo ufw reload

When plugging in my UA, I have to verify in the kernel log what Ubuntu is calling the UA:

sudo cat /var/log/kern.log |grep usb0

See “enx1a5589a26942: renamed from usb0”, where enx1a5589a26942 is the name of the UA.


sudo /sbin/ip link set enx1a5589a26942 up

sudo /sbin/ip addr add dev enx1a5589a26942

sudo /sbin/iptables -t nat -A POSTROUTING -s -o wlan0 -j MASQUERADE

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

Now I can SSH to my UA.

Configure the USB Armory

ssh usbarmory@

Set the locale (I use en_US.UTF-8):

sudo dpkg-reconfigure locales

Create a new user with admin privileges then delete the default UA user:

sudo adduser yawnbox

sudo adduser yawnbox sudo

sudo su yawnbox

sudo deluser --remove-home usbarmory

Then I configure the time. ntp is obsolete, use Jake’s tlsdate.

sudo apt-get update

sudo apt-get dist-upgrade -V

sudo apt-get remove --purge ntp -y

sudo apt-get install tlsdate -y

sudo tlsdate -V

Now we need to assure that the system time is going to be updated every time it boots.

sudo crontab -e

I <3 vim. Then add this line to the bottom:

@reboot tlsdate -V -n -H

Install tor:

sudo vim /etc/apt/sources.list


deb jessie main
deb-src jessie main
deb tor-experimental-0.2.7.x-jessie main
deb-src tor-experimental-0.2.7.x-jessie main


gpg --keyserver --recv 886DDD89

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Then install:

sudo apt-get update

sudo apt-get install tor

Configure your hidden service:

sudo vim /etc/tor/torrc

Uncomment these two lines only:

HiddenServiceDir /var/lib/tor/other_hidden_service/

HiddenServicePort 22

Restart tor:

sudo service tor restart

Get (and document it somewhere) your onion address:

sudo cat /var/lib/tor/other_hidden_service/hostname

Configure openssh-server :

sudo vim /etc/ssh/sshd_config

Comment out these lines:

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Edit these lines:

ServerKeyBits 4096
PermitRootLogin no

Test access

Edit your openssh-client to torify your SSH:

sudo vim /etc/ssh/ssh_config

Add (under “Host *”)

proxyCommand ncat --proxy --proxy-type socks5 %h %p


sudo service ssh restart

Then SSH to the hidden service address hosted on your UA:

ssh yawnbox@2f4ov33h7utnjs.onion

Other thoughts

When inserting the UA into a Windows 7 client, it auto installs a driver for a “USB Ethernet/RNDIS Gadget”. Windows assigns it a non-routable 169.254.* address, but the UA will send out over 100 packets within the first 5 minutes. Tor and tlsdate can’t wait to touch the net 😉