SSH Agent Forwarding.md

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

This post explains it well and details the safer ssh -J alternative.

👋 ❤️

Adding to this, ssh-add(1) can be used to list/manage identities. :)

root@[redacted]:~# SSH_AUTH_SOCK="/tmp/ssh-[redacted]/agent.[redacted]" ssh-add -l
256 SHA256:[redacted] [redacted].key (ED25519)
root@[redacted]:~#

The above example lists the fingerprints and private key filenames for a particular agent.

This technique works on both local and forwarded agents!

Fantastic recon technique! Thank you for the additional knowledge @wvu-r7 ❤️

Likewise! Thank you for sharing.

Slightly tangential, but related to abusing ssh configurations for lateral movement:

Look for ControlMaster auto and ControlPath in ssh config files. You can use the ControlPath to find control sockets that are currently open to remote servers, then ssh to that same remote server, usually without having to reauthenticate or go through 2FA.

The down side to this is that you're multiplexed using the first connection, so if the first connection gets terminated then your connection also goes down. So maybe have something handy to be ready to drop backup keys (~/.ssh/authorized_keys2 is often still a valid keys file and not usually clobbered by host configuration tools like chef/puppet/salt/etc) or otherwise establish persistence once you ride-along.

That's also a great one, @0xdade! Thanks for the share. I guess while we're at it, haha...

Kerberos authentication can also be leveraged for lateral movement, often with SSH. The KRB5CCNAME environment variable can be set to the path of a user's credentials (ticket) cache, usually in /tmp. klist(1) can be used to view the cache.

@0xdade great add! I may have run into those in a former life 😉 Sometimes I have to remember to check /etc/ssh/ssh_config in addition to the home directory ~/.ssh/config files.

@wvu-r7 holy smokes, TIL! Can't wait to hit a Windows machine with this.

Both ssh -L and -R can forward Unix sockets, too. Might be useful when performing SSH gymnastics.

Thank you, this is cool stuff.
There are quite a few operations defined in the agent-forwarding spec.

A particularly interesting one is using the agent to perform private key signing operations, without having access to the key itself.

Here is a simple POC that shows this in action

https://github.com/dandare100/agentstub

Wish I could react to gist comments. Thanks for the contribution!

@dandare100 TIL! Thank you for sharing that.

cool runnings