SSHenanigans! More than just a restaurant with goofy shit on the wall and mozzarella sticks.
Realistically we only have 5 minutes, so get with me after if something needs a bit more clarification. Call bullshit if you hear bullshit, and otherwise mock me.
If you know something cool I didn't cover, awesome! Let me know!
What it is:
- Secure Network Protocol
- Implementation Utilities
What it provides:
- Secure File Transfer
- Remote System Management
- Tunneling
- X11 and Authentication Agent Forwarding
ssh [options] <destination> [command [args]]
Follow along:
ssh -t slides.tseivan.com join <SESSION_ID>
Host *
    ServerAliveInterval 30
    ServerAliveCountMax 5
    LogLevel QUIET
    IdentityFile ~/.ssh/zwned
    Compression yes
    User zwned
    ControlMaster auto
    ControlPath ~/.ssh/controlsocks/%r@%h:%p
    ControlPersist yes

Host VanHalen
    HostName 3.4.5.6
    Port 443

Host farmhouse
    HostName 1.2.3.4
    ProxyCommand ssh VanHalen -W %h:%p
    LocalForward 3333 127.0.0.1:3333

Host LetsGetPhysical
    HostName 5.4.3.2
    ProxyCommand ssh VanHalen -W %h:%p
    DynamicForward 1080
    # RemoteForward is the ssh_config keyword for -R (there is no ReverseForward option)
    RemoteForward 42022 127.0.0.1:22
Grab remote services down to your local machine
You're SSHd to a host with a database and you want to run your cool database app against the remote servers database
ssh -L [local_bind_ip:]<local_port>:<destination_ip>:<destination_port> example.com [command]
Examples:
# Connect to example.com and expose remote postgres database to LAN
ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
# Connect to example.com and bind remote MSSQL on 1.2.3.4 to 127.0.0.1:1433
ssh -L 1433:1.2.3.4:1433 example.com
# Connect to example.com and expose development HTTPS locally (192.168.1.37 on port 8443)
ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
Shovel local services to your remote machines
You deploy a network dropbox and you want to ensure a remote host can SSH into the protected network
ssh -R [remote_bind_ip:]<remote_port>:<local_destination_ip>:<local_destination_port> example.com [command]
Examples:
# Expose the local SSH service on example.com as 127.0.0.1:42022 (listening on example.com, forwarded to local port 22)
ssh -R 42022:127.0.0.1:22 example.com
# Local-side 1.2.3.4:443 will now be reachable on any interface of example.com (port 443); sshd needs GatewayPorts yes for a non-loopback bind
ssh -R 0.0.0.0:443:1.2.3.4:443 example.com
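The -L and -R specs above share one four-field grammar and are easy to read backwards. This is an added helper, not from the talk, that decodes a spec into which side listens and where the connection ends up; it assumes the [bind_address:]port:host:hostport form from ssh(1) and plain IPv4 addresses or hostnames (no bracketed IPv6).

```shell
#!/bin/sh
# Decode an ssh -L / -R forwarding spec: who listens where, and where
# the forwarded connection is made from.
# Spec grammar (ssh(1)): [bind_address:]port:host:hostport
explain_forward() {
  mode=$1    # "-L" or "-R"
  spec=$2
  # Four colon-separated fields means a bind address was given, three means not.
  nfields=$(printf '%s' "$spec" | awk -F: '{print NF}')
  case $nfields in
    4) bind=${spec%%:*}; rest=${spec#*:} ;;
    3) bind=""; rest=$spec ;;
    *) printf 'invalid spec: %s\n' "$spec"; return 1 ;;
  esac
  port=${rest%%:*}; rest=${rest#*:}
  host=${rest%%:*}; hostport=${rest#*:}
  case $mode in
    -L)
      # -L: the client listens; default bind is loopback unless GatewayPorts says otherwise.
      [ -z "$bind" ] && bind=127.0.0.1
      printf 'client listens on %s:%s -> server connects to %s:%s\n' \
        "$bind" "$port" "$host" "$hostport" ;;
    -R)
      # -R: the server listens; default bind is its loopback, and a wildcard
      # bind only takes effect when sshd has GatewayPorts enabled.
      [ -z "$bind" ] && bind=127.0.0.1
      printf 'server listens on %s:%s -> client connects to %s:%s\n' \
        "$bind" "$port" "$host" "$hostport" ;;
    *) printf 'mode must be -L or -R\n'; return 1 ;;
  esac
}

# The slide's examples, decoded.
explain_forward -L 0.0.0.0:5433:127.0.0.1:5432
explain_forward -L 1433:1.2.3.4:1433
explain_forward -R 42022:127.0.0.1:22
explain_forward -R 0.0.0.0:443:1.2.3.4:443
```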
Create dynamic connections initiated from the remote host
You want to watch BBC4 but you don't live in the UK
ssh -D [local_bind_ip:]<local_port> example.com [command]
Example:
# point local proxy tools to 127.0.0.1:8080
ssh -D 8080 example.com
Use in conjunction with any socks enabled tool:
- proxychains
- foxyproxy
- proxifier
Moar:
proxychains nmap -Pn -sT -p21,22,23,25,80,443 -v 1.2.3.4
zwned@remote:~$
zwned@remote:~$ ~?
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
<enter>
<enter>
~C
SSH> -L 8080:127.0.0.1:8080
SSH> -KD8088
Sit on the same network as the remote machine
Trying to perform limited layer 2 attacks against remote resources
ssh -w local_tuntap_number:remote_tuntap_number example.com
We need to go deeper:
- ProxyCommand (OG)
ssh -o ProxyCommand="ssh -W %h:%p jump_server" final_destination
- ProxyJump (NKOTB)
ssh -J jump_server final_destination
ssh -J jump_server1,jump_server2,jump_serverN final_destination
Tons of SSH tunnels take a lot of overhead. ControlMaster sockets can help, but not without introducing potential issues.
Rather than each new SSH connection to a server opening up a new TCP socket, you multiplex all of your SSH connections through one socket. Authentication happens only once; all subsequent connections are multiplexed over the existing ControlMaster socket.
If someone has read access to the socket ... they have access to your existing authenticated SSH connection. Set a time limit on your ControlMaster sockets (ControlPersist yes keeps the master open indefinitely; give ControlPersist a duration instead).
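To turn that warning into a check, this is an added audit script, not from the talk, that reads an ssh_config and flags a ControlPersist that never expires and a ControlPath directory that is not mode 700; it assumes "Keyword value" lines as on the slide (not Keyword=value) and a GNU or BSD stat.

```shell
#!/bin/sh
# Audit an ssh_config for the two ControlMaster risks: a master that never
# expires (ControlPersist yes or 0) and a socket directory others can reach.
audit_controlmaster() {
  cfg=$1; findings=0
  # ssh_config keywords are case-insensitive, so compare lowercased.
  persist=$(awk 'tolower($1)=="controlpersist"{print tolower($2); exit}' "$cfg")
  cpath=$(awk 'tolower($1)=="controlpath"{print $2; exit}' "$cfg")
  case $persist in
    yes|0) echo "ControlPersist $persist keeps the authenticated master open indefinitely; set a limit such as ControlPersist 10m"
           findings=$((findings+1)) ;;
  esac
  if [ -n "$cpath" ]; then
    dir=$(dirname "$cpath")
    case $dir in "~"*) dir=$HOME${dir#\~} ;; esac   # expand a leading ~
    if [ -d "$dir" ]; then
      mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
      case $mode in
        700) ;;
        *) echo "ControlPath directory $dir is mode $mode; anyone who can reach the socket can reuse your session, chmod 700 it"
           findings=$((findings+1)) ;;
      esac
    else
      echo "ControlPath directory $dir does not exist; ssh cannot create the master socket"
      findings=$((findings+1))
    fi
  fi
  echo "findings: $findings"
}

# Constructed sample: write a throwaway config mirroring the slide's Host *
# block with the given directory mode and ControlPersist value, run the
# audit and print only its summary line.
demo_audit() {
  tmp=$(mktemp -d); mkdir -m "$1" "$tmp/controlsocks"
  printf 'Host *\n  ControlMaster auto\n  ControlPath %s/controlsocks/%%r@%%h:%%p\n  ControlPersist %s\n' \
    "$tmp" "$2" > "$tmp/config"
  audit_controlmaster "$tmp/config" | tail -n 1
  rm -rf "$tmp"
}

demo_audit 755 yes   # the slide's settings: findings: 2
demo_audit 700 10m   # hardened: findings: 0
```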
ControlMaster controlpath tokens:
%% A literal ‘%’.
%C Hash of %l%h%p%r.
%d Local user’s home directory.
%h The remote hostname.
%i The local user ID.
%L The local hostname.
%l The local hostname, including the domain name.
%n The original remote hostname, as given on the command line.
%p The remote port.
%r The remote username.
%T The local tun(4) or tap(4) network interface assigned
%u The local username.
For those lacking gray hair/gray beard, rc stands for "run commands". If present on the client, the client will issue commands serially after authenticating to the server as long as no options override its execution:
- UseLogin is set
- PermitUserRC is set to no
- ForceCommand is set
- no-user-rc is present in authorized_keys on the remote host for the current authentication
Can exist in the following locations:
- /etc/ssh/sshrc (global for all users)
- ~/.ssh/rc (evaluated on a per user basis)
- https://github.com/ivantsepp/ssh-slides
- The Black Magic of SSH / SSH Can Do That?
- https://www.openssh.com/manual.html