SSH for Penetration Testing
SSH stands for Secure Shell and listens on port 22 by default. As penetration testers we know the uses and power of SSH for remote access to systems, and during a penetration test it can be a very handy tool.
This post explains some of the SSH techniques that can be used during a penetration test.
Local Forwarding using SSH
Sometimes we come across scenarios where we need a service on the remote host to be accessible from the local host or local network. Root is required.
ssh -L 127.0.0.1:10521:127.0.0.1:1521 user@192.168.1.10   # port 1521 on the remote host becomes 127.0.0.1:10521 locally
~/.ssh/config:
LocalForward 127.0.0.1:10521 127.0.0.1:1521
Remote Forwarding using SSH
This technique is the complete opposite of the previous one. Remote forwarding with SSH comes to the rescue in those penetration testing scenarios where we need a service on the local machine or local network to be accessible to the remote host through a listener on the remote side. This might sound odd (why would I want my machine reachable from a remote host?), but let's face it, we all need to expose a service that lets us download our penetration testing tools.
Here is a practical example:
The SSH server will be able to reach TCP port 80 on the SSH client by connecting to 127.0.0.1:8000 on the SSH server.
ssh -R 127.0.0.1:8000:127.0.0.1:80 192.168.1.10
~/.ssh/config:
RemoteForward 127.0.0.1:8000 127.0.0.1:80
SOCKS Proxy using SSH
Here we set up a SOCKS proxy on 127.0.0.1:8000 that lets you pivot through the remote host 192.168.1.10.
ssh -D 127.0.0.1:8000 192.168.1.10
~/.ssh/config:
Host 192.168.1.10
    DynamicForward 127.0.0.1:8000
X11 Forwarding using SSH
If your SSH client machine is also an X server, you can launch X clients (e.g. Firefox) inside your SSH session and display them on your X server. This works well from Linux X servers and from cygwin's X server on Windows.
ssh -X 10.0.0.1
ssh -Y 10.0.0.1   # trusted X11 forwarding: less secure alternative, but faster
~/.ssh/config:
ForwardX11 yes
ForwardX11Trusted yes   # less secure alternative, but faster
SSH Authorized Keys
SSH stands for Secure Shell, and to actually be secure it is always advisable to use key-based authentication for the SSH connection. This helps prevent unwanted hosts from taking advantage of the penetration testing setup and keeps the engagement secure.
That being said, it is good practice to add an authorized_keys file that lets you log in using an SSH key.
authorized_keys file: this file lives in the user's home directory on the SSH server and holds the public keys of the users allowed to log into that user account on the SSH server.
For this, the first step is to generate a public/private key pair.
ssh-keygen -f mykey   # writes the private key to mykey and the public key to mykey.pub
cat mykey.pub         # copy this line into authorized_keys on the SSH server
To connect to the remote host using the authorized key:
ssh -i mykey user@10.0.0.1
Some Cool SSH Configuration Tweaks
Finally, here are some handy modifications you can make to the SSH client configuration on your system; they make it easier to use other penetration testing tools that rely on SSH.
Host 10.0.0.1
    Port 2222
    User ptm
    ForwardX11 yes
    DynamicForward 127.0.0.1:1080
    RemoteForward 80 127.0.0.1:8000
    LocalForward 1521 10.0.0.99:1521
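As an added example (not code from the original post), here is a small Python helper that reads a stanza like the one above, produces the equivalent one-off ssh command line (the two forms this post shows side by side for each technique) and flags forwards whose listen address is left implicit; the sample stanza and all function names are constructed for the illustration.

```python
SAMPLE_CONFIG = """
# constructed sample stanza in the style shown above, not a real host
Host 10.0.0.1
    Port 2222
    User ptm
    ForwardX11 yes
    DynamicForward 127.0.0.1:1080
    RemoteForward 80 127.0.0.1:8000
    LocalForward 1521 10.0.0.99:1521
"""
FORWARD_FLAGS = {"localforward": "-L", "remoteforward": "-R", "dynamicforward": "-D"}


def parse_ssh_config(text):
    """Map each Host stanza to its (keyword, value) pairs; assumes 'Keyword value' lines."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()          # drop comments and indentation
        if not line:
            continue
        key, value = line[0].lower(), " ".join(line[1:])
        if key == "host":
            current, hosts[value] = value, []
        elif current is not None:
            hosts[current].append((key, value))
    return hosts


def host_to_cmdline(host, options):
    """Translate a stanza into the equivalent one-off ssh command line."""
    args, user = ["ssh"], None
    for key, value in options:
        if key == "port":
            args += ["-p", value]
        elif key == "user":
            user = value
        elif key == "forwardx11" and value.lower() == "yes":
            args.append("-X")
        elif key in FORWARD_FLAGS:   # config: 'listen target'; CLI: 'listen:target'
            args += [FORWARD_FLAGS[key], value.replace(" ", ":")]
    args.append(f"{user}@{host}" if user else host)
    return args


def implicit_bind_forwards(options):
    """Forwards not pinned to loopback; bare ports rely on GatewayPorts staying off."""
    flagged = []
    for key, value in options:
        if key in FORWARD_FLAGS:
            bind = value.split(" ", 1)[0].rpartition(":")[0]   # '' for a bare port
            if bind not in ("127.0.0.1", "localhost", "[::1]"):
                flagged.append(f"{key} {value}")
    return flagged
```

Note that the stanza above leaves the RemoteForward and LocalForward bind addresses implicit, so those listeners stay on loopback only while GatewayPorts keeps its default of no on the respective side.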