SSH for Penetration Testing

SSH stands for Secure shell and works on Port 22 . As penetration testers we are aware of the uses and power of SSH on remote access of systems . During Penetration testing SSH might come handy as a powerful tool .

This post will explain some of the techniques that can be used during a penetration test .

Local Forwarding using SSH

Sometimes we come across scenarios where we need the services on the remote host accessible to the host via Local Network . Root is required .

ssh -L 127.0.0.1:10521:127.0.0.1:1521 user@192.168.1.10

~/.ssh/config:

LocalForward 127.0.0.1:10521 127.0.0.1:1521

 

Remote Forwarding using SSH 

Well this technique is complete opposite of the previous one . Remote forwarding on using SSH comes to rescue in those penetration testing scenarios where we need the services on a local machine / Local Network accessible to remote host via a remote listener . This might sound odd … why would I want my machine accessible on a remote host , but lets face it , we all need to expose a service that lets us download our penetration testing tools.

For the practical information here is an example :

The SSH server will be able to access TCP port 80 on SSH client by connecting to 127.0.0.1:8000 on the SSH Server .

ssh -R 127.0.0.1:8000:127.0.0.1:80 192.168.1.10

~/.ssh/config:

RemoteForward 127.0.0.1:8000 127.0.0.1:80

 

SOCKS Proxy using SSH

Here we set up a SOCKS Proxy on 127.0.0.1:8000 that lets you pivot through the Remote Host 192.168.1.10

 ssh -D 127.0.0.1:8000 192.168.1.10

~/.ssh/config:

Host 192.168.1.10
DynamicForward 127.0.0.1:8000

 

X11 Forwarding using SSH 

If your SSH client is also an X-Server then you can launch X-clients (e.g. Firefox) inside your SSH session and display them on your X-Server.  This works well with from Linux X-Servers and from cygwin‘s X-server on Windows.

SSH -X 10.0.0.1
SSH -Y 10.0.0.1 # less secure alternative - but faster

~/.ssh/config:

ForwardX11 yes
ForwardX11Trusted yes # less secure alternative - but faster

 

 

SSH Authorized Keys : 

SSH stands for Secure Shell … well to be secure , its always advisable to use Keys for encrypting the SSH communication . This helps to avoid unwanted hosts to take advantage of the penetration test and keep the penetration testing secure .

That being said , it is a good practice to add an authorized_keys file that will allow you to log in using an SSH key .

Authorized_keys File : This file is present in the User’s Home Directory on the SSH server .  This file basically holds the public keys of the users allowed to login into that user account of SSH Server .

For this the first step is to Generate PUBLIC KEY / PRIVATE KEY pairs .

sh-keygen -f mysshkey
cat mykey.pub # to copy this to authorized_keys

To connect to the Remote host using the authorized key :

ssh -i mykey user@10.0.0.1

 

Some Cool SSH Configuration Tweeks

Finally here are some cool modifications you can do to your SSH Client system , this will make it easier to use other penetration testing tools that are using SSH .

 

Host 10.0.0.1
Port 2222
User ptm
ForwardX11 yes
DynamicForward 127.0.0.1:1080
RemoteForward 80 127.0.0.1:8000
LocalForward 1521 10.0.0.99:1521

 

#Please Share and Comment if you like this Post . 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s