int0x80 edited this page Sep 28, 2016 · 8 revisions

Overview

I have set up a small test network of three Debian VMs and my attack VM.

  1. chicken (192.168.1.244)
  2. porkchop (192.168.1.243)
  3. steak (192.168.1.184)
  4. attackVM (192.168.1.134)

The steak VM has a web server with a simple PHP page that displays the visitor's IP address.

<html>
<body>
<p>Did you say steak?</p>
<p><?php echo $_SERVER['REMOTE_ADDR']; ?></p>
</body>
</html>

Direct

Browsing with no intermediary hops.

attackVM $ curl http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.134</p>
</body>
</html>

SOCKS Proxy

Hosts involved:

  • chicken (192.168.1.244)
  • attackVM (192.168.1.134)

This is a straightforward use of the ssh client's -D (dynamic port forwarding) flag, which starts a local SOCKS listener.

attackVM $ ssh -N -D 8282 tuna@192.168.1.244

Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:8282, since 8282 is the port we chose for the SOCKS listener with -D. Browse to steak and we'll see that our IP is now 192.168.1.244, meaning we've connected through chicken.

attackVM $ curl --socks5 127.0.0.1:8282 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.244</p>
</body>
</html>

SSH Proxy + Tunnel

Hosts involved:

  • chicken (192.168.1.244)
  • porkchop (192.168.1.243)
  • attackVM (192.168.1.134)

Now I'm going to use chicken as a staging server that has access to an "internal" server, porkchop. We'll establish an SSH connection from chicken to porkchop with its own SOCKS listener, then forward that SOCKS port back over the initial connection and use it to browse through porkchop from our attack VM.

attackVM $ ssh tuna@192.168.1.244
tuna@chicken:~$ ssh -N -D 8484 -p 4444 <user>@192.168.1.243

The SSH connection is now established between chicken and porkchop. Let's forward the SOCKS port 8484 to our attack VM.

attackVM $ ssh -N -L 127.0.0.1:44444:127.0.0.1:8484 tuna@192.168.1.244

Here we've forwarded the SOCKS listener on port 8484 of chicken to our local port 44444. Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:44444, since 44444 is the local port we chose for the forward with -L. Browse to steak and we'll see that our IP is now 192.168.1.243, meaning we've connected through porkchop.

attackVM $ curl --socks5 127.0.0.1:44444 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.243</p>
</body>
</html>
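Every tunnel on this page depends on sshd on chicken (and porkchop) permitting TCP forwarding. As an added example, not part of this wiki page, the Python below audits the global section of an sshd_config for the AllowTcpForwarding and PermitOpen directives that govern -D and -L, using constructed weak, hardened and restricted samples; it assumes OpenSSH defaults for unset keywords and ignores everything after the first Match line.

```python
from typing import Dict, List

# Constructed sample configs (not taken from the page's VMs).
WEAK = """# stock sshd_config: AllowTcpForwarding and PermitOpen left at defaults
Port 4444
PermitRootLogin no
"""
HARDENED = """# no client may open -D or -L tunnels through this host
AllowTcpForwarding no
"""
RESTRICTED = """# tunnels allowed, but they may only exit to one loopback service
AllowTcpForwarding local
PermitOpen 127.0.0.1:8484
"""

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Global-section directives: lower-cased keyword -> list of arguments."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()  # sshd accepts "Key value" or "Key=value"
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break  # directives after Match are conditional; assumption: ignore them
        conf.setdefault(key, args)  # sshd honours the first occurrence of a keyword
    return conf

def forwarding_findings(conf: Dict[str, List[str]]) -> List[str]:
    """Reasons a client of this sshd could build the -D / -L tunnels shown above."""
    findings: List[str] = []
    mode = conf.get("allowtcpforwarding", ["yes"])[0].lower()  # OpenSSH default: yes
    if mode in ("yes", "all", "local"):  # -D and -L are both "local" forwarding to sshd
        findings.append(f"AllowTcpForwarding {mode}: clients may open -D SOCKS and -L tunnels")
        dests = [d.lower() for d in conf.get("permitopen", ["any"])]  # default: any
        if "any" in dests:
            findings.append("PermitOpen any: tunnels may exit to any host:port")
        elif "none" not in dests:
            findings.append("PermitOpen limits tunnel exits to: " + " ".join(dests))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("restricted", RESTRICTED)):
        print(name, forwarding_findings(parse_sshd_config(text)) or ["no forwarding allowed"])
```

With the RESTRICTED settings on chicken, the -L forward to 127.0.0.1:8484 above still works, but a -D listener there could no longer reach arbitrary hosts such as steak.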