SSH (22)

Pivoting

  • SSH port forwarding:
      ssh -L <listenport>:<targetip>:<targetport> <user>@<remotehost>
    If you jump over multiple hosts, always use the listening IP as well:
      ssh -L <listenip>:<listenport>:<targetip>:<targetport> <user>@<remotehost>
  • Reverse SSH port forwarding:
    Note that with the OpenSSH sshd server, the server's GatewayPorts option must be enabled (set to yes or clientspecified, e.g. GatewayPorts yes) in /etc/ssh/sshd_config on the server for this to work. Otherwise (the default value of this option is no), the server always binds the forwarded port to the loopback interface only.
    • Connect from local (attacker) to target:
        ssh -R <targetip>:<targetport>:<localhost>:<localport> <user>@<targetip>
    • On target:
        telnet <targetip> <targetport>
      -> forwards to attacker machine on port
  • SSH port forwarding on Windows (https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/):
    • Bind local port X on remote server Y port Z (reverse tunnel):
        plink.exe -R Z:127.0.0.1:X user@Y
  • UDP over SSH (https://superuser.com/questions/53103/udp-traffic-through-ssh-tunnel):
    • Establish SSH tunnel:
        ssh -N -L <tunnelport>:<serverip>:<tunnelport> <user>@<remotehost>
    • On the server:
        mkfifo /tmp/fifo
        nc -l -p <tunnelport> < /tmp/fifo | nc -u <targetip> <targetport> > /tmp/fifo
    • On the client:
        mkfifo /tmp/fifo
        nc -l -u -p <listenport/targetport> < /tmp/fifo | nc localhost <tunnelport> > /tmp/fifo
    • Connect client software to localhost:listenport
  • Control SSH socket:
    • Edit client configuration:
        echo "ControlPath /tmp/%r@%h:%p" >> /etc/ssh/ssh_config
        echo "ControlMaster auto" >> /etc/ssh/ssh_config
        echo "ControlPersist yes" >> /etc/ssh/ssh_config
    • Now connect to an existing socket:
        ssh -S /tmp/user@host:port %h
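
A defender's check for the two settings this section depends on, the server's GatewayPorts option and the client's control-socket options. This is an added example, not part of the original cheat sheet; the function names, the FINDING output format and the sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the sshd/ssh options the tunnels above depend on.
# Host/Match blocks are not evaluated here; on a live host, `sshd -T` and
# `ssh -G <host>` print the effective values instead.

# first_value FILE KEYWORD: OpenSSH uses the first value it obtains for a
# keyword; keywords are case-insensitive and "Key=value" is also accepted.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          n = split(line, f, /[ \t=]+/)
          if (n >= 2 && tolower(f[1]) == tolower(key)) {
              gsub(/"/, "", f[2]); print f[2]; exit } }' "$1"
}

audit_sshd() {   # server side: is forwarding allowed, and bound where
    gp=$(first_value "$1" GatewayPorts); gp=${gp:-no}
    fwd=$(first_value "$1" AllowTcpForwarding); fwd=${fwd:-yes}
    case $gp in yes|clientspecified)
        echo "FINDING GatewayPorts=$gp: -R listeners can bind non-loopback addresses";;
    esac
    [ "$fwd" = no ] || echo "FINDING AllowTcpForwarding=$fwd: port forwarding is permitted"
}

audit_ssh_client() {   # client side: reusable master sockets
    cpath=$(first_value "$1" ControlPath)
    cm=$(first_value "$1" ControlMaster); cm=${cm:-no}
    persist=$(first_value "$1" ControlPersist); persist=${persist:-no}
    case $cpath in /tmp/*|/var/tmp/*)
        echo "FINDING ControlPath=$cpath: socket in a directory writable by other users";;
    esac
    if [ "$cm" != no ] && [ "$persist" != no ]; then
        echo "FINDING ControlMaster=$cm ControlPersist=$persist: master outlives the login session"
    fi
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed' 'Port 22' 'gatewayports clientspecified' > "$demo_dir/sshd_config"
printf '%s\n' 'Host *' '  ControlPath /tmp/%r@%h:%p' '  ControlMaster auto' \
    '  ControlPersist yes' > "$demo_dir/ssh_config"
audit_sshd "$demo_dir/sshd_config"
audit_ssh_client "$demo_dir/ssh_config"
rm -rf "$demo_dir"
```

ssh_config(5) recommends placing ControlPath in a directory that is not writable by other users, which is why the /tmp path used above is flagged.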