SSH for Penetration Testing



SSH stands for Secure shell and works on Port 22 . As penetration testers we are aware of the uses and power of  on remote access of systems . During  SSH might come handy as a powerful tool .
This post will explain some of the techniques that can be used during a  .

Local Forwarding using SSH

Sometimes we come across scenarios where we need the services on the remote host accessible to the host via Local Network . Root is required .
ssh -L 127.0.0.1:10521:127.0.0.1:1521 user@192.168.1.10
~/.ssh/config:
LocalForward 127.0.0.1:10521 127.0.0.1:1521

Remote Forwarding using SSH 

Well this technique is complete opposite of the previous one . Remote forwarding on using SSH comes to rescue in those penetration testing scenarios where we need the services on a local machine / Local Network accessible to remote host via a remote listener . This might sound odd … why would I want my machine accessible on a remote host , but lets face it , we all need to expose a service that lets us download our .
For the practical information here is an example :
The SSH server will be able to access TCP port 80 on SSH client by connecting to 127.0.0.1:8000 on the SSH Server .
ssh -R 127.0.0.1:8000:127.0.0.1:80 192.168.1.10
~/.ssh/config:
RemoteForward 127.0.0.1:8000 127.0.0.1:80

SOCKS Proxy using SSH

Here we set up a SOCKS Proxy on 127.0.0.1:8000 that lets you pivot through the Remote Host 192.168.1.10
 ssh -D 127.0.0.1:8000 192.168.1.10
~/.ssh/config:
Host 192.168.1.10
DynamicForward 127.0.0.1:8000

X11 Forwarding using SSH 

If your SSH client is also an X-Server then you can launch X-clients (e.g. Firefox) inside your SSH session and display them on your X-Server.  This works well with from  X-Servers and from cygwin‘s X-server on Windows.
SSH -X 10.0.0.1
SSH -Y 10.0.0.1 # less secure alternative - but faster
~/.ssh/config:
ForwardX11 yes
ForwardX11Trusted yes # less secure alternative - but faster

SSH Authorized Keys : 

SSH stands for Secure Shell … well to be secure , its always advisable to use Keys for encrypting the SSH communication . This helps to avoid unwanted hosts to take advantage of the penetration test and keep the penetration testing secure .
That being said , it is a good practice to add an authorized_keys file that will allow you to log in using an SSH key .
Authorized_keys File : This file is present in the User’s Home Directory on the SSH server .  This file basically holds the public keys of the users allowed to login into that user account of SSH Server .
For this the first step is to Generate PUBLIC KEY / PRIVATE KEY pairs .
sh-keygen -f mysshkey
cat mykey.pub # to copy this to authorized_keys
To connect to the Remote host using the authorized key :
ssh -i mykey user@10.0.0.1
Some Cool SSH Configuration Tweeks
Finally here are some cool modifications you can do to your SSH Client system , this will make it easier to use other penetration testing tools that are using SSH .
Host 10.0.0.1
Port 2222
User ptm
ForwardX11 yes
DynamicForward 127.0.0.1:1080
RemoteForward 80 127.0.0.1:8000
LocalForward 1521 10.0.0.99:1521
#Please Share and Comment if you like this Post .