SSHenanigans! More than just a restaurant with goofy shit on the wall and mozzarella sticks.
- SSH Tunnels
- Local forwards
- Remote forwards
- Dynamic Forwards
- VPN aka the redheaded stepchild
- Tips n tricks
Realistically we only have 5 minutes, so get with me after if something needs a bit more clarification. Call bullshit if you hear bullshit, and otherwise mock me.
Host *
    ServerAliveInterval 30
    ServerAliveCountMax 5
    LogLevel QUIET
    IdentityFile ~/.ssh/zwned
    Compression yes
    User zwned
    ControlMaster auto
    ControlPath ~/.ssh/controlsocks/%r@%h:%p
    # "yes" keeps the master socket open forever; a duration (e.g. 10m) is safer, see the ControlMaster tip below
    ControlPersist yes
Host VanHalen
    HostName 3.4.5.6
    Port 443
Host farmhouse
    HostName 1.2.3.4
    ProxyCommand ssh VanHalen -W %h:%p
    LocalForward 3333 127.0.0.1:3333
Host LetsGetPhysical
    HostName 5.4.3.2
    ProxyCommand ssh VanHalen -W %h:%p
    DynamicForward 1080
    # ssh_config has no "ReverseForward" keyword; the config equivalent of -R is RemoteForward
    RemoteForward 42022 127.0.0.1:22
Grab remote services down to your local machine
You're SSHd to a host with a database and you want to run your cool database app against the remote server's database
ssh -L local_ip:local_port:destination_ip:destination_port example.com
Examples:
ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
ssh -L 1433:1.2.3.4:1433 example.com
ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
Shovel local services to your remote machines
You deploy a network dropbox and you want to ensure a remote host can ssh into the protected network
ssh -R remote_ip:remote_port:destination_ip:destination_port example.com
Examples:
ssh -R 22:127.0.0.1:42022 example.com
ssh -R 1.2.3.4:443:0.0.0.0:443 example.com
Create dynamic connections initiated from the remote host
You want to watch BBC4 but you don't live in the UK
ssh -D local_port example.com
Example:
ssh -D 8080 example.com
Use in conjunction with any SOCKS-enabled tool:
- proxychains
- foxyproxy
- proxifier
Sit on the same network as the remote machine
Trying to perform limited layer 2 attacks against remote resources
ssh -w local_tuntap_number:remote_tuntap_number example.com
(-w needs PermitTunnel enabled in the server's sshd_config and root on both ends to create the tun devices; the default device is a layer-3 tun, -o Tunnel=ethernet gives you a tap for the layer 2 stuff)
- Tunnels in tunnels in tunnels in tunnels
- ControlMaster
- rc files
- authorized_keys
We need to go deeper:
- ProxyCommand (OG)
ssh -o ProxyCommand="ssh -W %h:%p jump_server" final_destination
- ProxyJump (NKOTB)
ssh -J jump_server final_destination
ssh -J jump_server1,jump_server2,jump_serverN final_destination
Tons of SSH tunnels take a lot of overhead; ControlMaster sockets can help, but not without introducing potential issues.
Rather than each new SSH connection to a server opening up a new TCP socket, you multiplex all of your SSH connections through one socket. The authentication happens once only. All subsequent connections are multiplexed over the existing ControlMaster socket.
If someone has read access to the socket ... they have access to your existing authenticated SSH connection. Set a time limit on your ControlMaster sockets (ControlPersist takes a duration such as 10m instead of yes).
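An added client-side audit for the two ControlMaster risks above (a socket dir someone else can read, and a master that never expires); this is example code written for this page, not from the talk. It assumes POSIX sh with GNU or BSD stat and find, and the socket dir and config path from the sample config are only defaults.

```shell
#!/bin/sh
# Added example, not from the talk: audit ControlMaster hygiene on the client.
# Assumes POSIX sh plus GNU or BSD stat/find; the paths used in the demo at
# the bottom are the ones from the sample config above and are only defaults.

# Return 0 if DIR exists, is owned by the current user and is mode 0700.
# Anyone else who can reach the socket can ride your authenticated session.
ctl_dir_ok() {
  dir=$1
  [ -d "$dir" ] || return 1
  mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
  owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
  [ "$mode" = "700" ] && [ "$owner" = "$(id -u)" ]
}

# Print every control socket under DIR whose mode is not 0600.
loose_sockets() {
  find "$1" -type s ! -perm 0600 2>/dev/null
}

# Flag "ControlPersist yes" (no time limit) in the ssh_config file CFG.
# Prints file:line for each hit; returns 1 if any were found, 0 otherwise.
persist_unbounded() {
  awk 'tolower($1) == "controlpersist" && tolower($2) == "yes" {
         found = 1; print FILENAME ":" NR ": " $0
       }
       END { exit found ? 1 : 0 }' "$1"
}

# Demo on the defaults from the sample config; nothing runs if they are absent.
SOCK_DIR=${SOCK_DIR:-$HOME/.ssh/controlsocks}
SSH_CFG=${SSH_CFG:-$HOME/.ssh/config}
if [ -d "$SOCK_DIR" ]; then
  ctl_dir_ok "$SOCK_DIR" || echo "WARN: $SOCK_DIR should be yours and mode 0700"
  loose_sockets "$SOCK_DIR" | sed 's/^/WARN: socket not 0600: /'
fi
if [ -f "$SSH_CFG" ]; then
  persist_unbounded "$SSH_CFG" | sed 's/^/WARN: unbounded ControlPersist at /'
fi
```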
For those lacking gray hair/gray beard, rc stands for "run commands". If present on the client, the client will issue the commands serially after authenticating to the server, as long as none of these override its execution:
- UseLogin is set
- PermitUserRC is set to no
- ForceCommand is set
- no-user-rc is present in authorized_keys on the remote host for the current authentication
Can exist in the following locations:
- /etc/ssh/sshrc (global for all users)
- ~/.ssh/rc (evaluated on a per user basis)
- https://github.com/ivantsepp/ssh-slides
- The Black Magic of SSH / SSH Can Do That?
- https://www.openssh.com/manual.html