@zwned
Last active October 7, 2022 15:50
SSHenanigans.md

SSHenanigans

SSHenanigans! More than just a restaurant with goofy shit on the wall and mozzarella sticks.


Overview

  • SSH Tunnels
    • Local forwards
    • Remote forwards
    • Dynamic Forwards
    • VPN aka the redheaded stepchild
  • Tips n tricks

Realistically we only have 5 minutes, so grab me afterwards if something needs a bit more clarification. Call bullshit if you hear bullshit, and otherwise mock me.


```
Host *
  ServerAliveInterval 30
  ServerAliveCountMax 5
  # QUIET silences errors as well, including a forward that failed to bind; ERROR is a safer floor
  LogLevel QUIET
  IdentityFile ~/.ssh/zwned
  Compression yes
  User zwned
  ControlMaster auto
  # the directory has to exist and be yours alone: mkdir -m 700 ~/.ssh/controlsocks
  # (%C, a hash of the connection, keeps the path short if %r@%h:%p gets long)
  ControlPath ~/.ssh/controlsocks/%r@%h:%p
  # "yes" keeps the master open forever after the last session closes;
  # a duration such as 10m is the time limit talked about under ControlMaster below
  ControlPersist yes

Host VanHalen
  HostName 3.4.5.6
  Port 443

Host farmhouse
  HostName 1.2.3.4
  # hop through VanHalen: -W hands the raw TCP stream to this ssh, which then does its own end-to-end handshake
  ProxyCommand ssh VanHalen -W %h:%p
  LocalForward 3333 127.0.0.1:3333

Host LetsGetPhysical
  HostName 5.4.3.2
  ProxyCommand ssh VanHalen -W %h:%p
  DynamicForward 1080
  # "ReverseForward" is not an ssh_config keyword; the option is RemoteForward
  RemoteForward 42022 127.0.0.1:22
```

Local Forwards

Pull a port that only the remote side can reach down to your local machine.

You're SSH'd into a host that runs a database and you want to point the database tool on your own machine at it.

```
ssh -L [local_ip:]local_port:destination_ip:destination_port example.com
```

`destination_ip:destination_port` is resolved and connected to by example.com, not by you, so `127.0.0.1` there means example.com's own loopback. Leave `local_ip` off and the listener stays on your loopback. Add `-N` if you only want the tunnel and no shell.

Examples:

```
# listen on every local interface on 5433, hand connections to the postgres on example.com's loopback
ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
# loopback-only listener on 1433, onward to 1.2.3.4:1433 as seen from example.com
ssh -L 1433:1.2.3.4:1433 example.com
# listener on one specific local address only
ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
```

The listener has no authentication of its own: a `0.0.0.0` (or LAN address) bind lets anyone who can reach your box ride the tunnel with your credentials, so bind to loopback unless you mean to share it.

Remote Forwards

Shovel a local service up to the remote machine.

You deploy a network dropbox and want a host you control on the outside to be able to SSH back into the protected network through it.

```
ssh -R [remote_ip:]remote_port:destination_ip:destination_port example.com
```

This is the mirror image of `-L`: the listener opens on example.com, and `destination_ip:destination_port` is connected to from your side, so `127.0.0.1` there is the machine running ssh. By default sshd on example.com only lets the listener bind to loopback; binding it to another address needs `GatewayPorts yes` (or `clientspecified`) in its sshd_config.

Examples:

```
# example.com listens on 127.0.0.1:42022; whoever connects to it there lands on sshd (port 22) of the dropbox
# (same direction as the RemoteForward in the config above: high port on the remote, 22 is the local target)
ssh -R 42022:127.0.0.1:22 example.com
# bind the listener on a specific address of example.com; only works if its sshd has GatewayPorts enabled
ssh -R 1.2.3.4:443:127.0.0.1:443 example.com
```
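The dropbox scenario above is normally run unattended, so here is the shape it takes as a script. This is an added example, not code from the gist: it assumes the alias `example.com`, the listener port 42022 and the restricted authorized_keys entry described in its comments (the key material there is a placeholder), and `SSH_BIN`, `MAX_TRIES` and `RETRY_DELAY` are knobs introduced here so the redial loop can be exercised without a server.

```shell
#!/bin/sh
# Added example (not from the gist): a dropbox that keeps the reverse tunnel
# above alive. Assumed: the alias example.com, the listener port 42022, and
# that the key the dropbox presents is pinned down on example.com with an
# authorized_keys entry such as (placeholder key material):
#   restrict,port-forwarding,permitlisten="42022",command="/bin/false" ssh-ed25519 AAAA... dropbox
# "restrict" turns off pty, agent/X11 forwarding, ~/.ssh/rc and port
# forwarding; "port-forwarding" switches only forwarding back on;
# "permitlisten" caps what -R may bind (a bare port means any listen
# address on that port); "command" means the key never gets a shell.

CALLHOME="${CALLHOME:-example.com}"   # host or ~/.ssh/config alias to dial
REMOTE_PORT="${REMOTE_PORT:-42022}"    # port example.com will listen on
SSH_BIN="${SSH_BIN:-ssh}"              # swap for true/false to exercise the loop offline
MAX_TRIES="${MAX_TRIES:-0}"            # 0 = keep redialling forever
RETRY_DELAY="${RETRY_DELAY:-30}"       # seconds between attempts

# One attempt. -N: no shell, just the forward. ExitOnForwardFailure: if the
# far side cannot bind the port, ssh must die instead of sitting there
# connected-but-useless. Keepalives: a NAT that silently drops the session
# is noticed within ~90 s (30 s x 3) so the loop can redial. BatchMode:
# never hang on a prompt nobody will answer.
dial_once() {
    "$SSH_BIN" -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        -R "${REMOTE_PORT}:127.0.0.1:22" \
        "$CALLHOME"
}

# Redial on every failure. ATTEMPTS is left set for the caller. Returns 0
# when ssh exited cleanly (someone tore the session down on purpose) and 1
# once MAX_TRIES failed attempts are used up.
callhome() {
    ATTEMPTS=0
    while :; do
        ATTEMPTS=$((ATTEMPTS + 1))
        if dial_once; then
            return 0
        fi
        if [ "$MAX_TRIES" -gt 0 ] && [ "$ATTEMPTS" -ge "$MAX_TRIES" ]; then
            return 1
        fi
        sleep "$RETRY_DELAY"
    done
}

# Run as `sh callhome.sh start` on the dropbox (e.g. from cron @reboot);
# with no argument the file only defines the functions.
if [ "${1:-}" = "start" ]; then
    callhome
fi
```

On example.com you then reach the dropbox with `ssh -p 42022 user@127.0.0.1`. The authorized_keys options matter as much as the loop: a dropbox that gets picked up hands over nothing more than the one tunnel it already had, which is also the point of the authorized_keys item under Tips n Trix.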

Dynamic Forwards

Open a SOCKS proxy on your machine; everything you send through it leaves from the remote host, with the far end chosen per connection instead of fixed up front.

You want to watch BBC4 but you don't live in the UK.

```
ssh -D [local_ip:]local_port example.com
```

Example:

```
# SOCKS4/5 proxy on 127.0.0.1:8080, connections egress from example.com
ssh -D 8080 example.com
```

Point the client at it as SOCKS5 with remote name resolution (curl: `--socks5-hostname 127.0.0.1:8080` or a `socks5h://` proxy URL; Firefox: "Proxy DNS when using SOCKS v5"), otherwise the name lookups still happen from your own box and give the game away.

VPN

Sit on the same network as the remote machine.

Trying to perform limited layer 2 attacks against remote resources. Mind the caveats: `-w` gives you a layer-3 tun device unless both sides set `Tunnel ethernet` (then it is a tap and layer 2 is on the table); sshd needs `PermitTunnel yes`; creating the interfaces takes root on both ends; and ssh only creates the device, so you still assign addresses and bring the interface up on each side (plus routes or a bridge) yourself.

```
ssh -w local_tun_number:remote_tun_number example.com
```

Tips n Trix

  • Tunnels in tunnels in tunnels in tunnels
  • ControlMaster
  • rc files
  • authorized_keys

Tunnelception

We need to go deeper:

  • ProxyCommand (OG)

```
ssh -o ProxyCommand="ssh -W %h:%p jump_server" final_destination
```

  • ProxyJump (NKOTB, OpenSSH 7.3 and later; the ssh_config keyword is ProxyJump)

```
ssh -J jump_server final_destination
ssh -J jump_server1,jump_server2,jump_serverN final_destination
```

Either way the session is encrypted end to end with `final_destination`: the jump host only relays a TCP stream, but it does see where you are going and when.

ControlMaster

Tons of SSH tunnels take a lot of overhead. ControlMaster sockets can help, but not without introducing potential issues.

Rather than each new SSH connection to a server opening a new TCP connection and re-authenticating, you multiplex all of your sessions to that server through one master connection. Authentication happens once; every later ssh, scp or forward to the same user@host:port is a channel on the existing master, found via the ControlPath socket.

Anyone who can connect to that socket (write permission on the socket file plus search permission on the directory) gets your already-authenticated session: no key, no password, no MFA prompt. Keep the ControlPath directory mode 700 and yours alone, give ControlPersist a duration rather than `yes` so idle masters die on their own, and close the ones you're done with (`ssh -O exit host`).
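A check for that caveat, as an added example that is not code from the gist: it assumes the ControlPath directory is the `~/.ssh/controlsocks` from the config above (any other path can be passed as the first argument), and the `master_check`/`master_close` helper names are introduced here.

```shell
#!/bin/sh
# Added example (not from the gist): audit the ControlPath directory before
# trusting it. A connect() on a unix socket needs write permission on the
# socket file and search (x) permission on every directory above it, so
# the directory and every socket in it must be yours and yours alone.
# Default path is the ~/.ssh/controlsocks from the config above.

# Prints each finding and returns 1 if anything is wrong, 0 when clean.
audit_control_dir() {
    dir="$1"
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir  (create it with: mkdir -m 700 $dir)"
        return 1
    fi
    # numeric owner uid, and the group/other part of the mode string
    # (columns 5-10 of "drwx------ ...", expected "------")
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    dmode=$(ls -ld "$dir" | cut -c5-10)
    if [ "$owner" != "$(id -u)" ]; then
        echo "owner: $dir belongs to uid $owner, not you (uid $(id -u))"
        problems=$((problems + 1))
    fi
    if [ "$dmode" != "------" ]; then
        echo "mode: $dir is group/world accessible ($dmode); fix: chmod 700 $dir"
        problems=$((problems + 1))
    fi
    # every entry, dotfiles included: live sockets and anything stray
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        fmode=$(ls -ld "$f" | cut -c5-10)
        if [ "$fmode" != "------" ]; then
            echo "mode: $f is group/world accessible ($fmode); fix: chmod 600 $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Housekeeping for a master you no longer want: ask it, then tell it to go.
# Both need a real alias from ~/.ssh/config, so they are only defined here.
master_check() { ssh -O check "$1"; }
master_close() { ssh -O exit "$1"; }

# sh audit_controlsocks.sh [dir]   (defaults to the config's directory)
if [ -n "${1:-}" ]; then
    audit_control_dir "$1"
fi
```

Run it from cron or a shell hook if you keep masters around for long; the moment it reports a group- or world-accessible entry, assume the session behind that socket may already have been borrowed and `master_close` it.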

