zwned · October 7, 2022 15:50 · Oct 5, 2022 · Oct 5, 2022 · Oct 5, 2022 · Oct 5, 2022
diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -28,6 +28,10 @@ What it provides:
 * Tunneling
 * X11 and Authentication Agent Forwarding 
 
+```bash
+ssh [options] <destination> [command [args]]
+```
+
 Follow along:
 
 ```bash

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -210,6 +210,8 @@ Rather than each new SSH conneciton to a server opening up a new TCP socket, you
 
 If someone has read access to the socket ... they have access to your existing **authenticated** SSH connection. Set a timelimit on your ControlMaster sockets.
 
+ControlMaster controlpath tokens:
+
 ```bash
 %%	A literal ‘%’.
 %C	Hash of %l%h%p%r.

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -221,7 +221,7 @@ If someone has read access to the socket ... they have access to your existing *
 %n	The original remote hostname, as given on the command line.
 %p	The remote port.
 %r	The remote username.
-%T	The local tun(4) or tap(4) network interface assigned if tunnel forwarding was requested, or “NONE” otherwise.
+%T	The local tun(4) or tap(4) network interface assigned
 %u	The local username.
 ```
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -210,6 +210,21 @@ Rather than each new SSH conneciton to a server opening up a new TCP socket, you
 
 If someone has read access to the socket ... they have access to your existing **authenticated** SSH connection. Set a timelimit on your ControlMaster sockets.
 
+```bash
+%%	A literal ‘%’.
+%C	Hash of %l%h%p%r.
+%d	Local user’s home directory.
+%h	The remote hostname.
+%i	The local user ID.
+%L	The local hostname.
+%l	The local hostname, including the domain name.
+%n	The original remote hostname, as given on the command line.
+%p	The remote port.
+%r	The remote username.
+%T	The local tun(4) or tap(4) network interface assigned if tunnel forwarding was requested, or “NONE” otherwise.
+%u	The local username.
+```
+
 ---
 
 # RC files

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -1,7 +1,7 @@
 SSHenanigans
 =============
 
-SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozerella sticks.
+SSHenanigans! More than just a restaurant with goofy shit on the wall and mozerella sticks.
 
 ---
 
@@ -31,7 +31,7 @@ What it provides:
 Follow along:
 
 ```bash
-ssh -t ssh -t slides.tseivan.com join <SESSION_ID>
+ssh -t slides.tseivan.com join <SESSION_ID>
 ```
 
 ---

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -137,6 +137,11 @@ Use in conjunction with any socks enabled tool:
 * foxyproxy
 * proxifier
 
+Moar:
+```bash
+proxychains nmap -Pn -sT -p21,22,23,25,80,443 -v 1.2.3.4
+```
+
 ---
 
 # ~?

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -129,7 +129,7 @@ Example:
 
 ```bash
 # point local proxy tools to 127.0.0.1:8080
-ssh -D 8080
+ssh -D 8080 example.com
 ```
 
 Use in conjunction with any socks enabled tool:

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -75,7 +75,7 @@ Grab remote services down to your local machine
 > You're SSHd to a host with a database and you want to run your cool database app against the remote servers database
 
 ```bash
-ssh -L [local_ip]:<local_port>:<destination_ip>:<destination_port> example.com
+ssh -L [local_ip]:<local_port>:<destination_ip>:<destination_port> example.com [command]
 ```
 
 Examples:
@@ -101,7 +101,7 @@ Shovel local services to your remote machines
 > You deploy a network dropbox and you want to ensure a remote host can ssh into the protected network
 
 ```bash
-ssh -R [local_ip]:<local_port>:<destination_ip>:<destination_port> example.com
+ssh -R [local_ip]:<local_port>:<destination_ip>:<destination_port> example.com [command]
 ```
 
 Examples:
@@ -122,7 +122,7 @@ Create dynamic connections initiated from the remote host
 > You want to watch BBC4 but you dont live in the UK
 
 ```bash
-ssh –D [local_ip]:<local_port>
+ssh –D [local_ip]:<local_port> example.com [command]
 ```
 
 Example:

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -28,6 +28,8 @@ What it provides:
 * Tunneling
 * X11 and Authentication Agent Forwarding 
 
+Follow along:
+
 ```bash
 ssh -t ssh -t slides.tseivan.com join <SESSION_ID>
 ```

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -16,9 +16,13 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 
 # WTF is SSH?
 
+What it is:
+
 * Secure Network Protocol
 * Implementation Utilities
 
+What it provides:
+
 * Secure File Transfer
 * Remote System Management
 * Tunneling

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -14,6 +14,22 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 
 ---
 
+# WTF is SSH?
+
+* Secure Network Protocol
+* Implementation Utilities
+
+* Secure File Transfer
+* Remote System Management
+* Tunneling
+* X11 and Authentication Agent Forwarding 
+
+```bash
+ssh -t ssh -t slides.tseivan.com join <SESSION_ID>
+```
+
+---
+
 # Example SSH client configuration
 
 ```bash
@@ -200,6 +216,8 @@ Can exist in the following locations:
 
 ---
 
+# Example SSH client configuration
+
 ```bash
 Host *
   ServerAliveInterval 30

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -7,16 +7,11 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 
 # Overview
 
-* SSH Tunnels
-  * Local forwards
-  * Remote forwards
-  * Dynamic Forwards
-  * VPN aka the redheaded stepchild
-* Tips n tricks
-
 > Realistically we only have 5 minutes so get with me after if something needs a bit more clarification
 > Call bullshit if you hear bullshit and otherwise mock me
 
+> If you know something cool I didnt cover, awesome! Let me know!
+
 ---
 
 # Example SSH client configuration
@@ -165,15 +160,6 @@ ssh -w local_tuntap_number:remote_tuntap_number example.com
 
 ---
 
-# Tips n Trix
-
-* Tunnels in tunnels in tunnels in tunnels
-* ControlMaster
-* rc files
-* authorized_keys
-
----
-
 # Tunelception
 
 We need to go deeper:

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -140,6 +140,14 @@ Supported escape sequences:
  ~~   - send the escape character by typing it twice
 (Note that escapes are only recognized immediately after newline.)
  ```
+
+ ```bash
+ <enter>
+ <enter>
+ ~C
+ SSH> -L 8080:127.0.0.1:8080
+ SSH> -KD8088
+ ```
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -58,7 +58,7 @@ Grab remote services down to your local machine
 > You're SSHd to a host with a database and you want to run your cool database app against the remote servers database
 
 ```bash
-ssh -L local_ip:local_port:destination_ip:destination_port example.com
+ssh -L [local_ip]:<local_port>:<destination_ip>:<destination_port> example.com
 ```
 
 Examples:
@@ -84,7 +84,7 @@ Shovel local services to your remote machines
 > You deploy a network dropbox and you want to ensure a remote host can ssh into the protected network
 
 ```bash
-ssh -R local_ip:local_port:destination_ip:destination_port example.com
+ssh -R [local_ip]:<local_port>:<destination_ip>:<destination_port> example.com
 ```
 
 Examples:
@@ -105,7 +105,7 @@ Create dynamic connections initiated from the remote host
 > You want to watch BBC4 but you dont live in the UK
 
 ```bash
-ssh –D local_port
+ssh –D [local_ip]:<local_port>
 ```
 
 Example:

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -206,9 +206,33 @@ Can exist in the following locations:
 
 ---
 
-# authorized_keys
+```bash
+Host *
+  ServerAliveInterval 30
+  ServerAliveCountmax 5
+  LogLevel QUIET
+  IdentityFile ~/.ssh/zwned
+  Compression yes
+  User zwned
+  ControlMaster auto
+  ControlPath ~/.ssh/controlsocks/%r@%h:%p
+  ControlPersist yes
+
+Host VanHalen
+  HostName 3.4.5.6
+  Port 443
 
+Host farmhouse
+  HostName 1.2.3.4
+  ProxyCommand ssh VanHalen -W %h:%p
+  LocalForward 3333 127.0.0.1:3333
 
+Host LetsGetPhysical
+  HostName 5.4.3.2
+  ProxyCommand ssh VanHalen -W %h:%p
+  DynamicForward 1080
+  ReverseForward 42022 127.0.0.1:22
+```
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -64,13 +64,13 @@ ssh -L local_ip:local_port:destination_ip:destination_port example.com
 Examples:
 
 ```bash
-# 
+# Connect to example.com and expose remote postgres database to LAN
 ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
 
-#
+# Connect to example.com and bind remote MSSQL on 1.2.3.4 to 127.0.0.1:1433
 ssh -L 1433:1.2.3.4:1433 example.com
 
-#
+# Connect to example.com and expose development HTTPS locally (192.168.1.37 on port 8443)
 ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
 ```
 
@@ -90,10 +90,10 @@ ssh -R local_ip:local_port:destination_ip:destination_port example.com
 Examples:
 
 ```bash
-#
+# Bind local SSH service to remote host example.com port 42022 (listening locally)
 ssh -R 22:127.0.0.1:42022 example.com
 
-#
+# 1.2.3.4:443 will now be reachable to any interface on example.com (port 443)
 ssh -R 1.2.3.4:443:0.0.0.0:443 example.com
 ```
 ---
@@ -111,6 +111,7 @@ ssh –D local_port
 Example:
 
 ```bash
+# point local proxy tools to 127.0.0.1:8080
 ssh -D 8080
 ```
 
@@ -121,6 +122,27 @@ Use in conjunction with any socks enabled tool:
 
 ---
 
+# ~?
+
+```bash
+zwned@remote:~$
+zwned@remote:~$ ~?
+Supported escape sequences:
+ ~.   - terminate connection (and any multiplexed sessions)
+ ~B   - send a BREAK to the remote system
+ ~C   - open a command line
+ ~R   - request rekey
+ ~V/v - decrease/increase verbosity (LogLevel)
+ ~^Z  - suspend ssh
+ ~#   - list forwarded connections
+ ~&   - background ssh (when waiting for connections to terminate)
+ ~?   - this message
+ ~~   - send the escape character by typing it twice
+(Note that escapes are only recognized immediately after newline.)
+ ```
+
+---
+
 # VPN
 
 Sit on the same network as the remote machine

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -64,8 +64,13 @@ ssh -L local_ip:local_port:destination_ip:destination_port example.com
 Examples:
 
 ```bash
+# 
 ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
+
+#
 ssh -L 1433:1.2.3.4:1433 example.com
+
+#
 ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
 ```
 
@@ -85,7 +90,10 @@ ssh -R local_ip:local_port:destination_ip:destination_port example.com
 Examples:
 
 ```bash
+#
 ssh -R 22:127.0.0.1:42022 example.com
+
+#
 ssh -R 1.2.3.4:443:0.0.0.0:443 example.com
 ```
 ---

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -19,6 +19,8 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 
 ---
 
+# Example SSH client configuration
+
 ```bash
 Host *
   ServerAliveInterval 30

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -182,4 +182,7 @@ Can exist in the following locations:
 
 # References
 
-* https://github.com/ivantsepp/ssh-slides
+* https://github.com/ivantsepp/ssh-slides
+* The Black Magic of SSH / SSH Can Do That?
+  * https://vimeo.com/54505525
+* https://www.openssh.com/manual.html
diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -157,6 +157,26 @@ Rather than each new SSH conneciton to a server opening up a new TCP socket, you
 
 If someone has read access to the socket ... they have access to your existing **authenticated** SSH connection. Set a timelimit on your ControlMaster sockets.
 
+---
+
+# RC files
+
+For those lacking gray hair/gray beard, rc stands for "run commands". If present on the client, the client will issue commands serially after authenticating to the server as long as no options override its execution:
+
+* UseLogin is set
+* PermitUserRC is set to no
+* If ForceCommand is set
+* no-user-rc is present in authorized_keys on the remote host for the current authentication
+
+Can exist in the following locations:
+* /etc/ssh/sshrc (global for all users)
+* ~/.ssh/rc (evaluated on a per user basis)
+
+---
+
+# authorized_keys
+
+
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -103,6 +103,12 @@ Example:
 ```bash
 ssh -D 8080
 ```
+
+Use in conjunction with any socks enabled tool:
+* proxychains
+* foxyproxy
+* proxifier
+
 ---
 
 # VPN

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -18,6 +18,7 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 > Call bullshit if you hear bullshit and otherwise mock me
 
 ---
+
 ```bash
 Host *
   ServerAliveInterval 30
@@ -45,6 +46,7 @@ Host LetsGetPhysical
   DynamicForward 1080
   ReverseForward 42022 127.0.0.1:22
 ```
+
 ---
 
 # Local Forwards

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -18,7 +18,7 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 > Call bullshit if you hear bullshit and otherwise mock me
 
 ---
-
+```bash
 Host *
   ServerAliveInterval 30
   ServerAliveCountmax 5
@@ -44,7 +44,7 @@ Host LetsGetPhysical
   ProxyCommand ssh VanHalen -W %h:%p
   DynamicForward 1080
   ReverseForward 42022 127.0.0.1:22
-  
+```
 ---
 
 # Local Forwards

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -27,7 +27,8 @@ Host *
   Compression yes
   User zwned
   ControlMaster auto
-  ControlPath ~/.ssh/controlsocks/%h_%p
+  ControlPath ~/.ssh/controlsocks/%r@%h:%p
+  ControlPersist yes
 
 Host VanHalen
   HostName 3.4.5.6
@@ -122,7 +123,6 @@ ssh -w local_tuntap_number:remote_tuntap_number example.com
 * ControlMaster
 * rc files
 * authorized_keys
-* ssh config
 
 ---
 
@@ -139,6 +139,16 @@ ssh -o ProxyCommand="ssh -W %h:%p jump_server" final_destination
 ssh -J jump_server final_destination
 ssh -J jump_server1,jump_server2,jump_serverN final_destination
 ```
+---
+
+# ControlMaster
+
+Tons of SSH tunnels takes a lot of overhead - ControlMaster sockets can help but not without introducing potential issues.
+
+Rather than each new SSH conneciton to a server opening up a new TCP socket, you multiplex all of your SSH connections through one socket. The authentication happens once only. All subsequent connections are multiplexed with the existing ControlMaster socket.
+
+If someone has read access to the socket ... they have access to your existing **authenticated** SSH connection. Set a timelimit on your ControlMaster sockets.
+
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -7,17 +7,45 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 
 # Overview
 
-* Local forwards
-* Remote forwards
-* Dynamic Forwards
-* VPN?
-* Tips 'n' trix
+* SSH Tunnels
+  * Local forwards
+  * Remote forwards
+  * Dynamic Forwards
+  * VPN aka the redheaded stepchild
+* Tips n tricks
 
 > Realistically we only have 5 minutes so get with me after if something needs a bit more clarification
 > Call bullshit if you hear bullshit and otherwise mock me
 
 ---
 
+Host *
+  ServerAliveInterval 30
+  ServerAliveCountmax 5
+  LogLevel QUIET
+  IdentityFile ~/.ssh/zwned
+  Compression yes
+  User zwned
+  ControlMaster auto
+  ControlPath ~/.ssh/controlsocks/%h_%p
+
+Host VanHalen
+  HostName 3.4.5.6
+  Port 443
+
+Host farmhouse
+  HostName 1.2.3.4
+  ProxyCommand ssh VanHalen -W %h:%p
+  LocalForward 3333 127.0.0.1:3333
+
+Host LetsGetPhysical
+  HostName 5.4.3.2
+  ProxyCommand ssh VanHalen -W %h:%p
+  DynamicForward 1080
+  ReverseForward 42022 127.0.0.1:22
+
+---
+
 # Local Forwards
 
 Grab remote services down to your local machine
@@ -76,6 +104,16 @@ ssh -D 8080
 
 # VPN
 
+Sit on the same network as the remote machine
+
+> Trying to perform **limited** layer 2 attacks against remote resources
+
+```bash
+ssh -w local_tuntap_number:remote_tuntap_number example.com
+```
+
+* see: https://help.ubuntu.com/community/SSH_VPN
+
 ---
 
 # Tips n Trix
@@ -93,8 +131,14 @@ ssh -D 8080
 We need to go deeper:
 
 * ProxyCommand (OG)
+```bash
+ssh -o ProxyCommand="ssh -W %h:%p jump_server" final_destination
+```
 * ProxyJump (NKOTB)
-* SSH Config
+```bash
+ssh -J jump_server final_destination
+ssh -J jump_server1,jump_server2,jump_serverN final_destination
+```
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -22,12 +22,14 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 
 Grab remote services down to your local machine
 
-> ex: You're SSHd to a host with a database and you want to run your cool database app against the remote servers database
+> You're SSHd to a host with a database and you want to run your cool database app against the remote servers database
 
 ```bash
 ssh -L local_ip:local_port:destination_ip:destination_port example.com
 ```
 
+Examples:
+
 ```bash
 ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
 ssh -L 1433:1.2.3.4:1433 example.com
@@ -41,12 +43,14 @@ ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
 
 Shovel local services to your remote machines
 
-> ex: You deploy a network dropbox and you want to ensure a remote host can ssh into the protected network
+> You deploy a network dropbox and you want to ensure a remote host can ssh into the protected network
 
 ```bash
 ssh -R local_ip:local_port:destination_ip:destination_port example.com
 ```
 
+Examples:
+
 ```bash
 ssh -R 22:127.0.0.1:42022 example.com
 ssh -R 1.2.3.4:443:0.0.0.0:443 example.com
@@ -63,6 +67,8 @@ Create dynamic connections initiated from the remote host
 ssh –D local_port
 ```
 
+Example:
+
 ```bash
 ssh -D 8080
 ```

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -13,7 +13,8 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 * VPN?
 * Tips 'n' trix
 
-> Realistically we only have 5 minutes so get with me after if something needs a bit more clarification. Call bullshit if you hear bullshit and otherwise mock me
+> Realistically we only have 5 minutes so get with me after if something needs a bit more clarification
+> Call bullshit if you hear bullshit and otherwise mock me
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -13,7 +13,7 @@ SSHenanigans! More than just a resteraunt with goofy shit on the wall and mozere
 * VPN?
 * Tips 'n' trix
 
-> Realistically we only have 5 minutes so get with me after if something needs a bit more clarification
+> Realistically we only have 5 minutes so get with me after if something needs a bit more clarification. Call bullshit if you hear bullshit and otherwise mock me
 
 ---
 

diff --git a/SSHenanigans.md b/SSHenanigans.md
@@ -27,14 +27,11 @@ Grab remote services down to your local machine
 ssh -L local_ip:local_port:destination_ip:destination_port example.com
 ```
 
-
-               -L 5433:127.0.0.1:5432
-             ◄────────────────────────
-  ┌──────────┐                        ┌────────┐
-  │ attacker ├──────────────────────► │database│
-  └──────────┘    SSH                 └────────┘
-
-
+```bash
+ssh -L 0.0.0.0:5433:127.0.0.1:5432 example.com
+ssh -L 1433:1.2.3.4:1433 example.com
+ssh -L 192.168.1.37:8443:127.0.0.1:443 example.com
+```
 
 
 ---
@@ -43,10 +40,31 @@ ssh -L local_ip:local_port:destination_ip:destination_port example.com
 
 Shovel local services to your remote machines
 
+> ex: You deploy a network dropbox and you want to ensure a remote host can ssh into the protected network
+
+```bash
+ssh -R local_ip:local_port:destination_ip:destination_port example.com
+```
+
+```bash
+ssh -R 22:127.0.0.1:42022 example.com
+ssh -R 1.2.3.4:443:0.0.0.0:443 example.com
+```
 ---
 
 # Dynamic Forwards
 
+Create dynamic connections initiated from the remote host
+
+> You want to watch BBC4 but you dont live in the UK
+
+```bash
+ssh –D local_port
+```
+
+```bash
+ssh -D 8080
+```
 ---
 
 # VPN
No results found