Great SSH shenanigans

This talk is going to be about all of the cool, offensively focused things you can do with SSH if you are a red teamer or a pentester and you don't have SSH in your toolbox already. Hopefully you'll see why you should have it in your toolbox and all the fun things you can do with it. If you're advanced, you've already been using SSH; hopefully there's a tip or a trick or two that you can pick up here as we go through all this.

So how is this talk going to go? We're going to start off with the basics, because you have to start at the beginning. Then we're going to look at all the interesting things you can do with port forwards: how you can use those to get past firewalls, hide your traffic, make it look like you're accessing systems from other systems, and a bunch of other cool things. Next we'll look at the configurations, so fun with the configs. SSH has a bunch of different ways you can modify its behavior and make it do things that users are probably not intending, and it leaks a bunch of information about what users are accessing, how they're accessing it, where they're accessing it from, etc. And lastly we'll look at stealing creds. SSH, as we'll see, has access to credential material, we would like to get access to that, and we'll show a couple of different successful strategies for doing so.

First, who am I? My name is Evan. I'm also syndrome on Twitter. I am the director of offense at a company called Grand Dory. I've been red teaming forever, I'm into CTFs, I do CCC, all that kind of stuff. So check me out. Let's get into it.

So, the basics. Starting off: what is SSH?
SSH stands for Secure Shell. It is a replacement for the original plaintext protocols telnet and rsh, which were both used to get shell access onto UNIX systems and administer those remotely. SSH can be used to refer to both the daemon and the client, so you will hear someone say "SSH to that box". That means that they used the SSH client to connect to a server that was running the SSH daemon, logged into it that way, got a prompt, and did whatever. The most common version of SSH that you're going to run into is OpenSSH. OpenSSH runs on pretty much everything now, and there are a few other ones, server and client, that we'll go over coming up.

Like I said, it's there to remotely administer systems. You can upload and download files, you can run commands on the shell, etc. And then SSH also provides encrypted channels, which are little tunnels that you can make in the SSH session. That lets you do port forwarding, which we'll see here in a minute, X11 forwarding, and getting your shell.

So why is SSH useful for an attacker? Really, SSH can be thought of as a Swiss army knife for red teams. It lets me accomplish anything I need to do with a system if I can get SSH access: I can download files, I can upload files, I can run commands, I can maintain access to a system.
I can configure the system such that it does things differently than the user is expecting. I can get credentials out of it. All of the things that I need to be able to do to get into systems and pivot around inside a network, and it's all encrypted by default for me.

So, the common SSH clients and tools that you'll run into. Like I said, on most UNIXes the common SSH implementation is OpenSSH. On embedded systems, sometimes you'll run into Dropbear, which is a very small implementation of SSH. The difference there is that some of the functionality we go over here might not work in Dropbear or in some of the other SSH servers. SSH.com actually has an SSH server too, and there are a few different ones, but most of the time you're going to run into OpenSSH, and most of this talk is geared towards that.

On Windows you can obviously drop into WSL or WSL 2 and then you're just at a Linux prompt, so you'll have the SSH client. There's a GUI called PuTTY, which is from way back when, and then there's Plink, which is the CLI implementation that uses the same SSH code under the hood that PuTTY is using. Additionally, on Windows 10 after 1809, OpenSSH is available in the Windows app store, so you can get the SSH server and the SSH client. And then lastly, another tool that's super common, which we're going to take a look at a little bit here, is Paramiko, a Python library that implements the entire SSH protocol, both client and server, in Python. It's super useful for writing scripts that either log into systems for you and do stuff or, as we'll see later, make a server.

Another reason SSH is super useful here: it's really simple to enumerate. By default SSH is on port 22; that's the port it has registered.
You can move it to different ports, but if the server was just installed with apt or whatever, it's on 22. Here you can just use netcat and grab the banner. It's a really simple banner up front: it tells you that it's SSH, that 2.0 is the version of the SSH protocol it's speaking, the software version (as you can see, this is an OpenSSH 8.3p1 server), and that it's running on a Debian system. So just with netcat I can tell what version of the SSH protocol the SSH daemon speaks, what version of SSH is installed, and the operating system.

There's even more stuff that you can figure out. With Nmap (there are a bunch of other tools that can do this, but lots of people use Nmap), when you run the discovery scripts it will do that banner grab for you, and it will also enumerate all the algorithms that the SSH server is using. SSH is a pretty old protocol, so you'll run into systems that have older, more insecure algorithms and potentially vulnerable SSH versions. There are some versions of SSH that are vulnerable to user enumeration and command injection and all sorts of stuff. So the fact that it is so easy to enumerate is pretty nice.

Continuing on with the basics: just running a command on the remote system. There are two strategies here. The first is that I'm going to connect to the remote system and request an interactive shell. The first command is just ssh, which launches the command line, then bob@ and the IP address, 10.10.10.10. So that's saying log in to 10.10.10.10 as the user bob. I cut out some stuff here; it'll prompt you for a password, and then you can just run commands interactively like you're sitting at a console on that system.
So here you can see you can run the command whoami and you see that you're bob. The other way to do this is to run a single command at a time, so I say ssh bob@10.10.10.10 whoami and it says bob. This is super useful if the system is being actively defended. Say one of the blue team, or someone, is actually on the system watching for connections and seeing who's logged in. They'd have to catch that and run their command while the whoami command, or whatever command you want to run, is running; this is just an example. They'd have to actually see that to see that you're logged in. This will still show up in all of the logs and everything, but if someone's just sitting there trying to see whether someone's actually logged in and watching for SSH processes to start, this gives you a little race where you can run your command, hopefully before they actually catch you doing whatever the thing is that you want to do.

As I said earlier, you can use SSH to copy files, so I can copy a file from my system to the remote system, or I can copy a file from the remote system to my system. There are two ways to do this. The first one that I've laid out here is scp, secure copy. In the first example here, I'm going to upload a file from my computer to the remote system. What that looks like is I do scp, the file that I want to copy up, and then, just like before, the username @ that system, and then I give it the path that I want to copy it to. So here I'm saying: in the user's home directory, in the bin folder, name my file not_malware. So I'm going to copy my malware up there and hopefully they won't catch it because I called it not_malware, and that is super secret and they will totally never be able to figure that out.

Next, say I want to download a file from the remote system. I've been looking around and I see that there is this /etc/secret_sauce that I'd like to get to my local system.
Just like before, it's source and destination, but now I want the source to be the file on the remote system and the destination to be the file on my system. So scp bob@ the remote system, then the path that the file is at, here /etc/secret_sauce, and then finally my loot folder. Every good hacker kid should have a loot folder, and I'm going to copy that secret_sauce into that folder. Additionally, with scp I can copy recursively. Say I just want to grab everything in that secret folder; I don't know what it is, I'll look at it later. I'm going to use the -r (recursive) flag to scp. So scp -r bob@10.10.10.10, the /etc/secret folder, down into my loot folder.

The next way you can copy files is with the sftp command, so secure FTP. This is actually a completely different part of the protocol for copying files; scp and sftp, while they accomplish the same thing, are doing different stuff under the hood. But functionally it's the same, and if you're familiar with FTP, hopefully this makes sense. You sftp as bob to 10.10.10.10, and in the first command I want to download a file, so I get that file: get /secret_sauce into my loot folder as secret_sauce. In the next example I want to upload a file. So sftp bob@10.10.10.10, and I put the malware from my artifacts folder; I'm just going to put it into not_malware. Once again, super secret, no one will ever catch that. Totally not malware, don't look at it, it's fine. And similar to scp, sftp has a recursive option for the get command: get -r /tmp/secret from the remote side, say that's a folder, and then I'm just going to download it into my tmp folder until I can figure out what to do with it. And you can see what happened there.
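Wrapping up the basics: the banner grab from earlier, turned into a small inventory script. This is an added example, not code from the talk; it parses the identification string a server sends (the same text netcat shows), notes the protocol version, the software version and the platform hint in the comment, and flags anything below a version baseline that is assumed here purely for illustration.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed banners for the example (not captured from any real host). A server's
# identification string is "SSH-protoversion-softwareversion [comment]" ending in CR LF;
# the client must skip any free-form lines that precede it.
SAMPLE_BANNERS = {
    "modern": "SSH-2.0-OpenSSH_8.3p1 Debian-1\r\n",
    "legacy": "Welcome to the jump box\r\nSSH-1.99-OpenSSH_4.3\r\n",
    "embedded": "SSH-2.0-dropbear_2019.78\r\n",
}

# Policy baseline assumed for this example; anything older is flagged for review.
MIN_OPENSSH = (8, 0)

_ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


@dataclass
class SshBanner:
    proto: str               # "2.0", or "1.99" when SSH-1 clients are also accepted
    software: str            # e.g. "OpenSSH_8.3p1"
    comment: Optional[str]   # e.g. "Debian-1": usually a distro/package hint


def parse_banner(raw: str) -> SshBanner:
    """Extract the identification string from raw banner text, skipping pre-ID lines."""
    for line in raw.split("\n"):
        m = _ID_RE.match(line.rstrip("\r"))
        if m:
            return SshBanner(m["proto"], m["software"], m["comment"])
    raise ValueError("no SSH identification string in banner")


def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """(major, minor) for OpenSSH software strings; None for other implementations."""
    m = _OPENSSH_RE.match(software)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(banner: SshBanner) -> List[str]:
    """Findings for an inventory report, derived only from what the banner states."""
    findings = []
    if banner.proto != "2.0":
        findings.append(f"protocol {banner.proto}: legacy SSH-1 support advertised")
    ver = openssh_version(banner.software)
    if ver is None:
        findings.append(f"non-OpenSSH server {banner.software}: check the vendor's advisories")
    elif ver < MIN_OPENSSH:
        findings.append(f"{banner.software} is below baseline OpenSSH_{MIN_OPENSSH[0]}.{MIN_OPENSSH[1]}")
    if banner.comment:
        findings.append(f"comment leaks platform hint: {banner.comment!r}")
    return findings


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server's greeting exactly as `nc host 22` would show it (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", errors="replace")


def inventory(banners: dict) -> dict:
    """Parse and assess each raw banner, keyed by label: label -> (SshBanner, findings)."""
    return {label: (parse_banner(raw), assess(parse_banner(raw))) for label, raw in banners.items()}
```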
So those are the basics. SSH lets you log into a remote system and get a shell on that system. If you want, you can run commands one at a time so you don't even have an interactive session, which makes it a lot harder to find. You can download files and you can upload files. Even that alone is super useful to an attacker, in and of itself, but let's move on to fun with port forwards, where we'll see the more advanced stuff you can do and how you can use SSH in your tool belt to get around common firewall setups and that kind of thing.

First we're going to look at local forwarding. In this scenario, I have access to the 10.10.10.10 system (hopefully that was enough tens), and I happen to know that it is sitting on a boundary. So in this slide I'm showing you that I have this box which I'm going to call my jump box, 10.10.10.10. You'll also hear this called a bounce node, and I'll probably go back and forth. I happen to know that this is sitting on a security boundary, and there are other systems back behind it that I'd like to get access to. I can use SSH to forward ports from my system through that system. It looks a little bit like this: port 8080 on my local system will jump through that 10.10.10.10 system and then point at one of the systems on the other side. All of that will go over the SSH tunnel, so that traffic is encrypted from my laptop to the jump box, and then it comes out of there and winds up over at the target system.

What that looks like on the command line is you use -L for local forward, and you tell it the port on your system that you want to listen on, the host that you want that connection to go to on the far side, and the port on that host that you would like to go to. So in practice what this looks like is ssh -L.
I want to listen on port 8080 on my laptop, and I want that traffic, when I go to port 8080, to go out the other side to 192.168.1.10 on port 80. Say there's a web server on that system that I'm trying to get access to. And then I'm logging in as bob to that bounce node, 10.10.10.10 (I should have used different IP addresses). And then, interestingly, here I'm giving it -N, which tells it not to request a shell, and then I'm going to background it. What that does is now I have 8080 listening, I can go on to my next command, and I didn't request a shell on the remote system. So once again, if there's a defender watching that system, trying to run a who or see who's logged into it, all they'll actually see is that there's an sshd process. It doesn't spawn a shell or anything, and then if they're really on the ball they'll look at netstat and see the network connection, but most of the time they just won't realize that there's somebody logged in. And like I said, that's backgrounded, so on my local system now I can point curl at localhost on port 8080. There's an HTTP server there that happens to be serving a file called secret that I need to get, and I get it, and it looks like I won.

That's super fun and all, being able to do a local forward, but I don't want to do that one by one by one through all of these systems on this network. Thankfully, the kind developers of OpenSSH thought of this. They implemented this thing called dynamic port forwarding. What this does is it lets me open up on my system a port that will forward over that SSH tunnel as either a SOCKS4 or SOCKS5 proxy, and then I'm essentially using that SSH server as a proxy server, and I can get to any of the systems behind that network as long as whatever I'm using speaks the SOCKS protocol. So if I use this proxy port, then I can proxy through this system and just get to any of the systems that are behind it
in the way this basic network example is laid out. And, kind of counter-intuitively, it's actually easier to do this than the single local forward, at least on the SSH side. All I'm doing here is -D for dynamic, and that does a dynamic forward. I'm telling it port 1080, the common SOCKS port, and then the same thing, bob@10.10.10.10 (I think I got that right this time). Super nice and easy: once I run that command I've successfully logged in and I now have a proxy server; I've turned that SSH system into a proxy server.

What I can do with that is point a web browser at that proxy server. For instance, in Firefox you go to Preferences, Network Settings, click the Manual proxy configuration button, and then set the SOCKS host. Here I've picked SOCKS v5, and then I just tell it my port, 1080. Now anything my browser tries to go to is going to forward over that SOCKS proxy and come out in that other network.

Additionally, I like to use proxychains. There are actually a couple of different tools to do this, but proxychains is the one that I know how to use, so it's pretty easy for me. You configure it to tell it where the proxy host is, and then you use the proxychains command. Here I'm just going to drop into a bash. What proxychains does is it hijacks the libc calls for socket operations and, for TCP operations, forwards them over that SOCKS proxy: it speaks the SOCKS protocol and forwards the traffic over. So anything in that bash session gets forwarded over that proxy. You can do one-off commands, but I like to drop into a bash here a lot because you can do curl, nmap, netcat and all that kind of stuff, if you use the right options, because nmap needs to be on layer two sometimes, depending on how you're trying to scan, but for TCP scans it's super useful.
So you've essentially just used that SSH host to bounce into a network that you probably didn't have access to, but thankfully you had access to that one SSH host and you got in.

The next way you can port forward is kind of the opposite of the local forward, which is the remote forward. Say I am sitting on my laptop and I would like a port on that SSH server to open up and forward back to my system. I'll do this with SSH a lot to get from a system out to the network and then be able to do all of that same forwarding and tunneling and stuff, just in the opposite direction. In this scenario I have to be on both systems: I'm on my laptop and I also have access to this system in the network. Say I'm trying to exfil some data or something; I can't get out because they're blocking the internet, but I have access to this system and I have access to my laptop. What I do is I ssh and set up a remote forward from here that says: hey, listen on 2222 here and forward that back to me on port 22, which is SSH. Then from this system I can just use any of those SSH commands, provided I have the ssh command line, and I can do stuff like copy files to the bounce host, but it's really forwarding to my laptop. So for anyone looking at the network traffic, nothing's actually going out over the firewall or anything; it's just traffic going to the bounce host, and then there's a secure connection from the bounce host to my laptop. So unless you're really on the ball, nothing looks like it's coming from this system to my laptop; it's routing through this other system.

What that looks like here is you use the -R option for remote. I'm going to tell it what port to listen on, the address that I want it to listen on, and then the host and port that I want it to forward to. So I say listen on 2222, open that up on any (0.0.0.0 is the any address), and then forward that
traffic back to me on port 22. I log in as bob to that 10.10.10.10, and I do -N again because I don't want to actually get a shell here. Importantly, to be able to do this listen on 0.0.0.0, the SSH server that I'm logging into, so 10.10.10.10, has to have GatewayPorts enabled, or else you won't be able to do this by default. Luckily it's a pretty easy change: you just update /etc/ssh/sshd_config. We'll look at config stuff a little bit later, but you can just change this GatewayPorts setting. It is no by default, but you just change it to yes and then you restart ssh. Your connection stays alive, everything keeps working, and then you can do this. And then from that system that's inside the network that can't get out, ssh to 10.10.10.10 on port 2222. So this -p tells it to go to a port other than the default. I log in, and I can either log in or copy files or do whatever I want.

An important thing to point out: if I'm on a system that I don't control and I ssh into my system, I am potentially giving up credentials or a password or something to my system. So be careful with this. Make sure that this system, and the user that they're logging into, is something that you're not too worried about, that the user is locked down, and that they can't get everything. Otherwise you're kind of letting them into your system and getting hacked yourself, and you do not want to be that person.

So that's cool, but it's a lot to type. Say I want to do this same scenario where I have a tunnel and I want to log in through my jump box or my bounce node and land over here. I would have to ssh to the bounce node, do a port forward to tell it to go over here, and then ssh to that port forward and go over here. That's a lot of work, and I'm a lazy hacker; I don't want to do that. Thankfully, the people that implement SSH are not lazy.
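On the GatewayPorts point above: the sshd_config settings this talk depends on (GatewayPorts yes, forwarding allowed, and later the permission check on authorized_keys that StrictModes controls) are exactly what a defender should be auditing for. This added example, not code from the talk, parses an sshd_config the way sshd reads it (first value for a keyword wins, Match blocks kept separate) and reports the settings that enable these tricks; the sample config is constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed /etc/ssh/sshd_config for the example; not copied from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
GatewayPorts yes
GatewayPorts no          # ignored: sshd keeps the first value it obtains
StrictModes no
Match User deploy
    AllowTcpForwarding no
Match Address 10.10.10.0/24
    GatewayPorts clientspecified
"""

# Values sshd applies when a keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "gatewayports": "no",
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "strictmodes": "yes",
    "permitrootlogin": "prohibit-password",
}

# (lower-case keyword, display name, values worth a finding, why a defender cares)
RISKY = [
    ("gatewayports", "GatewayPorts", {"yes", "clientspecified"},
     "remote forwards (-R) may listen on non-loopback addresses"),
    ("allowtcpforwarding", "AllowTcpForwarding", {"yes", "all", "local", "remote"},
     "clients can open -L/-R/-D tunnels through this host"),
    ("strictmodes", "StrictModes", {"no"},
     "ownership/permission checks on ~/.ssh and authorized_keys are skipped"),
    ("permitrootlogin", "PermitRootLogin", {"yes"},
     "root may log in with a password"),
    ("permittunnel", "PermitTunnel", {"yes", "point-to-point", "ethernet"},
     "layer-2/3 tun devices may be requested"),
]

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


@dataclass
class MatchBlock:
    criteria: str                                       # e.g. "User deploy"
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class SshdConfig:
    general: Dict[str, str] = field(default_factory=dict)
    matches: List[MatchBlock] = field(default_factory=list)


def parse_sshd_config(text: str) -> SshdConfig:
    """Parse keyword/value lines; Match blocks are kept apart from the general section."""
    cfg, block = SshdConfig(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE_RE.match(line) if line else None
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":
            block = MatchBlock(val)
            cfg.matches.append(block)
            continue
        target = cfg.general if block is None else block.options
        target.setdefault(key, val)   # first value wins, as in sshd
    return cfg


def effective(cfg: SshdConfig, keyword: str) -> Optional[str]:
    """General-section value of a keyword, or the OpenSSH default if it is not set."""
    k = keyword.lower()
    return cfg.general.get(k, DEFAULTS.get(k))


def audit_sshd_config(text: str) -> List[str]:
    """Report risky effective settings, including ones re-enabled inside Match blocks."""
    cfg, findings = parse_sshd_config(text), []
    for key, name, risky, why in RISKY:
        val = effective(cfg, key)
        if val is not None and val.lower() in risky:
            origin = "set" if key in cfg.general else "default"
            findings.append(f"{name} {val} ({origin}): {why}")
        for blk in cfg.matches:
            v = blk.options.get(key)
            if v is not None and v.lower() in risky:
                findings.append(f"Match {blk.criteria}: {name} {v}: {why}")
    return findings
```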
So they think of all of these things and have it done ahead of time. SSH has this cool option called ProxyCommand. ProxyCommand is the old way to do this, and they've since implemented a newer version, but ProxyCommand is still super useful and we'll see another use of it in just a second. What you do is you say -o for option, and you say ProxyCommand: I want my proxy command to be sshing to that remote system again, and then %h and %p get replaced with the system that you're trying to log into, so the remote host and the port. Like I said, this is kind of the old way to do it. The SSH developers were nice enough to realize that this is also a lot to type, so they made this thing called ProxyJump, which you use with -J. You tell it bob@ the bounce host, and this is essentially doing the same thing as the ProxyCommand. And then you're just logged in, and like we saw, you now have this set up where you're actually sshing through the bounce system to the target. Anybody monitoring this boundary for access to the target won't actually see that, because you're going through the bounce host and then to the target; you're not going straight to it. So that is a pretty useful way to get around some common network monitoring and pop through some boundaries. You can actually do some really cool stuff with this where you set up different jump boxes and have them go through different layers, and it gets pretty fun; you can do some pretty crazy stuff.

Like I said, though, that ProxyCommand is super interesting, and shout out to sub T for prompting me to look at this. Here I'm actually using a ProxyCommand to configure my SSH to use an HTTP proxy to get to wherever I'm trying to go. So I'll say that again.
I'm using a ProxyCommand to go through an HTTP proxy to get to where I'm trying to go, so anybody looking at this traffic is going to see a connection to an HTTP proxy and not even realize that I'm sshing through that proxy out to the other side. This is super useful when you're in a network that's very locked down and is only letting certain things through, and you have to use an HTTP proxy to get out, or if you just want to blend in.

Another thing that is very useful here: now I have all of these tunnels and this forwarding and all of this cool stuff that I want to set up, but SSH is a TCP protocol, so if anything happens to this connection, any of the routers time out or something weird happens, that connection will die. Maybe I want this tunnel to be set up to be really long-lived. How I accomplish this is with a tool called autossh. What I like to do with this is I set up autossh to log into my laptop and forward port 2222 on my laptop back to the host. I apologize, the arrow is backwards here, but it would actually forward from 2222 back to my host on 22 and funnel that traffic, so I connect here and it goes out here. So there's an autossh connection out, it sets up that remote port forward to come back, and if that connection dies, autossh will monitor that process and restart it for me. That effectively lets me maintain access to this, and I don't have to do anything once it's set up. And what that looks like is you use the autossh command.
It's just a tool that you can install. I'm giving it some options here, ServerAliveInterval and ServerAliveCountMax, so it'll wait 30 seconds and it'll try a maximum of three times. Then I'm telling it to remote forward 2222 to port 22 on my localhost, and then I log into my laptop, a.k.a. hackbox. Then on hackbox I can ssh -p 2222 and tell it bob, because that's the user that I have, at localhost, and that's actually going to go through that tunnel back in through the network, and then I'm just logged into that victim system. Once again, this is super cool because all someone monitoring this network would see is someone logging into a system remotely. So say you're here and this boundary is monitored: all you see is an SSH out. You don't actually see me tunneling back in, so it looks like someone who already has logged into this system just logged into something on the internet. And that is what happened, but then additionally I'm logging back into that system here, so I actually have shell access that they might not be wanting me to have.

So there's a bunch of fun stuff you can do with port forwarding, super useful for crossing those security boundaries and getting into networks that you're not necessarily supposed to have access to. With autossh you can maintain that access, and if you get creative with it you can jump around and get to a bunch of different network segments and really make it confusing with all the port forwarding. You can make it look like someone's connecting from a different system, as long as you have access to connect all the way through. So someone that's trying to trace that back through network logs or system logs is going to have a rough time, because you're essentially using a proxy to get through a bunch of stuff, and you can proxy, proxy, proxy and jump around. Good clean fun to be had by all.

So, configuration. What we're going to talk about here is a bunch of different ways that you can configure SSH to do things
that are kind of unexpected, or just interesting configurations that are useful in operations, in the process of doing things.

First up, I want to point out that we have these escape sequences. If I've ssh'd into a system and I have an interactive shell, SSH actually has this kind of hidden shell where you send a special character sequence. It's like a cheat code, almost, and it gives me all of this functionality. What I did here is, from my prompt, I typed newline, tilde, question mark, in quick succession without anything else going on, and that's showing me the help for this escape sequence prompt. Probably the most useful one, the one I use all the time, is the terminate connection. If something messes up with that SSH session and my shell is hung and I can't get it to work anymore, instead of having to drop into another prompt and find the ssh process and kill it, you can just type newline, tilde, dot and it kills the SSH session. Also super useful if your friends let you sit at a prompt for their ssh and you want to mess with them: just do that real quick.

The other one that is super useful here is the command line, and that's the capital C. Why is this useful? You already saw you can just do this from the command line, right? You can ssh -L and open up the port, or -R and open up the port, and all that kind of stuff. So this is one of those things that's really useful, but not very often. The most use I have gotten out of this is when I have access to SSH on a system, someone's actively trying to defend it, and they've changed the password on me or gotten rid of my SSH key (which we'll see here in a minute), or whatever.
I can't log back into that SSH session, so I can't log out to set up a port forward, but I want to port forward through that system because I still have access and they haven't noticed that my actual shell exists; they just noticed that the account was compromised. So I can still scan the network and do a bunch of stuff from there. I just need to be able to change some of the port configs, and I can't log out and log back in. That is when this is the most useful. Just like all of the other commands, -L, -R and -D let you set up all of those port forwards, and then it's -KL to cancel them, or kill them. Once again, super useful; keep it in your back pocket. It's not really common that I run into this, but when I have needed it, it was invaluable.

So I talked a little bit about authorized keys there. One of the things you can do with SSH: trying to log in and put your username and your password in all the time isn't very much fun. It's also kind of insecure, and we'll see a little bit later why that is pretty insecure. So SSH came up with this concept of an authorized key. This is just public key cryptography.
I generate a public/private key pair. I put the public key on the remote system that I want to log into, in a configuration file, and say: anyone that has the private key for this public key is allowed to log in. This is very, very useful when you run into SSH, for a couple of different reasons. One is, if you can get access to someone's private key, you can log into any of the systems they log into as them. Because of that, you're generally prompted to put a password in to password-protect that private key, so when you try to use it you have to decrypt the private key before you can use it. Most of the time, or still a lot of the time, sadly, people that are generating these keys just hit enter twice and then you get a private key that is not protected. And by sadly, I mean awesomely, because it's great, and you find this all the time.

Where that file is stored: generally there are two places. The SSH stuff is either in /etc/ssh, which is the global configuration, or, where we're looking at it here, in the user's configuration, which is the .ssh folder in their home directory. So here specifically this is in root's home directory. We've generated a key pair; the default for RSA keys is just id_rsa, and then you'll have id_rsa.pub. If you copy that id_rsa.pub into the .ssh/authorized_keys file for any user, you can log in to that user account without a password. So this is also super useful in the case where I land on a system and I don't know the user's password, so I can't change their password, but I'd like to be able to ssh in as them. I can add this key, and then I can ssh into that account as them and have a full pty shell that lets me do all of the things you would do with a full pty shell: edit files, run stuff, all that kind of thing. Essentially this lets you maintain access.
I don't need to know the user's password as long as that file exists. So this is also super useful for Hack The Box style challenges where you get a webshell, or just if you have a webshell as a user and you want to upgrade to that user-level access: if you have the ability to write to this file, then you just add an SSH key in here and you can log in. SSH by default will check the permissions of that file and not use it if they aren't correct, but sometimes it is configured to not do that, so it's always worth checking. The meta here is that it's always worth looking in the .ssh folder, because there is a bunch of different stuff in there, and we'll see more of that coming up.

Next is the known_hosts file. This file is a list of all the systems that a user has logged into. For anybody familiar with SSH, when you ssh out to a system for the first time, it'll say: hey, I don't recognize this system, this is its public key, do you accept this? When you do that, it saves that into this file called known_hosts. That known_hosts file has one entry per line, and each entry has the IP address or the hostname and then the public key information. So this is super useful: if I can see this, and I'm the user, say I now have access to their unencrypted private key, then I also have access to all of the IP addresses that they're logging into. It's a pretty easy way to pivot around the network and find other systems that I have access to.

The next file here that is super interesting is the ssh config. All of that stuff that we've been going over, all of the port forwards, all of the different things, are super great, but typing all of that is horrible and I'm a lazy hacker. Once again, the SSH developers know that, I guess, and they came up with a solution for it.
So that's this ssh config. Like most of the other SSH stuff, the default, or kind of system-wide, configuration is in /etc/ssh, and then the user configuration is in .ssh in the user's home directory. That config file looks like this. So here someone has set up a host called bounce; the username is bob; they're logging into 10.10.10.10. They would like to do a local forward of port 8080 to 192.168.1.10:80. They're going to do a dynamic forward on 1080, and they're going to do a remote forward of 8080 to 192.168.1.10:80. On the command line, you can just do ssh bounce, and then all of those configs will get set on the command line. You don't have to do anything at all anymore; it's just ssh bounce. It'll tab complete if you have bash completion. Super awesome.

When you land on a system, if you have access to this config file, this is another way to find systems that people are logging into, because they'll have a bunch of configs like this for easy-mode accessing the systems that they access, and you can see: okay, so this bob guy has access to 10.10.10.10 and likes to check out these other systems on these ports. So that's something I can try to do.

Another fun thing you can do with ssh config is get it to do stuff that people are not intending. So let's say in this scenario, I know that bob is SSHing from the server that he's on, 10.10.10.10, to that system that he has internally. Every time he does that, I would like to get a shell back to me on 4141 from his system. With ssh config I can do that. So here I configure, say, on his server; for some reason I have access to his ssh config.
I'm going to go ahead, and I like to set this up for all hosts. By default, you're not permitted to run a local command, but luckily in the config file you can just tell it to let you do that. And what I'm going to do here is tell it the local command is to netcat me a /bin/bash shell to my IP address on my listener, and background it, and then do whatever else bob was trying to do. So every time bob logs into a host, it will spin a shell back to me and I'll get access to his system. So say my shells keep dying, or I just want to kind of maintain access, and it's super easy.

Wait, wait, wait. Another config file that is super awesome is this run commands file, or rc file. This similarly has the /etc version or the user version. But what this does is it runs a command when the user is logging in, right before it drops them to a shell. So back to our scenario: say I'm actually on this far system, and now I want a shell to come back to me every time somebody logs in. So when somebody logs into this system, it sends me a shell. What that looks like here is I just put this simple netcat listener, roughly just like the other one. In this I say netcat, spit a shell back to me on my listener IP address, port 4141, and then background, and go ahead and keep doing whatever it is that people want to do. So I encourage people to look at the config files.
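Both config tricks above (a LocalCommand under Host * with PermitLocalCommand enabled, and the per-login rc file) leave a footprint in files that are easy to audit. The following is an added example written for this page, not code from the talk or from OpenSSH: it parses an ssh_config into Host/Match blocks, lists the forwards each block sets up (the bounce block is reconstructed from the talk's description), and flags every option that makes the client execute something, rating it high when it sits under a wildcard pattern and so fires on every connection. The sample config is constructed and its LocalCommand value is a harmless placeholder.

```python
import re

# Constructed sample ssh_config (not the talk's slide): the benign "bounce"
# block with the forwards the talk describes, followed by a wildcard block
# of the kind the talk says an intruder could plant.
SAMPLE_SSH_CONFIG = """\
Host bounce
    HostName 10.10.10.10
    User bob
    LocalForward 8080 192.168.1.10:80
    DynamicForward 1080
    RemoteForward 8080 192.168.1.10:80

Host *
    PermitLocalCommand yes
    LocalCommand logger "planted-command-placeholder"
"""

# Options that make the ssh client run a command or replace the connection
# path. Each is legitimate on a specific host; a wildcard block is the
# place to look.
EXEC_OPTIONS = ("localcommand", "permitlocalcommand", "proxycommand", "remotecommand")
FORWARD_OPTIONS = ("localforward", "remoteforward", "dynamicforward")


def parse_ssh_config(text: str):
    """Split ssh_config into (patterns, options) blocks. Options before any
    Host/Match line go under pattern '*' since they apply everywhere. Keys
    are lower-cased because OpenSSH matches them case-insensitively.
    Assumption: option values contain no '#' character."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # "Key Value" or "Key=Value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            if options:
                blocks.append((patterns, options))
            patterns = value.split() if key == "host" else ["match " + value]
            options = {}
        else:
            options.setdefault(key, []).append(value)
    if options:
        blocks.append((patterns, options))
    return blocks


def list_forwards(text: str):
    """Per block, the port forwards it configures: what a reader of the file
    learns about where the user goes and what they reach through it."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        fwds = [(k, v) for k in FORWARD_OPTIONS for v in options.get(k, [])]
        if fwds:
            result[" ".join(patterns)] = fwds
    return result


def audit_ssh_config(text: str):
    """Findings as (severity, pattern, option, value). A '*' or '?' in the
    pattern means the command runs for every connection, which is the
    persistence behaviour the talk describes, so it is rated high."""
    findings = []
    for patterns, options in parse_ssh_config(text):
        wildcard = any("*" in p or "?" in p for p in patterns)
        for key in EXEC_OPTIONS:
            for value in options.get(key, []):
                findings.append(("high" if wildcard else "medium",
                                 " ".join(patterns), key, value))
    return findings


if __name__ == "__main__":
    for host, fwds in list_forwards(SAMPLE_SSH_CONFIG).items():
        print(host, fwds)
    for finding in audit_ssh_config(SAMPLE_SSH_CONFIG):
        print(*finding)
```

Run audit_ssh_config over /etc/ssh/ssh_config and every ~/.ssh/config; the rc files (/etc/ssh/sshrc and ~/.ssh/rc) have no structure to parse, so for those the check is simply that they do not exist or contain only what the administrator put there.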
There's a ton more things you can do in there. These are kind of simplified versions for slides and to demonstrate the point. With the config files and the port forwarding, you can really get yourself into some pretty nifty scenarios with that ProxyJump or ProxyCommand config option, and it also goes in the config file. With those you can set up really intricate port forwards and get through all sorts of different interesting things and, like I was saying before, really kind of wreak havoc on networks, and for someone trying to trace stuff back.

Now let's look at a couple of different ways that I've successfully gotten creds out of SSH. The first one being, say I'm on a system and I know someone is logging into other systems. I see their ssh config, but I don't have their private key. They're not even using private keys; I just know they're using passwords. So I want to be able to get to that system that they're getting to, but I need to get that somehow. So a thing I like to do is I create a little shell script here that's in their PATH before the normal ssh command. So the ssh command by default is in /usr/bin/ssh. Here I'm making a shell script called /usr/local/bin/ssh that prompts the user for a password again, and then writes that password to a temp file, and then just SSHes for them. So what that looks like, and I'm sure people that are used to SSH know this, is you SSH out, it asks you for your password, you typoed it, it just asks you for your password again, you typed it right, you're good to go, and then eventually you exit. And you can see here, in the temp creds file, I've now stolen that super secret password, and I have bob's password for 192.168.1.10. You may be able to pivot and kind of be on to the next thing. Additionally, let's say the other way is true.
Someone's SSHing into a server that I have access to, and I want to see what their password is. Here I use the debug tool called strace, which just looks at all of the system calls that happen in the binary. So I find the sshd process, I attach strace to that sshd process, and I tell it to just show me the reads, because I know how the SSH daemon works. I know that when you connect into it, it sends you a prompt and then reads your password from you. So here I'm telling it to just show me all of the reads, and there are a lot of reads, so I've gone ahead and grepped them for this magic string that happens right before the password, just as part of the protocol. And here you can see I've stolen this password of "super secret" from someone when they're logging into SSH.

Another really fun one here is using Paramiko to create your own SSH server. So this is kind of the most basic example of this that I can show and make it actually fit in a slide and be useful. But the idea here is, say I'm on a server and it's not running SSH, but I know someone is trying to log in. I need to speak enough of the SSH protocol to get them to give me their password, but I don't necessarily want to let them log in, because I don't know what they're trying to do, and I don't want to implement the entirety of all of SSH. So let's kind of run through this Python code a little bit. What I'm going to do here, for this line here, I'm going to go ahead and create a TCP socket. I'm going to bind on 22, so this means I have to have access to open those non-ephemeral ports. I'm going to listen for one connection, and then accept that connection.
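Both credential-capture methods just described are visible from the host: a wrapper named ssh only works if it resolves ahead of /usr/bin/ssh in PATH, and a tracer attached to sshd shows up as a non-zero TracerPid in /proc/PID/status. The following is an added example written for this page, not code from the talk: it walks PATH the way the shell does and reports any copy of ssh that shadows the expected binary (and whether it is a script rather than a native executable), and it parses the TracerPid line. The PATH layout, file contents and status excerpt are constructed; the exists callable is injectable so the same functions run against the real filesystem.

```python
import os
import posixpath

# Constructed samples (not from the talk): a PATH in which a script named ssh
# sits ahead of the real client, and a /proc/<pid>/status excerpt for an sshd
# that has a tracer attached.
SAMPLE_PATH = "/usr/local/bin:/usr/bin:/bin"
SAMPLE_FILES = {
    "/usr/local/bin/ssh": b"#!/bin/bash\n# constructed wrapper placeholder\n",
    "/usr/bin/ssh": b"\x7fELF\x02\x01\x01",
}
SAMPLE_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t1\nTracerPid:\t4321\n"


def resolve_in_path(name, path_env, exists=os.path.isfile):
    """Return the path the shell would execute for `name`, walking PATH in
    order. `exists` is injectable so the check can run on a constructed layout."""
    for directory in path_env.split(":"):
        candidate = posixpath.join(directory, name)
        if exists(candidate):
            return candidate
    return None


def shadowing_copies(name, path_env, expected, exists=os.path.isfile):
    """Every file named `name` that PATH resolves before the expected binary;
    the same information as the first lines of `type -a name` in a shell."""
    found = []
    for directory in path_env.split(":"):
        candidate = posixpath.join(directory, name)
        if candidate == expected:
            break
        if exists(candidate):
            found.append(candidate)
    return found


def is_script(first_bytes: bytes) -> bool:
    """The real OpenSSH client is a native executable; a shim that re-prompts
    for the password and then execs ssh is usually a '#!' script."""
    return first_bytes.startswith(b"#!")


def tracer_pid(status_text: str) -> int:
    """TracerPid from /proc/<pid>/status. Non-zero means something such as
    strace or gdb is attached; an untraced process reports 0."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("no TracerPid line in status text")


def audit_sample():
    """Run both checks over the constructed samples and return the findings."""
    def exists(path):
        return path in SAMPLE_FILES
    first = resolve_in_path("ssh", SAMPLE_PATH, exists)
    return {
        "resolved": first,
        "shadows": shadowing_copies("ssh", SAMPLE_PATH, "/usr/bin/ssh", exists),
        "resolved_is_script": is_script(SAMPLE_FILES[first][:2]),
        "sshd_tracer_pid": tracer_pid(SAMPLE_STATUS),
    }


if __name__ == "__main__":
    print(audit_sample())
    # Read-only live check: which ssh this shell would actually run.
    print("live ssh:", resolve_in_path("ssh", os.environ.get("PATH", "")))
```

On a live host the second check is a loop over /proc/*/status for processes named sshd; any TracerPid other than 0 on a daemon that nobody is debugging deserves a look at the tracing process and the account it runs as.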
So once I've got a connection, I let myself know, hey, someone from this address has connected to me. Then I'm going to take advantage of Paramiko, and I'm going to create what they call a transport in the Paramiko implementation. With that transport I'm going to go ahead and add a server with the Paramiko RSA key. So I have just a test key. Like I said before, when you SSH out and it says I don't recognize this, here's the public key, this is going to be that key that it gives them. So this is one chance that they could detect this. So if they're trying to SSH in and it's a key that they don't recognize, you should just say no, unless you know that there's a key that you should be seeing. But most people just say yes, because they assume it's a server they haven't seen. And then I'm going to go ahead and start it with my server, tell it to just serve, and then accept the connection.

So what this looks like here is, this now uses my server. They connect in, the SSH protocol does its negotiation and says the only thing I can do is password authentication, so they'll get a password prompt from the client, because it knows how to speak enough of the protocol, and then they'll send me the username and password to my SSH server. And the Paramiko server will call this check_auth with the username and password that it got. I can say, hey, cool, check it out, I got a username and password, and then tell it, no, that's not a valid username and password. So from the user's point of view, they tried to SSH in, the SSH failed, they don't know why it is, they don't know what this box is anyway, it's not supposed to be on the network. So kind of ignore this "connect back shell" bit; that's not what's actually happening. I'm actually starting an SSH server here.
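The one detection opportunity the talk points at is the host key prompt: a server you have connected to before is pinned in known_hosts, so a rogue server with its own test key shows up as a changed key, and a first-time prompt is the moment to compare the fingerprint against the one published by the administrator. The following is an added example, not code from the talk or from OpenSSH: it encodes an ssh-rsa public key in wire format, computes the SHA256 fingerprint exactly as OpenSSH prints it, and classifies a presented key against a known_hosts file as match, mismatch or unknown. The keys use tiny constructed moduli so the example runs offline; they are not real keys.

```python
import base64
import hashlib
import struct


def _string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n.
    This blob is what sits base64-encoded in known_hosts and in *.pub files."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """The fingerprint shown in the 'are you sure' prompt and by ssh-keygen -lf:
    'SHA256:' plus unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_from_line(line: str) -> str:
    """Fingerprint of a public-key line such as the content of ssh_host_rsa_key.pub."""
    blob_b64 = line.split()[1]
    return fingerprint_sha256(base64.b64decode(blob_b64))


def host_key_matches(known_hosts_text: str, host: str, presented: bytes) -> str:
    """'match' if the presented key is pinned for host, 'mismatch' if the host
    is pinned with a different key (stop and investigate), 'unknown' if the
    host was never seen (the prompt the talk relies on users answering yes to).
    Assumption: plain, non-hashed hostname fields."""
    seen = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):          # skip @cert-authority / @revoked marker
            parts = parts[1:]
        if host not in parts[0].split(","):
            continue
        seen = True
        if base64.b64decode(parts[2]) == presented:
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample keys: tiny moduli so the example is self-contained. They
# are not real keys and no SSH implementation would accept them.
PINNED_BLOB = rsa_public_blob(65537, 0xC0FFEE_1234_5678_9ABC_DEF0_1357)
ROGUE_BLOB = rsa_public_blob(65537, 0xDEAD_BEEF_0BAD_F00D_1234_5678)
KNOWN_HOSTS = "10.10.10.10 ssh-rsa " + base64.b64encode(PINNED_BLOB).decode() + " pinned\n"

if __name__ == "__main__":
    print("pinned   :", fingerprint_sha256(PINNED_BLOB))
    print("presented:", fingerprint_sha256(ROGUE_BLOB))
    print("verdict  :", host_key_matches(KNOWN_HOSTS, "10.10.10.10", ROGUE_BLOB))
```

The client-side equivalent is StrictHostKeyChecking yes, which turns the unknown case into a refusal instead of a prompt, combined with distributing the real host fingerprints (ssh-keygen -lf on the server's ssh_host_*.pub files) so that a first-time prompt can actually be checked rather than accepted on trust.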
So I start my super secret awesome SSH server, just with Python. It tells me, hey, I got a connection from here, and then, hey, that connection sent me bob as the username and sent me bob's super secret password. So I now have that password, I know where they came from, I can probably try to log into that and see if I can pivot from there, or use that credential somewhere else on the network.

So that is kind of an intro, and some a little bit deeper, but not super crazy deep, dive into a bunch of the cool things you can do with SSH. You saw that just by default it gives you remote shell access, lets you do port forwarding, you can download and upload files, and it's all encrypted. That port forwarding you can use to accomplish almost any sort of hopping that you need to be able to do around network segmentation. So really, if you can get to port 22 and you have some sort of credential material to log into that port 22, you can do quite a bit inside a network. You can get access to systems you're not necessarily supposed to have access to. You can get around network protections that are trying to block you from doing things. You can mask your traffic in different protocols via proxies. You can make your traffic look like it's coming from different systems via proxies. With all the configuration options you saw, you can trick the system into doing things, or really trick users into doing things that they're not expecting. There are different ways you can run SSH commands such that it's harder to trace or see that information on the system, and download, upload and exfil all the data. And then really the cool thing about this is you can use all of these SSH options, and these are the basic ones; you can combine all of this to make yourself the craziest network map that you want and pivot through all of the different things. SSH is becoming more and more ubiquitous across environments. It's now coming on Windows 10.
You have WSL. It's very, very, very useful. So I hope that was helpful. I hope it made you think a time or two about SSH and what you can do with it, and all that kind of stuff. I hope to stay connected with everybody. Randori Attack is my team's Twitter. We are kind of always hiring someone somewhere, so hit up our careers off of our web page. And then if you're into information like this, follow our blog. Randori TTPs are our tips, tricks and PoCs; check that out for lots of information like this.

And then lastly, I'm pretty passionate about this: we need to make sure that we're taking care of ourselves. Popping all these shells is awesome, maintaining all of this access is super great, but we also need to make sure that we're taking the time to get away and keep ourselves fit. So #RedTeamFit, check us out on Twitter. There's a bunch of Discords all over the place, and we've got a bunch of groups doing all sorts of really awesome stuff. And that's what I got. Thanks everybody. #RedTeamFit