Network Security Focus-Linux

Re: Reverse SSH tunnelling

Subject: Re: Reverse SSH tunnelling
Date: Thu, 26 Aug 2004 22:12:17 -0700
Raist,

I had a similar problem. I solved it by setting a flag file in a central location that all the remote boxes could see.

1) Copy the appropriate SSH public keys across to your central admin box. Add them to ~/.ssh/authorized_keys or authorized_keys2 files. Make sure the remote client can connect to you without a password.

2) On a central FTP or HTTP site, set up a flag file. Mine is a simple flag.html and contains a 0 or a 1.

3) For each client, write a cron script using wget or another tool to automatically check either for the existence of this file, or specific content. If the flag is set, then bring up an ssh connection. In addition to grabbing a remote port, issue a sleep command. This will keep the window of opportunity open.

Here's my cron script:
--------------------------------------------------------------
#!/bin/sh

# DELETE OLD FLAG FILE (-f: do not complain if it is already gone)
rm -f /root/.ssh/flag.html

# GET NEW FLAG FILE (the space before the backslash matters: without it the
# continuation joins "wget" and "-q" into one word)
http_proxy=ncache.entp.attws.com:8080 /usr/local/bin/wget \
-q http://206.x.y.z/flag.html -O /root/.ssh/flag.html

# DEFAULT TO 0 SO A FAILED FETCH (NO FILE) NEVER OPENS A CONNECTION
FLAG=0
[ -f /root/.ssh/flag.html ] && read FLAG < /root/.ssh/flag.html

# IF FLAG FILE CONTAINS "1" THEN SETUP SSH CONNECTION, OTHERWISE EXIT
# ($FLAG is quoted and compared as a string, so an empty or non-numeric
# value simply fails the test instead of breaking it)
if [ "$FLAG" = 1 ]
then

exec /usr/bin/ssh -nfg -R 2222:127.0.0.1:22 -lroot 206.x.y.z -o keepalive=yes sleep 60

fi
-----------------------------------------------------------

The -R 2222:127.0.0.1:22 is what does the reverse trick. We grab port 2222 on the REMOTE machine and forward it to localhost:22.

4) When you want to connect to a specific machine, set the flag file. The remote cron will detect the flag and grab a port on your machine (2222).

5) Now you need to ssh to localhost port 2222, and end up on the remote machine. You can add other ports to forward, too. The only problem I've seen is ssh will be confused with ssh to localhost if you've already ssh'd to it before. Simply remove it from your known_hosts file or use 127.0.0.1.

6) When done, make sure you change the flag file back. Otherwise, frequent ssh setup & teardowns will attract the attention of the security folk...

I'd love to hear of a more elegant solution, maybe using ping or port knocking. I did it this way so an hourly ssh session wouldn't raise flags with the security guys, as well as getting through the firewall. Ftp/Http is a little more subtle.

-Abe
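The six-step procedure above, written out as an added example with the checks a defender would want on both ends; this is not Abe's script, and nothing in it comes from the thread beyond the design (poll a flag, connect back with -R when it reads 1) and the 206.x.y.z placeholder. Everything else is assumed for illustration: the flag is fetched over HTTPS from FLAG_URL, the admin box has an unprivileged account ADMIN_USER rather than root, the client uses a dedicated key KEY_FILE, and the functions parse_flag, restricted_key_line, open_tunnel and poll_once are this example's own names.

```sh
#!/bin/sh
# Hardened flag-file poller for a reverse SSH tunnel. Added example for this
# thread, not Abe's script. Assumptions (none from the post): FLAG_URL,
# ADMIN_USER, KEY_FILE and the function names are made up for illustration;
# ADMIN_HOST keeps the post's 206.x.y.z placeholder.

FLAG_URL="https://admin.example.invalid/flag.html"   # assumed
FLAG_FILE="/root/.ssh/flag.html"                      # same path as the post
ADMIN_HOST="206.x.y.z"                                # placeholder from the post
ADMIN_USER="tunnel"                                   # assumed, deliberately not root
KEY_FILE="/root/.ssh/reverse_tunnel_key"              # assumed dedicated key
REMOTE_PORT=2222
HOLD_SECONDS=60

# Print the flag value (0 or 1). Only a file whose whole content, minus
# whitespace, is exactly "0" or "1" counts; a missing file, a proxy or HTML
# error page, or any other text is reported as 0, so a bad fetch can never
# open a tunnel. Exit status 0 for a valid flag, 1 otherwise.
parse_flag() {
    _f="$1"
    if [ ! -f "$_f" ]; then
        echo 0
        return 1
    fi
    _v=$(tr -d ' \t\r\n' < "$_f")
    case "$_v" in
        0|1) echo "$_v"; return 0 ;;
        *)   echo 0; return 1 ;;
    esac
}

# authorized_keys line for the admin box (permitlisten needs OpenSSH 7.8+):
# this key may only ask for a reverse listener on REMOTE_PORT, gets no pty,
# agent or X11 forwarding, and always runs the sleep that holds the tunnel,
# whatever command the client sends.
restricted_key_line() {
    _pubkey="$1"
    printf 'permitlisten="%s",command="sleep %s",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc %s\n' \
        "$REMOTE_PORT" "$HOLD_SECONDS" "$_pubkey"
}

# Open the tunnel. BatchMode stops ssh from ever prompting under cron,
# ExitOnForwardFailure turns a port clash on the admin box into a failed run
# instead of a silent useless session, and ServerAliveInterval notices a
# dead link at the application level rather than relying on TCP keepalives.
open_tunnel() {
    ssh -nf -i "$KEY_FILE" -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -R "$REMOTE_PORT:127.0.0.1:22" \
        -l "$ADMIN_USER" "$ADMIN_HOST" sleep "$HOLD_SECONDS"
}

# One cron run: fetch, validate, and only then connect.
poll_once() {
    rm -f "$FLAG_FILE"
    wget -q -O "$FLAG_FILE" "$FLAG_URL" || return 1
    if [ "$(parse_flag "$FLAG_FILE")" = 1 ]; then
        open_tunnel
    fi
}

# "sh poller.sh run" from cron; "sh poller.sh key" prints the authorized_keys
# line to install on the admin box. With no argument nothing runs.
case "${1:-}" in
    run) poll_once ;;
    key) restricted_key_line "$(cat "$KEY_FILE.pub")" ;;
esac
```

On the admin side, the known_hosts confusion from step 5 goes away if each hop through the tunnel names the real host, e.g. ssh -p 2222 -o HostKeyAlias=remote-box-name 127.0.0.1, so every remote machine keeps its own known_hosts entry instead of all of them competing for "localhost". The authorized_keys restriction matters more than the script: with permitlisten and a forced command, a stolen client key can only ever re-create this one listener and cannot get a shell on the admin box.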

