Ultimate Hacklab – Self Paced (SP)

Ultimate Hacklab – Self Paced (SP) – prep for hacking-challenge lab exams like OSCP, LPT, and eCPPT; soon the new CEH is going to be a hacking-challenge lab as well.

If you really want to know what it takes to pass hack-lab, challenge-based exams like OSCP, LPT, and eCPPT, then Ultimate Hacklab is for you, and it’s only $50.

The InfoSec Addicts Ultimate Hacklab – Self Paced (SP) – is the best way for you to practice the skills required for almost any hands-on, lab-based penetration testing/ethical hacking certification.

The Ultimate Hacklab – Self Paced (SP) – gives you the opportunity to follow along with a structured and very detailed training program, and/or make your way through the labs and just ask for help whenever you get stuck. You can run almost any tool and try almost any attack in the environment. The class is self-paced. You can sign up ANYTIME and start IMMEDIATELY.

The program outlines how to create your own lab environment, or you can connect to the InfoSec Addicts lab environment from almost any platform (Windows, Mac OS X, Kali Linux, other Linux distros) to go through the lab exercises.

Class syllabus:

  • Module 1: Connecting via VPN to the lab network
    • Connecting to the VPN with Windows
    • Connecting to the VPN with Mac OS X
    • Connecting to the VPN with Linux
    • Connecting to the VPN with Kali
  • Module 2: Scanning
    • Nmap
    • Net-Discover
  • Module 3: Enumeration
    • nmap NSE
    • rpcinfo/showmount
    • nbtstat
    • enum4linux
  • Module 4: Brute-forcing
    • Hydra
    • Medusa
  • Module 5: Vulnerability Scanning
    • Nessus
    • OpenVAS
  • Module 6: Attacking web servers/web apps
    • Manual XSS/SQL Injection/LFI/RFI
    • Nikto
    • Dirbuster
    • Burp Suite
    • w3af
    • Arachni
  • Module 7: Compiling/Modifying Exploit code
    • Compiling code in Windows
    • Compiling code in Linux
    • Finding offsets
    • Changing out shellcode
  • Module 8: Client-Side Exploitation
    • Metasploit
    • Social Engineering Toolkit
  • Module 9: Transferring files
    • FTP
    • TFTP
    • VBscript
    • Debug.exe
    • wget/linux/bitsadmin
    • PowerShell
  • Module 10: Privilege Escalation
    • Linux
      • SUID binaries
      • Shell escapes
    • Windows
      • Identifying vulnerable services/misconfigurations
      • beR00t.exe
  • Module 11: Data-mining a compromised host
  • Module 12: Hashcracking
  • Module 13: Pivoting
    • Netcat/Socat pivot
    • SSH Pivot
    • Metasploit pivot
  • Module 14: Lateral movement
    • psexec
    • smbexec
    • winexe
  • Module 15: Data Exfiltration
    • ICMP Tunneling
    • DNS Tunneling
  • Module 16: Reporting

Lab Network Access

Targets in the lab network change on the 1st of every month. Students have the option to purchase one month’s access to the lab environment for $25.

Students will receive:

  • Up to 124 hours of CPEs (24 CPE for the actual training and the rest come from labs and challenges completed by the students)
  • Several virtual machines
  • Courseware access
  • Lab Manual
  • Lab access

Class Videos

Each course module has a corresponding video that demonstrates the task being performed, so you can see the skill or task described in each individual lesson actually being carried out.

Support

Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class, where they can work with other students on lab exercises, homework, and challenges. An InfoSec Addicts class mentor is assigned to the group to answer questions (allow one day for responses), and a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedule

The class is self-paced. You can sign-up ANYTIME, and start IMMEDIATELY.


Was sick, my mother passed away, but now I’m back on track

I want to thank all of you well-wishers. The last few months have been crazy for me. I’ve been in and out of the hospital several times, my mother passed away a few days ago, and my birthday was on the day I buried my mother (Mother’s Day).

My mother was very sick so honestly her passing was a painful but good thing as her suffering is finally over. My family got together and had a celebration of her life instead of a funeral.


So again to all of you thank you.

My medical issues are under control now, and we’ve dealt with my mother’s passing so I’m back to work next week.

I’ll be teaching Advanced Metasploit, and Python as night classes so I decided to bundle them for $100 (they are usually $100 each).

Click here to register for this class bundle for only $100

https://infosecaddicts.com/next-level-metasploit/
Next-Level Metasploit 21st and 23rd of May 2018
– Mon, May 21, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 23, 2018 7:00 PM – 9:00 PM EDT


This is an advanced Metasploit course that focuses on the fundamentals of Ruby (specifically for Metasploit), Metasploit automation, and writing auxiliary modules and exploits for Metasploit.

https://infosecaddicts.com/python-infosec-professionals/
Python for InfoSec Professionals 28th and 30th of May 2018
– Mon, May 28, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 30, 2018 7:00 PM – 9:00 PM EDT


This is a Python for security professionals course. In this course I’ll be covering both log and pcap analysis with Python, as well as network/web app testing with Python.

This course is designed for people who are NOT very comfortable with programming.

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Each student will receive access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedules

Next-Level Metasploit 21st and 23rd of May 2018

– Mon, May 21, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 23, 2018 7:00 PM – 9:00 PM EDT

Python for InfoSec Professionals 28th and 30th of May 2018

– Mon, May 28, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 30, 2018 7:00 PM – 9:00 PM EDT

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/

NOTE: Due to Joe McCray’s travel and work schedule (e.g. short-notice consulting/training engagements or changes to those engagements), classes may be rescheduled or cancelled. In these situations a refund will NOT be granted, as the class will be re-run the following week or additional days will be added to the class schedule to make up for it.

Free Advanced Network Penetration Testing webinar

In this FREE webinar Joe McCray will cover the fundamentals of network penetration testing and how to perform basic penetration testing tasks. This webinar is designed for people with little to no network penetration testing experience.

This webinar will be held on the 1st of February at 1pm EST.

Click the link below to sign up for this webinar:

https://attendee.gotowebinar.com/register/6831470640505615106


OpenSSH-PuTTY-SSH

What is PuTTY?


Let’s get some background on the topic first. The name PuTTY has no particular meaning; it is free and open-source software. Specifically, it is a terminal emulator, serial console, and network file transfer application. It supports a number of network protocols, including Secure Copy (SCP), Secure Shell (SSH), Telnet, rlogin, and raw socket connections, and it can also connect to a serial port.

It was originally written for Microsoft Windows, where it works well, but releases exist for Unix-like operating systems as well. It can also run on Symbian, Windows Mobile, and Windows Phone, although there are no official ports for those platforms, and ports for Classic Mac OS and macOS are still being worked on.

What does PuTTY have as features?


PuTTY offers several features, such as:

  • A secure remote terminal, in several variants
  • User control over the SSH encryption key and the protocol version used
  • Ciphers such as 3DES, Arcfour, Blowfish, and DES, as well as public-key authentication
  • Emulation of xterm, VT102, and ECMA-48 terminal control sequences
  • Port forwarding over SSH in all its types: local, remote, and dynamic
  • IPv6 support in the network communication layer
  • Support for the zlib@openssh.com delayed compression scheme
  • Connections to local serial ports
  • Command-line SSH File Transfer Protocol (SFTP) and SCP clients, named “psftp” and “pscp” respectively
  • Non-interactive sessions through another command-line connection tool called plink

What is SSH?


This brings us to Secure Shell (SSH), a cryptographic network protocol. What is it used for? It is mainly used to operate network services securely over a network that is not secure; for example, users can access computer systems remotely through it.

The SSH protocol uses a client-server architecture: an SSH client connects to an SSH server. While most applications support command-line login and remote command execution, SSH can secure any network service, using one of its two versions, SSH-1 and SSH-2.

Windows supports SSH, but with limited integration; SSH is most commonly used to access shell accounts on Unix-like operating systems. When it first appeared, SSH was intended to replace protocols like Telnet, rlogin, rsh, and rexec, because those protocols send sensitive information such as passwords in plain text, which is completely insecure: any packet analyzer can sniff the packets, and the password is then easily read.

SSH, on the other hand, offers a secure means of communication: the data is encrypted, so it cannot be meaningfully interpreted if sniffed and analyzed. Still, the US Central Intelligence Agency relies on some security tools to crack the SSH protocol and decrypt the files at the end of the day, as WikiLeaks, the government transparency organization, revealed last month.

Public or Private Keys


SSH uses public-key cryptography to authenticate the remote computer and, optionally, the user on that computer. Automatically generated public-private key pairs can be used simply to encrypt the network connection, with login then authenticated by a password.

Alternatively, a manually generated public-private key pair can perform the authentication itself, so that a user or program can log in without a password thereafter. The public key is placed on every computer that must allow access, while the matching private key is held only by its owner, who already has access to those computers. The private key never leaves its location and is not transferred over the network during authentication.

So what does SSH do at that moment? It only verifies that the party offering the public key also holds the matching private key; if so, the authentication is accepted. It is therefore important to verify unknown public keys, that is, to associate them with known identities, before accepting a connection, so that an attacker’s key is not accepted as a valid user.

How does the key get managed?


It is important to know how keys are stored and checked when SSH is used for authentication. On Unix-like systems, a file named ~/.ssh/authorized_keys in the user’s home directory lists all the public keys that are allowed to log in.

During authentication, the public key is checked on the remote machine and the private key on the local machine, so no password is needed to complete the authentication. Locking the private key with a passphrase is still an added layer of security for establishing the connection. Some software, such as Message Passing Interface (MPI) implementations, relies on this password-less public-private key authentication.

The private key can live in one of the standard locations, or its full path can be given on the command line (the -i option of ssh). Public and private key pairs are produced with the ssh-keygen utility.

The SSH protocol also supports password-based authentication, with the password encrypted using keys that SSH generates automatically. This opens the door to a man-in-the-middle attack: a fake server could manipulate the client into sending the password and collect it instead of the legitimate server. Nevertheless, this is only possible the first time the two sides connect, because once they have authenticated, SSH remembers the server’s public key.

How is this attack avoided? Simply by the fact that SSH displays a warning when connecting to a new or previously unknown server. Disabling password authentication altogether is another valid way to avoid such attacks.
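Since ~/.ssh/authorized_keys decides which public keys may log in, a small auditor for that file is a natural defender’s check on the key management described above. The script below is an added example (not the page’s code and not part of OpenSSH): it constructs a synthetic authorized_keys file, parses each entry with its optional restrictions, decodes the key blob to confirm the declared key type, and flags DSA keys, short RSA moduli, and entries with no restricting options.

```python
# Audit an OpenSSH authorized_keys file: added example for this page, not the
# page's own code and not part of OpenSSH. Key material below is synthetic.
import base64
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """SSH mpint encoding of a positive integer (leading zero if high bit set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b

def _blob(key_type: str, *fields: bytes) -> str:
    """Base64 public-key blob: the type string followed by the key fields."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()

# Constructed sample file (findings refer to its line numbers, comment is line 1).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(32))) + " alice@laptop",
    'from="10.0.0.0/8",no-pty ssh-rsa '
    + _blob("ssh-rsa", _mpint(65537), _mpint((1 << 3071) | 1)) + " backup@cron",
    "ssh-rsa " + _blob("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)) + " old@box",
    "ssh-dss " + _blob("ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04") + " legacy",
    "ssh-ed25519 " + _blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
    + " declared-type-mismatch",
])

def _fields(line: str) -> list:
    """Split on whitespace except inside double quotes (options may hold spaces)."""
    out, cur, quoted = [], [], False
    for ch in line:
        quoted ^= (ch == '"')
        if ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return out + (["".join(cur)] if cur else [])

def parse_entry(line: str) -> dict:
    """Parse one entry into its parts; raises ValueError on malformed input."""
    fields = _fields(line)
    if not fields:
        raise ValueError("empty entry")
    options, rest = ("", fields) if fields[0] in KEY_TYPES else (fields[0], fields[1:])
    if len(rest) < 2:
        raise ValueError("missing key type or key data")
    raw, pos = base64.b64decode(rest[1], validate=True), 0

    def read_string() -> bytes:  # one length-prefixed field from the blob
        nonlocal pos
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        if pos + 4 + n > len(raw):
            raise ValueError("truncated key blob")
        pos += 4 + n
        return raw[pos - n:pos]

    embedded = read_string().decode("ascii", "replace")
    rsa_bits = None
    if embedded == "ssh-rsa":
        read_string()  # public exponent e, not needed here
        rsa_bits = int.from_bytes(read_string(), "big").bit_length()  # modulus n
    return {"options": options, "type": rest[0], "embedded_type": embedded,
            "rsa_bits": rsa_bits, "comment": " ".join(rest[2:])}

def audit(text: str) -> list:
    """Return (line, severity, code, detail) findings a defender would review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            e = parse_entry(line)
        except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
            findings.append((lineno, "high", "unparseable", str(exc)))
            continue
        if e["embedded_type"] != e["type"]:
            findings.append((lineno, "high", "type-mismatch",
                             f"declared {e['type']}, blob says {e['embedded_type']}"))
        if e["type"] == "ssh-dss":
            findings.append((lineno, "high", "weak-algorithm",
                             "ssh-dss is disabled by default since OpenSSH 7.0"))
        if e["rsa_bits"] is not None and e["rsa_bits"] < 2048:
            findings.append((lineno, "medium", "weak-rsa-size", f"{e['rsa_bits']}-bit modulus"))
        if not e["options"]:
            findings.append((lineno, "info", "no-restrictions",
                             "no from=/command=/no-pty options constrain this key"))
    return findings
```

Run `audit(open("~/.ssh/authorized_keys").read())` on a real file to get the same tuples; the sample above yields a weak 1024-bit RSA key, a DSA key, and a blob whose embedded type contradicts the declared one.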

OpenSSH and OSSH


To keep the software free and available at no cost, the older 1.2.12 release of the original SSH program, which was still open source, was taken as a starting point. In 1999, using that codebase, Björn Grönvall released OSSH.

OpenBSD developers then built on and improved Grönvall’s code. The result was OpenSSH, which shipped with the 2.6 release of OpenBSD. OpenSSH was later ported to other operating systems through what is referred to as the portability branch.

OpenSSH came to support so many operating systems that by 2005 it was the only SSH implementation running on several platforms. OSSH, on the other hand, faded away as OpenSSH became more and more popular.

Kismet Wireless

What is Kismet?

Specialists in computer security, and in information security in particular, should know Kismet and what it can do. Kismet is software for detecting wireless networks, sniffing packets, and acting as an intrusion detection system. It is also an open-source security tool, which means it is free software, a definite plus.

Kismet runs on any platform compliant with the Portable Operating System Interface (POSIX), including Microsoft Windows, Mac OS X, and BSD. Nevertheless, it works best on Linux, because monitor-capable drivers on that system are unencumbered.

Kismet needs to work in monitor mode. Why? Because in that mode any packet Kismet can hear can be read and examined. Without monitor-mode capability, packets can only be sniffed from the access point (AP) you are currently associated with.

Radio Frequency MONitor (RFMON) mode is therefore critical to using Kismet to its full potential. The first step is a driver that supports RFMON (monitor) mode, configured on the wireless network interface card (NIC) in use.

What are the configuration models of Kismet?


Kismet can be configured in several ways. It is essentially a client-server application, but it can also be run as a standalone application, or as a server supporting several clients. Kismet drones installed around the network can also feed a central Kismet server, which gathers the packets captured by each individual piece of wireless hardware for analysis and monitoring. Standalone Kismet uses the built-in client, although several third-party clients work with Kismet as well.

How do Kismet drones work?


Let’s now discuss how Kismet drones report the packets they capture to their server. The mechanism is simple: each drone forwards the packets captured from its configured wireless card source to a single server that collects all captured packets. The server combines them into one log file and raises unified wireless intrusion alerts for the entire network. In this way, any LAN with one or two APs can have a wireless intrusion detection system (IDS) made up of Kismet drones.

Note that each of these components needs its own configuration file; this is how Kismet is tuned for good performance. The files are kismet.conf, kismet_ui.conf, and kismet_drone.conf.

What about the User Interface?


Although there is nothing new or creative about the user interface, it allows the software to be operated quickly. When Kismet starts, it opens in Autofit mode, where all detected networks are displayed in a list. Some details about each network are shown, but no further details can be viewed beyond the ones already on screen.

So what details are displayed? The decay indicator, network name, network type, WEP status, channel used, packets seen, flags, IP range, and the size of the capture file. All of these are accessible from the user interface. The decay indicator has three states:

  • An exclamation mark (!) indicates recent activity
  • A period (.) indicates less recent activity
  • A blank indicates no recent activity

A good question is: what determines whether an activity counts as recent? This is decided by the decay variable in kismet_ui.conf. Usually, activity within roughly the last 3 seconds is considered recent.

How can I get help when using Kismet?

It is vital to seek help when using software you are new to. Pressing “h” opens a help window, which can be navigated with Page Up and Page Down. Pressing “x” closes the window.

How can changing modes have their effect?


At the end of the help window, the following appears in capital letters: ALL NETWORK SELECTION, TAGGING, GROUPING, SCROLLING, AND SO ON IS DISABLED IN AUTOFIT MODE. Let’s change this mode and see how Kismet reacts.

First, close the help screen. Then the order of the network list can be changed by pressing “s”. To sort the list by the MAC address of each network’s AP, press “b”, the first letter of BSSID, which is the name for such MAC addresses.

The up and down arrow keys select a specific network. Pressing “i” opens another window with all the details of that particular AP.

Pressing “a” shows per-channel traffic statistics, and pressing “c” lists all the MAC addresses interacting with a particular AP: the client list appears. The order of these addresses can be changed in the same way as before, for instance by the time they were last seen, and “L” reverses that order.

This is important for protecting any AP, because it reveals all the MAC addresses of the devices talking to it. To view the details of a particular client, highlight it and press “i”. This shows the type of connection the client is involved in, its MAC address, and much more information about the client.

Pressing “h” here opens another help window, more specific than the generic one shown before. It explains the various connection types: From DS, To DS, Intra DS, Established, Sent To, and Unknown.

How to get the log files edited?

By default, log files are stored in the directory where Kismet was started, but this is easy to change by editing the logtemplate directive in kismet.conf. The logs created by default are the dump, network, CSV, XML, weak, Cisco, and GPS logs; this can also be changed by editing the logtypes directive in kismet.conf. The dump file can afterwards be analyzed with Wireshark or Aircrack-ng if preferred. More information about these security tools can be found on this website as well.

How to understand SSH perfectly?

In the following lines I will walk through the main steps that someone new to security administration must follow to excel in this domain. Following them will give a good result: you will get to know the different aspects of the topic and fully grasp its concepts.

  1. Understand what is meant by a tunneling protocol

A tunneling protocol lets a network user access a network service that the underlying network does not directly support, or offer such a service to a network of that kind. What is this used for in practice? There are three main benefits:

  • Running a protocol on a network that does not allow or does not support it; for instance, IPv6 can run over IPv4 this way.
  • Giving a remote user access to the network. Though it is not a safe choice, a critical user or employee of a corporation can get an internal IP address for his machine when working from home or when traveling: whatever the machine’s physical IP address, it has the company’s network address and works as if it were already inside the company.
  • Hiding the nature of the traffic passing through a network, an unusual use of protocol tunneling. How and why? Encryption can be used to repackage the traffic as it passes between the two networks, so that data captured by a sniffer is not readily visible because it is encrypted.

In general, tunneling is a means of sharing data between two different networks. The private network’s data, together with its protocol headers, is encapsulated in the protocols used on the public network, which treats that protocol information as mere pieces of data.

  2. Get to know SSH tunneling

A Secure Shell (SSH) tunnel is essentially an encrypted channel that carries any traffic passed through it, whether or not that traffic is itself encrypted. It is built on the SSH network protocol: the private network’s protocol is encapsulated inside SSH, so all communication between the two ends is encrypted.

To illustrate, transferring files between Windows machines over a remote connection uses the Server Message Block (SMB) protocol. Because SMB does not offer an encrypted means of transferring the data, such transfers are ultimately exposed to attack and exploitation by a capable attacker.

Mounting a Windows file system over SMB can therefore be done securely by running the SMB traffic through an SSH tunnel, which provides an encrypted channel between the client and the file server.

Establishing a local SSH tunnel mainly requires configuring an SSH client on a machine so that a local port is forwarded to a port on a remote machine. Once the tunnel is established, the user connects to that local port to reach the network service. The two ports can be different if desired.

One notable property of SSH tunnels is that they can be used to bypass firewalls. To elaborate, consider a device connected to a network that allows no access to the internet, meaning that no connection can be established through port 80. One way around this restriction is to forward a local port on the machine to port 80 on another computer outside the network, where the internet is accessible.

One obstacle remains even with SSH tunneling: whether the site allows users to establish outgoing connections at all. If it does, the method works, and the organization’s proxy filter will not even notice the bypass and so cannot block internet access from the machine.

A further consequence of such a bypass is that the organization cannot see the traffic going to and from the internet on this machine, because the machine is supposed not to have an internet connection anymore. A remote web server is then reached by pointing the browser on the original machine at the local port, http://localhost/.

  3. Identify the types of SSH tunneling

There are three main categories of SSH tunneling, each suited to a different situation and network:

  • Local port forwarding
  • Remote port forwarding
  • Dynamic port forwarding

  4. Know what OpenSSH is

The origin of OpenSSH, from Björn Grönvall’s OSSH to the OpenBSD developers’ OpenSSH and its portability branch, is covered in the OpenSSH and OSSH section above.

How to play around with SSH protocol?

  1. Know what port forwarding is

So we have seen that establishing a tunnel requires port forwarding. How is this done? Port forwarding, also referred to as port mapping, combines three techniques:

  • A new destination (address or port number) is defined for a packet in place of its original one.
  • Such packets are usually accepted by firewalls working as packet filters.
  • The routing tables are used to forward the packets.

There are also three types of port forwarding:

  • Local port forwarding
  • Remote port forwarding
  • Dynamic port forwarding

  2. Understand what SOCKS and SOCKS5 are

Socket Secure (SOCKS) is a standard internet protocol in which a proxy server is the means by which network packets are exchanged between a client and a server.

SOCKS5 adds authentication: the proxy server cannot be used without authenticating the user who wants access, which implies that there is a defined set of authorized users allowed into the server.

In practice, the SOCKS5 protocol proxies TCP connections to an arbitrary Internet Protocol (IP) address, and UDP packets can be forwarded through it as well.

The service listens on TCP port 1080, where incoming client connections are accepted. The protocol operates at the session layer, the fifth layer of the Open Systems Interconnection model (OSI model), which sits between the presentation layer and the transport layer.
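Dynamic port forwarding (listed above) presents exactly this SOCKS proxy on the local port, so the SOCKS5 messages are worth seeing byte by byte. The following is an added example (not the page’s code or any project’s): it builds and parses the greeting, method selection, username/password sub-negotiation (RFC 1929), and CONNECT request on both the client and server side, with a server policy that refuses anonymous clients; the user table and destination hosts are constructed, and no socket is opened.

```python
# SOCKS5 handshake (RFC 1928) with username/password auth (RFC 1929), both
# sides built and parsed in memory. Added example for this page, not the page's
# own code or any project's; no socket is opened, all messages are constructed.
import hmac
import ipaddress
import struct

VER = 5
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def client_greeting(methods: list) -> bytes:
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([VER, len(methods), *methods])

def server_select_method(greeting: bytes, require_auth: bool = True) -> bytes:
    """VER | METHOD reply. A proxy that requires auth answers 0xFF to an
    anonymous-only greeting, after which the client must close the connection."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    if USERPASS in offered:
        chosen = USERPASS
    elif NO_AUTH in offered and not require_auth:
        chosen = NO_AUTH
    else:
        chosen = NO_ACCEPTABLE
    return bytes([VER, chosen])

def userpass_request(user: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: 0x01 | ULEN | UNAME | PLEN | PASSWD."""
    u, p = user.encode(), password.encode()
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p

def server_check_userpass(msg: bytes, users: dict) -> bytes:
    """0x01 | STATUS reply; STATUS 0 means success. `users` maps name -> password
    (plaintext only for this demo; a real proxy would store password hashes)."""
    if len(msg) < 3 or msg[0] != 1:
        raise ValueError("malformed auth request")
    ulen = msg[1]
    if len(msg) < 3 + ulen or len(msg) != 3 + ulen + msg[2 + ulen]:
        raise ValueError("malformed auth request")
    u, p = msg[2:2 + ulen], msg[3 + ulen:]
    expected = users.get(u.decode("utf-8", "replace"), "").encode()
    ok = hmac.compare_digest(expected, p)  # constant-time; unknown user fails the same way
    return bytes([1, 0 if ok and expected else 1])

def connect_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT; host may be IPv4, IPv6 or a name."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name length out of range")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, cmd, 0x00]) + addr + struct.pack(">H", port)

def parse_request(msg: bytes) -> tuple:
    """Server side: return (cmd, host, port) or raise ValueError."""
    if len(msg) < 4 or msg[0] != VER or msg[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = msg[1], msg[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(msg[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(msg[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = msg[4] if len(msg) > 4 else 0
        host, end = msg[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type")
    if len(msg) != end + 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack(">H", msg[end:])[0]

def run_exchange(methods: list, user: str, password: str, host: str, port: int,
                 users: dict) -> tuple:
    """Drive client and server through greeting, auth and request in memory.
    Returns ('rejected', None), ('auth-failed', None) or ('ok', (cmd, host, port))."""
    chosen = server_select_method(client_greeting(methods))[1]
    if chosen == NO_ACCEPTABLE:
        return "rejected", None
    if chosen == USERPASS and \
            server_check_userpass(userpass_request(user, password), users)[1] != 0:
        return "auth-failed", None
    return "ok", parse_request(connect_request(host, port))
```

A proxy exposed by `ssh -D` uses no SOCKS authentication itself, the SSH login being the gate; the server-side policy here shows what a standalone SOCKS5 service on port 1080 should enforce instead.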

Modern versions of OpenSSH also support Layer 2 and Layer 3 tunnels, so that connections at those layers can be made between two devices that enable such tunneling capabilities.

Through such connections, TUN gets created by default on layer three whereas TAP gets created by default on layer 2. TUN and TAP are basically virtual network kernel devices, which are fundamentally different from ordinary network devices which are backed up by hardware network adapters.

Such virtual interfaces get created on both devices and then it is allowed to manage the network and adjust the routing. When using them on routers, this will lead to tunneling of a subnetwork traffic entirely not only an application or a port connection as in SOCKS and SSH tunneling respectively. An Ethernet cable between both devices could simply get simulated using two TAP virtual interfaces on both devices. Kernel bridges can occur accordingly using this method.

Get familiar with PuTTY

Some background first. The name PuTTY has no expanded meaning; it is free and open-source software: a terminal emulator, serial console, and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connections, and it can also connect to a serial port.

Understand Nmap

The Nmap suite ships with helper tools: Ncat is a flexible utility for transferring and redirecting data (a netcat reimplementation), Ndiff compares scan results, and Nping is a packet generation and response analysis tool.

Finally, besides its command-line interface, Nmap has a graphical front end: Zenmap, the official GUI and results viewer, makes scan results easy to read and analyze.

Know how to brute-force SSH on Metasploitable3

This tutorial covers an SSH login attack. Assume that port 22 is open on the target and an SSH service is running on it. The target is a Metasploitable 3 machine; the port was opened intentionally for the purposes of this tutorial.

  • Open the Kali Linux terminal.
  • Scan the target IP address for open ports with Nmap. The following command shows which ports are open and which services run on them; it will show that port 22 is open.
    nmap -p- -sV 192.168.1.8
  • Create a dictionary file with the following command:
    cewl https://github.com/rapid7/metasploitable3/wiki -m 7 -d 0 -w /root/Desktop/dict.txt
  • A word on that command: CeWL builds a custom word list by spidering a given URL. Here -m 7 keeps only words of at least seven characters, -d 0 stops it from following links, and -w writes the list to a file.

The dictionary file created by that command is generated from the Metasploitable 3 wiki on GitHub. It is used in the following steps to find the password.

  • Start the Metasploit framework from the terminal:
    msfconsole
  • Next, test SSH logins against the target to find which ones succeed. The ssh_login module records successful logins, together with the hosts they were found on, in the database if the database plugin is loaded. Note that the target port option is RPORT (setting a variable called "port" has no effect; the default is 22 anyway).
    use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(ssh_login) > set rhosts 192.168.1.8
    msf auxiliary(ssh_login) > set rport 22
    msf auxiliary(ssh_login) > set username vagrant
    msf auxiliary(ssh_login) > set pass_file /root/Desktop/dict.txt
    msf auxiliary(ssh_login) > set stop_on_success true
    msf auxiliary(ssh_login) > exploit
  • The module finds the credential vagrant:vagrant and opens a session on the attacker's machine: a shell on the victim over the SSH connection.
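From the target's side this attack is a burst of "Failed password" lines in the auth log followed, if the word list works, by an "Accepted password" from the same source. The following is an added example (mine, not code from the tutorial or from Metasploit) of the detection logic a defender would run over sshd log lines: a sliding-window counter per source address that alerts when failures reach a threshold and again when that source later logs in. The hostname, addresses and log lines in SAMPLE_LOG are constructed for the example; the classic syslog format is assumed, so the year has to be supplied by the caller.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log lines in the classic syslog format (Debian/Ubuntu). The
# regex keeps the timestamp, outcome, user and source address.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

def parse_auth_line(line, year=2024):
    """Return a dict for a password-auth event, or None for other lines.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = AUTH_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_ssh_bruteforce(lines, threshold=5, window_s=60, year=2024):
    """Sliding-window detector. Emits ('bruteforce', src, user, failures) the
    first time a source reaches `threshold` failures inside `window_s`
    seconds, and ('success_after_bruteforce', src, user, failures) when a
    source that tripped the threshold later logs in, which is what a
    successful ssh_login run looks like from the target's side."""
    recent = defaultdict(list)   # src -> timestamps of failures still in the window
    tripped = set()
    alerts = []
    for line in lines:
        ev = parse_auth_line(line, year)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_s]
        if ev["result"] == "Failed":
            recent[src].append(ts)
            if len(recent[src]) >= threshold and src not in tripped:
                tripped.add(src)
                alerts.append(("bruteforce", src, ev["user"], len(recent[src])))
        elif src in tripped:
            alerts.append(("success_after_bruteforce", src, ev["user"], len(recent[src])))
    return alerts

# Constructed sample: a word-list attack on 'vagrant' from 192.168.1.5 that
# finally succeeds, plus one unrelated failure from another host.
SAMPLE_LOG = """\
Mar 12 10:00:01 metasploitable3 sshd[2101]: Failed password for vagrant from 192.168.1.5 port 51200 ssh2
Mar 12 10:00:02 metasploitable3 sshd[2103]: Failed password for vagrant from 192.168.1.5 port 51201 ssh2
Mar 12 10:00:03 metasploitable3 sshd[2105]: Failed password for vagrant from 192.168.1.5 port 51202 ssh2
Mar 12 10:00:04 metasploitable3 sshd[2107]: Failed password for vagrant from 192.168.1.5 port 51203 ssh2
Mar 12 10:00:05 metasploitable3 sshd[2109]: Failed password for vagrant from 192.168.1.5 port 51204 ssh2
Mar 12 10:00:06 metasploitable3 sshd[2111]: Failed password for vagrant from 192.168.1.5 port 51205 ssh2
Mar 12 10:00:07 metasploitable3 sshd[2113]: Failed password for invalid user admin from 192.168.1.9 port 40001 ssh2
Mar 12 10:00:10 metasploitable3 sshd[2115]: Accepted password for vagrant from 192.168.1.5 port 51206 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a source that was guessing and then got in. Tune the threshold to the sshd MaxAuthTries in use, since one TCP connection can carry several attempts and several "Failed password" lines.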

 

References

http://www.hackingarticles.in/beginner-guide-ssl-tunneling-dynamic-tunneling/

http://www.hackingarticles.in/perform-local-ssh-tunneling/

https://en.wikipedia.org/wiki/Tunneling_protocol

https://en.wikipedia.org/wiki/SOCKS

https://en.wikipedia.org/wiki/Comparison_of_proxifiers

https://en.wikipedia.org/wiki/TUN/TAP

http://www.hackingarticles.in/perform-remote-tunneling/

http://linux.byexamples.com/archives/115/ssh-dynamic-tunneling/

https://ypereirareis.github.io/blog/2016/09/19/ssh-tunnel-local-remote-port-forwarding/

https://coderwall.com/p/pmf0tw/understand-local-remote-and-dynamic-ssh-tunneling

http://www.hackingarticles.in/time-scheduling-ssh-port/

http://www.hackingarticles.in/web-server-exploitation-ssh-log-poisoning-lfi/

http://www.hackingarticles.in/metasploitable-3-exploitation-using-brute-forcing-ssh/

http://www.hackingarticles.in/secure-port-using-port-knocking/

https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/

https://en.wikipedia.org/wiki/RealVNC

https://nmap.org/

http://resources.infosecinstitute.com/metasploitable-2-walkthrough/#gref

https://www.vulnhub.com/entry/metasploitable-2,29/

https://github.com/rapid7/metasploitable3

How to perform Time Scheduling on an SSH Port?

A network administrator can further secure the services running on a server by scheduling them. The SSH service can be scheduled too, so that it only runs during a set time window on the server. This adds another layer of security inside a network, although it is no substitute for key-based authentication: during the window the port is fully exposed.

To accomplish this we use the Linux utility cron, which runs a command or script automatically at a set time and date. Each scheduled task is called a cron job.

The following steps set up the schedule.

  • Open the terminal and start the SSH service:
    service ssh start
  • Make sure the SSH service is active and running:
    service ssh status
  • crontab is a standard utility on Linux. Edit the root user's table, since the service commands need root privileges:
    sudo crontab -e
  • crontab opens the table in the default editor, usually GNU nano.
  • Each crontab line has the form m h dom mon dow command. The following table shows the values each field can take.

    Field                   Values
    m   (minute)            0-59
    h   (hour)              0-23
    dom (day of month)      1-31
    mon (month)             1-12
    dow (day of week)       0-7 (0 or 7 is Sunday, 1 is Monday, and so on)
    command                 the command to run

  • For example, a task scheduled for Monday at 8:00 am is written as:
    0 8 * * 1 [command]
  • Back to our task of scheduling the SSH service with crontab. Suppose we want SSH to start three minutes after the job fires and stop four minutes after it fires. The first line looks like this:
    * * * * * sleep 180;/usr/sbin/service ssh start

    Note that 180 is in seconds: 3 minutes is 3*60=180 seconds.

  • Now the service has to stop four minutes after the job fires, that is 4*60=240 seconds:
    * * * * * sleep 240;/usr/sbin/service ssh stop
  • Be aware of what * * * * * means: both jobs fire every minute. Each minute cron launches one job that starts sshd 180 seconds later and another that stops it 240 seconds later, so after the first start at minute 3 the service is started and stopped again every minute, and the start and stop that land in the same second race each other. The result is not "3 minutes up, 4 minutes down". For a real on/off window use specific times, as in the 06:00/18:00 example below.
  • To check that the entries work, scan port 22, where SSH runs, to see whether it is open or closed. Nmap is one of the best tools for this:
    nmap -p 22 127.0.0.1
  • The scan should show the port as open while the service is up. Wait and repeat the command:
    nmap -p 22 127.0.0.1
  • This time the scan should show port 22 as closed, which means the schedule is taking effect.
  • Now a small modification to the schedule: say the service should start at 06:00 am and stop at 06:00 pm.
  • The following two lines open and close the service respectively:
    0 6 * * * /usr/sbin/service ssh start
    0 18 * * * /usr/sbin/service ssh stop
  • So scanning port 22 with Nmap on any day between 6 am and 6 pm should show it open; outside that window it should show closed.
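To see what a schedule actually does before putting it in root's crontab, the following added example (mine, not from the tutorial) implements a small five-field crontab matcher and simulates the sshd start/stop jobs minute by minute. The two schedules are the ones from the text; the date 2024-03-11 (a Monday) and the function names are my own. It goes slightly beyond the text by also handling lists, ranges and step values in crontab fields.

```python
from datetime import datetime, timedelta

def _field_matches(spec, value, low, high):
    """Match one crontab field against a value.
    Supports '*', 'n', 'a-b', lists 'a,b,c' and steps '*/n' or 'a-b/n'."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = low, high
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-"))
        else:
            lo = hi = int(rng)
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False

def cron_matches(expr, when):
    """True if the five-field expression 'm h dom mon dow' fires at `when`
    (to the minute). cron numbers the week 0-7 with both 0 and 7 = Sunday
    and 1 = Monday; Python's weekday() has Monday = 0."""
    m, h, dom, mon, dow = expr.split()
    cron_dow = (when.weekday() + 1) % 7
    dow_ok = _field_matches(dow, cron_dow, 0, 7) or (
        cron_dow == 0 and _field_matches(dow, 7, 0, 7))
    return (_field_matches(m, when.minute, 0, 59)
            and _field_matches(h, when.hour, 0, 23)
            and _field_matches(dom, when.day, 1, 31)
            and _field_matches(mon, when.month, 1, 12)
            and dow_ok)

def simulate(crontab, start, hours=24):
    """Walk `hours` of wall-clock time minute by minute and return the sshd
    state transitions as (time, 'start' | 'stop'). Each crontab entry is
    (expression, sleep_seconds, action), mirroring
    '<expr> sleep <n>;/usr/sbin/service ssh <action>'. Jobs landing in the
    same second are ordered alphabetically here; real cron races them."""
    fired = []
    for i in range(hours * 60):
        t = start + timedelta(minutes=i)
        for expr, delay, action in crontab:
            if cron_matches(expr, t):
                fired.append((t + timedelta(seconds=delay), action))
    fired.sort()
    state, transitions = None, []
    for when, action in fired:
        running = action == "start"
        if running != state:
            state = running
            transitions.append((when, action))
    return transitions

def ssh_open_at(transitions, when):
    """Port 22 state at `when` given the transitions (closed before the first)."""
    state = False
    for t, action in transitions:
        if t > when:
            break
        state = action == "start"
    return state

# The two schedules from the text.
EVERY_MINUTE = [("* * * * *", 180, "start"), ("* * * * *", 240, "stop")]
DAILY_WINDOW = [("0 6 * * *", 0, "start"), ("0 18 * * *", 0, "stop")]

if __name__ == "__main__":
    day = datetime(2024, 3, 11)
    print(simulate(DAILY_WINDOW, day))          # 06:00 start, 18:00 stop
    print(len(simulate(EVERY_MINUTE, day, 1)))  # dozens of flaps in one hour
```

Run it and the difference between the two schedules is obvious: the daily window produces exactly two transitions a day, while the every-minute entries produce a start and a stop almost every minute after the first three.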

 

Let’s get to know more about the Nmap security tool:

Network Mapper (Nmap) is one of the best security utilities for auditing and discovering a network and the hosts on it. Free and open source, it is very popular with network security professionals.

It can be used for many purposes, including:

  • Network inventory
  • Managing service upgrade schedules
  • Monitoring whether a host or server is up or down
  • Using raw IP packets to determine:
    • which hosts on the network are up and which are not;
    • which services those hosts offer, including application name and version;
    • which operating system the hosts run;
    • which firewalls or packet filters are in use.

Although it works best on large networks, it runs fine against a single host. It runs on many operating systems: Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, SunOS, Amiga, and more. Official binary packages are available for Linux, Windows, and Mac OS X.


How to Perform Remote SSH Tunneling?

What is Remote SSH Tunneling?

There are two basic ways to make an SSH tunnel: local and remote port forwarding (dynamic forwarding, covered later, builds on the same idea). Here we cover remote SSH tunneling. Imagine you work at a company with many internal websites that are reachable only from inside the company network, but you need to reach them from a remote machine outside. What is the solution?

A VPN into the company network would be the natural answer, but setting one up takes work that may not be possible right now. Creating a reverse (remote) SSH tunnel is the right choice in that case.

The command is run on the work machine and connects out to the remote machine, which we will call home. In this connection the work machine is the SSH client and the home machine is the SSH server. Why configure it from the work machine? Because outbound traffic is allowed from the office, while inbound traffic is blocked.

The following command does the job:
ssh -R 9001:intra-site.com:80 home (Executed from 'work')

Here -R selects remote port forwarding. Port 9001 is opened on the home machine, the SSH server. Any connection made to port 9001 on home is sent back through the tunnel to work, which then connects to the remote host intra-site.com on port 80. So requests to port 9001 on the home machine end up at the internal website.

On the home machine, typing http://localhost:9001 in the browser opens the internal website with no magic.

Note that the leg between work and the internal site is plain, unencrypted traffic; only the leg between the work machine and the home machine is encrypted by SSH. Also, by default sshd binds a remote forward to the loopback interface of home, so only local users of home can use port 9001 unless GatewayPorts is enabled in sshd_config.

How can remote HTTP tunneling be performed using SSH?

A remote SSH connection is established between a home machine and a work machine; the work machine can reach the internal office server and the websites on it, and through the remote tunnel those pages can be read on the home machine as well.

A remote forward can also expose a service on the client machine itself. If the forward maps port 8080 on the remote server to port 80 on localhost, anyone who can reach TCP port 8080 on the remote server is tunneled back to the client host, which then opens a TCP connection to port 80 on itself. Any other host name or IP address can be used in place of localhost to choose the host the client connects to.

Below, an HTTP connection is established between a remote PC and a client on a different network. Take the following five points as given before we start:

  1. There is an SSH server with two Ethernet interfaces.
  2. Its address on the first network is 192.168.0.116.
  3. The remote system, which is outside the second network, has the IP address 192.168.0.100.
  4. The server's second interface, 192.168.10.1, is connected to another local network where a system has the address 192.168.10.2.
  5. The Ubuntu client has the IP address 192.168.10.2.

The following steps establish the remote SSH tunnel:

  1. Open the terminal on the SSH server and show the network configuration:
    ifconfig
  2. It should show the server's two addresses:
    192.168.0.116 and 192.168.10.1
  3. Run the same command on the Ubuntu SSH client; it should show:
    192.168.10.2
  4. On the remote desktop, use the command prompt (cmd) to check its IP address; in our case it is:
    192.168.0.100
  5. Since we are tunneling HTTP, the service in question is the XAMPP web server on port 80 of the remote desktop's localhost.
  6. If the website is WordPress, it also runs on port 80.
  7. The SSH server can reach the website at:
    http://192.168.0.100/index.html
  8. That URL works from the SSH server because it is on the same network as the remote desktop; a device on a different network cannot use it.
  9. Verify this by trying http://192.168.0.100/index.html from the Ubuntu client, which is on the other network. The connection fails because the two machines are on different networks.
  10. Now use PuTTY on the remote desktop to connect it to the SSH server and set up the tunnel.
  11. Under “Host Name (or IP address)”, type 192.168.0.116.
  12. Under “Port”, type 22, and choose the connection type “SSH”.
  13. In the “Category” tree on the left, go to “Connection”, then “SSH”, then “Tunnels”.
  14. Under “Port forwarding”, tick “Remote ports do the same (SSH-2 only)” so that the forwarded port on the SSH server listens on all interfaces rather than only loopback (the “Local ports accept connections from other hosts” box applies to local forwards only). The server side must also allow this with GatewayPorts yes in sshd_config; otherwise sshd binds the port to 127.0.0.1 regardless of what PuTTY asks for.
  15. Next to “Source port”, type 7000.
  16. For “Destination”, type 127.0.0.1:80.
  17. Select “Remote”.
  18. Press “Add” to apply these settings.
  19. Finally, press “Open” and log in.
  20. The connection between the remote desktop and the Ubuntu client now happens in two stages: the remote desktop connects to the SSH server, and the SSH server relays any connection to its port 7000 back through the tunnel to the remote desktop.
  21. Browsing to http://192.168.0.116:7000/index.html from the Ubuntu client now opens the WordPress site: the SSH server, listening on port 7000, forwards the request through the tunnel to localhost:80 on the remote desktop.
  22. The task is done: the remote desktop and the Ubuntu client are connected.

 


 

How to perform Local SSH Tunneling?

How to secure an SSH connection?

What is Local SSH Tunneling?

In local SSH tunneling, a connection made to a port on the local machine is carried through the SSH channel and delivered to a host and port chosen at the remote end. A client application therefore connects to the local end of the channel, and the remote SSH server makes the onward connection to the final destination.

Let's take an example of local SSH tunneling and see how effective it can be. Suppose the company you work for deliberately blocks facebook.com, so with the regular Internet access an employee cannot reach the site. That restriction can be bypassed by creating an SSH tunnel.

If the machine inside the company is called “work”, let's call the remote machine “home”. Now work connects to home over SSH. Because home is going to act as the remote gateway for whatever service we want, it must have a public IP address, or otherwise be reachable from work. Run the following on the work machine to set up the tunnel:

ssh -L 9001:facebook.com:80 home
Here -L selects local port forwarding: the local port to listen on is 9001, the remote host is facebook.com, and the remote port is 80, which the home machine connects to. In general the syntax is:

-L <local-port-to-listen>:<remote-host>:<remote-port>
The SSH client on the work machine connects to the SSH server on the home machine, normally on port 22, and binds port 9001 on work to listen for local requests.

The work machine no longer connects to facebook.com itself; the home machine does, on port 80. Note that the leg from home to facebook.com is not encrypted by the tunnel.

Opening http://localhost:9001 in a browser on the work machine now goes through the home machine, which loads facebook.com. Seen this way, the home machine is simply a gateway between the work machine and facebook.com. The full general syntax is:

ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>

A port on the home computer itself can also be the target, instead of an external host:

ssh -L 5900:localhost:5900 home (Executed from ‘work’)
What does this do? It connects port 5900 on work to port 5900 on home, where a VNC server is listening, so a VNC client on work can connect to localhost:5900. Any kind of data can be carried this way; the tunnel is not limited to web browsing sessions.

By the same method an SSH session itself can be tunneled. This is useful when a machine (“banned”) cannot be reached directly from work: it can be reached through home with local port forwarding, and the data between work and banned is then encrypted end to end by the inner SSH session:

ssh -L 9001:banned:22 home
Then start an SSH session to port 9001 on localhost; it is tunneled to the banned computer via the home machine:

ssh -p 9001 localhost
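The listening half of these forwards is nothing more than a TCP relay, and it is the same relay whether the listener sits on the client (ssh -L, above) or on the server (ssh -R, in the previous section). The following added example (mine, not OpenSSH's code) implements that relay in Python. It leaves out the SSH channel: here the onward connection is made directly, where ssh would hand it to the gateway over the encrypted session. The echo server, the payload and the function names are constructed stand-ins for the far-end service; the default bind address is loopback, the same default ssh uses.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so
    the peer sees EOF too (the same thing ssh does per channel)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay(a, b):
    """Relay in both directions between two connected sockets, then close them."""
    threads = [threading.Thread(target=_pump, args=pair, daemon=True)
               for pair in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()

class LocalForwarder:
    """Listen on bind_addr:listen_port; for every accepted client, connect to
    target and relay. This is the listening half of
    `ssh -L listen_port:target_host:target_port gateway` minus the SSH
    channel. bind_addr defaults to loopback, as ssh does unless -g or
    GatewayPorts is set; binding 0.0.0.0 exposes the forward to every host
    that can reach this machine."""

    def __init__(self, listen_port, target_host, target_port, bind_addr="127.0.0.1"):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, listen_port))
        self.listener.listen(16)
        self.port = self.listener.getsockname()[1]   # resolved if listen_port was 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed
                return
            try:
                upstream = socket.create_connection(self.target, timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()       # target unreachable: drop this client, keep serving
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()

    def close(self):
        self.listener.close()

def start_echo_server():
    """Constructed stand-in for the far-end service (the web server or sshd
    the text forwards to): echoes one connection back, on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo(payload=b"through the tunnel"):
    """Send payload through the forwarder to the echo server and return what
    comes back; equal to payload if the relay works in both directions."""
    echo = start_echo_server()
    fwd = LocalForwarder(0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()

if __name__ == "__main__":
    print(demo())
```

The half-close in _pump is the detail that makes this correct for protocols like HTTP/1.0 or an SSH session over the tunnel: when one side finishes sending, the other side must see EOF without the reverse direction being torn down early.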

How can local SSH tunneling be performed?

A useful property of local SSH tunneling is that it can reach a machine that is not directly reachable from the Internet. Whereas dynamic tunneling uses a SOCKS proxy to tunnel all TCP traffic, local tunneling needs the address of the destination machine in advance.

Below we connect a remote PC to a local system on a different network. Take the following five points as given before we start:

  1. There is an SSH server with two Ethernet interfaces.
  2. Its address on the first network is 192.168.1.217.
  3. The remote machine's IP address is 192.168.1.219.
  4. The server's second interface, 192.168.10.1, is connected to the local network where the system 192.168.10.2 lives.
  5. The SSH client's IP address is 192.168.10.2.

 

The following steps establish the local SSH tunnel:

  1. Open the terminal on the SSH server and show the network configuration:
    ifconfig
  2. It should show the server's two addresses:
    192.168.1.217 and 192.168.10.1
  3. Run the same command on the SSH client; it should show:
    192.168.10.2
  4. When the remote PC (192.168.1.219) connects to the SSH server (192.168.1.217), it logs in successfully on port 22.
  5. However, when the same remote machine tries to connect to the SSH client (192.168.10.2), it gets a network error, because the two machines are on different networks.
  6. Now use PuTTY on the remote PC to set up the local tunnel.
  7. Connect to the SSH server at 192.168.1.217 on port 22.
  8. In the “Category” tree on the left, go to “Connection”, then “SSH”, then “Tunnels”.
  9. In “Source port”, type 7000, for instance.
  10. In “Destination”, type 192.168.10.2:22.
  11. Select “Local”, then press “Add”.
  12. When that is done, press “Open” and log in.
  13. The connection between the remote PC and the SSH server is now up, and PuTTY is listening on port 7000 of the remote PC.
  14. Open another PuTTY window.
  15. Under “Host Name (or IP address)”, type localhost.
  16. Under “Port”, type 7000, the port configured earlier.
  17. Connecting now reaches the SSH client with no network error: the SSH server opens the connection to 192.168.10.2:22 on the remote PC's behalf. Congratulations!

 


How to Perform Dynamic SSH Tunneling?

What is Dynamic SSH Tunneling?

Dynamic tunneling is one of the most effective SSH tunneling methods. With it, many different remote destinations can be reached through a single tunnel. How? SSH opens a SOCKS service on one local port, and any application that can speak SOCKS sends its traffic to that port. The client side thus gets a SOCKS proxy, and the application tells the proxy the destination of each connection, which is then made from the far end of the SSH tunnel. The following command is typed on the work machine:

ssh -D 9001 home (Executed from ‘work’)

Take the time to understand this command. -D selects dynamic tunneling: SSH creates a SOCKS proxy that listens for connections on port 9001 of the work machine. Every request sent to that proxy is carried through the encrypted SSH channel from work to home, and home connects onward to whatever destination the application asked for. To use it, configure the browser to use the SOCKS proxy at localhost, port 9001.

How does SOCKS relate to SSH tunnels?

SOCKS5 by itself does not secure anything: it is the proxy protocol the application speaks to the local listener, while SSH provides the encrypted connection between the two machines. So what is the difference between a plain SSH forward and SOCKS here? A local or remote SSH forward has to name a specific remote host and port in advance. With SOCKS, an entire application can be run through the local SOCKS proxy and choose its own destination for each connection, with no fixed remote host or port, which gives the user considerably more freedom.

What if an application does not support SOCKS at all? The answer is a proxifier: a program that lets any other program connect through a proxy server even when that program has no proxy support itself. It does this by intercepting the program's network requests and redirecting them to the local SOCKS proxy. Some proxifiers, such as ProxyCap, support SSH directly, so no separate SSH client is needed.
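What the browser and the ssh -D listener actually exchange is the SOCKS5 handshake described in the earlier "Understand what SOCKS and SOCKS5 are" section and used by the dynamic tunnel above. The following added example (mine, not code from the tutorial, OpenSSH or PuTTY) builds and parses both sides' messages: the method negotiation, where a SOCKS5 proxy can insist on authentication, and the CONNECT request, which is how the application names its destination per connection. It runs entirely in-process with constructed messages; the host names, the reply's bound address 127.0.0.1:7000 and the function names are assumptions for the example.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00

def client_greeting(methods=(NO_AUTH,)):
    """VER | NMETHODS | METHODS: what the browser sends first to the listener."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def server_choose_method(greeting, allowed=(NO_AUTH,)):
    """Parse the greeting; return (method, reply). `allowed` is the server's
    policy in preference order; 0xFF means no acceptable method and the
    client must close. A SOCKS5 proxy that requires a login puts USERPASS
    here and nothing else."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = greeting[1]
    offered = greeting[2:2 + n]
    if len(offered) != n:
        raise ValueError("truncated method list")
    for method in allowed:
        if method in offered:
            return method, bytes([SOCKS_VERSION, method])
    return NO_ACCEPTABLE, bytes([SOCKS_VERSION, NO_ACCEPTABLE])

def client_connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Domain names are sent as
    is (ATYP 3), so DNS resolution happens at the far end of the tunnel."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name length must be 1..255")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def server_parse_request(req):
    """Return (cmd, host, port), rejecting anything malformed before the
    proxy acts on it."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        if len(req) < 5 + n:
            raise ValueError("truncated domain name")
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]

def server_reply(rep, bind_host, bind_port):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT, sent after the CONNECT."""
    ip = ipaddress.ip_address(bind_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bind_port)

def simulate_handshake(host, port, client_methods=(NO_AUTH,), server_allowed=(NO_AUTH,)):
    """Run both sides in-process (no sockets) and return what the proxy
    would connect to: (method, cmd, dst_host, dst_port, reply_bytes)."""
    method, _ = server_choose_method(client_greeting(client_methods), server_allowed)
    if method == NO_ACCEPTABLE:
        return method, None, None, None, None
    cmd, dst_host, dst_port = server_parse_request(client_connect_request(host, port))
    # The bound address and port in the reply are hypothetical values for the example.
    return method, cmd, dst_host, dst_port, server_reply(REP_SUCCEEDED, "127.0.0.1", 7000)

if __name__ == "__main__":
    print(simulate_handshake("intra-site.com", 80))
    print(simulate_handshake("192.168.10.2", 22, server_allowed=(USERPASS,)))
```

Two things to take from it: the ssh -D listener negotiates "no authentication", which is why it must stay bound to loopback, and a domain name travels inside the request unresolved, so with the browser set to proxy DNS the names you visit never hit the local resolver.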

How can dynamic SSH Tunneling be performed? 

SSH Tunneling

Throughout the following lines, we will walk through the methodology to establish a connection between a remote machine and another local system residing on a different network. Let’s take the following five points for granted before we get to start essentially:

  1. There is an SSH server which is two Ethernet interface.
  2. The local IP address is 192.168.1.22
  3. While the IP address of the remote system is 192.168.1.21, residing outside of the network in the first place.
  4. The IP address of 192.168.10.2 is connected to another local network system of IP address of 192.168.10.2
  5. The SSH client has the following IP address: 192.168.1.21

 

The following steps are to get followed for the sake of establishing the Remote SSH tunneling. A remote machine having an IP address of 192.168.1.21 attempts to get connected to a local machine at work network of IP address 192.168.10.2. Such attempt gets denied due to the fact that there is a firewall block occurring against such incoming traffic. In order for a remote machine to get connected to a local machine inside a network, the remote machine will connect to an SSH server inside the network, which will forward the connection to an SSH client which is local inside the network. It is important in the first place that both the SSH client and SSH server have their SSH service activated on them.

  1. Open the terminal and type the following command to get the network configuration:
    ifconfig
  2. The configuration of the SSH server should now show two IP addresses:
    192.168.1.22 and 192.168.0.1
  3. The same command on the SSH client on Ubuntu should show the following IP address:
    192.168.10.2
  4. When the remote PC with IP address 192.168.1.21 connects to the SSH server with IP address 192.168.1.22, it logs in to the server successfully through port 22.
  5. However, if the same remote machine (192.168.1.21) tries to connect to the SSH client (192.168.10.2), a network error appears, since the two machines belong to different networks.
  6. Let’s use PuTTY to establish the SSH tunnel.
  7. Connect to the SSH server with IP address 192.168.1.22 through port 22.
  8. Navigate to the left “Category” column, choose “SSH”, and under it click “Tunnel”.
  9. Then, inside “Source port”, type 7000 for instance.
  10. Click “Dynamic”, then press “Add”.
  11. When that is done, press “Open”.
  12. The connection between the remote PC and the SSH server should now be up.
  13. Open PuTTY again, or just open a new window of it.
  14. Under “Host Name (or IP address)” type “192.168.10.2”.
  15. Under “Port” type “22” for the SSH service.
  16. Press “Open”.
  17. Go back to the previously used PuTTY window.
  18. Navigate to the left “Category” column, choose “Connection”, and under it click “Proxy”.
  19. Then, inside “Proxy type”, select “SOCKS5”.
  20. Under “Host Name (or IP address)” type “127.0.0.1”.
  21. Under “Port” type “7000”, the port configured earlier.
  22. Now press “Open”.
  23. Connecting to the SSH client now succeeds with no network error. Port 7000 is the port used in this method. Congratulations!!

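What the second PuTTY window (and, for programs without SOCKS support, a proxifier such as Proxycap) actually does on the wire when pointed at the SOCKS5 listener on 127.0.0.1:7000, as an added Python example that is not code from the page or from PuTTY: it builds the SOCKS5 greeting and CONNECT request for 192.168.10.2:22, reads the proxy’s reply, and treats anything but a success code as a failed tunnel. The only assumptions are the page’s own addresses and port.

```python
import ipaddress
import struct

SOCKS5, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00

def greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[no-auth]; the SSH login that created the
    # loopback listener is the real authentication, so no SOCKS credentials
    return bytes([SOCKS5, 1, NO_AUTH])

def connect_request(host: str, port: int) -> bytes:
    # VER CMD RSV ATYP DST.ADDR DST.PORT; ATYP 1=IPv4, 3=hostname, 4=IPv6
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([1 if ip.version == 4 else 4]) + ip.packed
    except ValueError:  # hostname: resolved by the SSH server, not locally
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks_connect(sock, dest_host: str, dest_port: int):
    """Negotiate CONNECT on an open socket to the proxy (127.0.0.1:7000 above); on
    success the same socket is a byte pipe to dest_host:dest_port inside the SSH session."""
    sock.sendall(greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS5 or method != NO_AUTH:
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(connect_request(dest_host, dest_port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS5:
        raise ConnectionError("not a SOCKS5 reply")
    if atyp in (1, 4):  # fixed-length BND.ADDR
        bound_len = 4 if atyp == 1 else 16
    elif atyp == 3:  # length-prefixed hostname
        bound_len = _recv_exact(sock, 1)[0]
    else:
        raise ConnectionError("bad ATYP in reply")
    _recv_exact(sock, bound_len + 2)  # BND.ADDR + BND.PORT, not needed here
    if rep != 0:  # 0 = succeeded; e.g. 5 = connection refused by the far end
        raise ConnectionError(f"CONNECT refused, reply code {rep}")
    return sock
```

Against the live lab, `socks_connect(socket.create_connection(("127.0.0.1", 7000)), "192.168.10.2", 22)` performs the same exchange PuTTY does in steps 18 to 22, and the first `recv` on the returned socket is the SSH banner of 192.168.10.2.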
 


How to secure an SSH connection?

Quick Background about SSH:


SSH is a cryptographic network protocol. It operates at the application layer of the Internet protocol suite. What is it for? It is mainly used for operating services securely over an unsecured network; for example, users can access computer systems remotely through it.

The SSH protocol uses a client-server architecture: an SSH client connects to an SSH server. While the most common use is command-line login and remote command execution, SSH can secure any network service by tunneling it. Two major versions of the protocol exist: SSH-1 and SSH-2.

Quick Background about PuTTY:


The name PuTTY has no official meaning. It is free and open-source software: a terminal emulator, serial console, and network file transfer application. It supports several network protocols, including Secure Copy (SCP), Secure Shell (SSH), Telnet, Rlogin, and raw socket connections. PuTTY can also connect to a serial port.

Netcat


Reading from and writing to a network connection over protocols such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) is a valuable capability for both a security administrator and an attacker, although each uses the data obtained for an entirely different purpose.

Netcat provides an efficient means of investigating a network from the back-end (server) side and of establishing new connections inside networks using the protocols mentioned above. It can be run on its own or driven by scripts and other programs.

Kali Linux


Kali Linux is one of the most important security tools to understand and to work with well. Let’s discuss its benefits in a nutshell.

⦁ Penetration testers and digital forensics practitioners consider it an essential tool for their purposes.
⦁ It provides its user with a variety of tools and functions, grouped into thirteen categories:
  ⦁ Information Gathering, such as Dmitry
  ⦁ Vulnerability Analysis, such as Inguma
  ⦁ Exploitation Tools, such as the Metasploit Framework
  ⦁ Wireless Attacks, such as WIFI Honey
  ⦁ Forensics, such as Binwalk
  ⦁ Web Applications, such as Skipfish
  ⦁ Stress Testing, such as FunkLoad
  ⦁ Sniffing and Spoofing, such as Wireshark
  ⦁ Password Attacks, such as TrueCrack
  ⦁ Maintaining Access, such as Intersect
  ⦁ Hardware Hacking, for which dex2jar can be used, for instance
  ⦁ Reverse Engineering, for which Apktool, for example, can be used
  ⦁ Reporting Tools, such as MagicTree

How to setup an SSH server using port forwarding? 


  1. Open the terminal and type the following command to install an SSH server:
    sudo apt-get install openssh-server
  2. Start the SSH service with the following command:
    service ssh start
  3. Confirm that it is running with the following command:
    service ssh status
  4. Now use Nmap in Kali Linux’s terminal to scan the server with the following command:
    nmap -sV 192.168.1.17
  5. The scan should show port 22 as an open port. Now use PuTTY to connect to that port: type the IP address under “Host Name”, set the port number to 22, select SSH as the connection type, and click “Open”.
  6. Type the password and press “Enter” when done.

How can one secure an SSH connection?


  1. First, configure its service.
  2. Let’s try port forwarding now. Open the file named “sshd_config”, which resides in /etc/ssh (computer > etc > ssh in the file manager).
  3. Edit the line for port 22 and change it to 2222. This is done to forward the SSH service from port 22 to port 2222.
  4. Nmap should confirm the forwarding:
    nmap -sV 192.168.1.17
  5. An alternative check uses Telnet with the following command. It shows whether the port is open and what kind of connection it is listening for.
    telnet 192.168.1.17 2222
  6. Netcat can also be used for this check with the following command, which likewise shows the service currently running on port 2222.
    nc 192.168.1.17 2222

How to set SSH Connection using PGP Keys?


  1. First, download and install the PuTTY Key Generator (PuTTYgen).
  2. Open it and click “Generate”.
  3. A public key and a private key are generated. Save the private key for later use; this is important. The file containing it can be given any name you like.
  4. Now open the Linux terminal and type the following command:
    ssh-keygen
  5. The previous command creates a folder called “.ssh”. Inside it, create a text file named “authorized_keys”.
  6. Copy the file named “ssh login key.ppk” into the same folder.
  7. In the terminal, change into the .ssh folder and run the following command:
    puttygen -L "ssh login key.ppk"
  8. This outputs a key. Copy that key into the empty authorized_keys file created earlier.
  9. In the PuTTY configuration, enter an auto-login username under the Data section.
  10. The path to the SSH login key (the private key) can be changed under SSH > Auth.
  11. Type both the IP address and port number 2222 in their respective places under the Session tab.
  12. Now click “Open”, type the password, and press “Enter”.
  13. Disabling the password entirely improves security: it stops us from being vulnerable to password-guessing attacks. Open “sshd_config” in /etc/ssh (computer > etc > ssh) to disable it.
  14. Inside this file, change PasswordAuthentication from yes to no. It is set to yes by default and the line is commented out, so uncommenting the line is also important in this step.

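A way to check the two sshd_config edits above (the port moved to 2222, and the PasswordAuthentication line in steps 13 and 14) instead of trusting them, as an added Python audit that is not code from the page or from OpenSSH: it reads the file text the way sshd does, skipping commented lines, so a line that was edited but left commented still counts as the default. Port and PasswordAuthentication are real sshd directives; the two sample configs are constructed.

```python
import re

# sshd's built-in defaults, in force whenever a directive is absent or commented out
DEFAULTS = {"port": ["22"], "passwordauthentication": "yes"}

def effective_settings(config_text: str) -> dict:
    """Return the effective listening ports and PasswordAuthentication value.
    Commented lines are skipped exactly as sshd skips them, so '#PasswordAuthentication no'
    leaves the default 'yes' in force. Match blocks are not modelled."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.+)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        found.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    ports = found.get("port", DEFAULTS["port"])  # Port may legitimately appear several times
    pw = found.get("passwordauthentication", [DEFAULTS["passwordauthentication"]])[0]
    return {"ports": ports, "passwordauthentication": pw.lower()}  # sshd keeps the first value

def audit(config_text: str) -> list:
    """Return the hardening steps still missing; an empty list means both were applied."""
    eff = effective_settings(config_text)
    findings = []
    if "22" in eff["ports"]:
        findings.append("sshd still listens on port 22: change 'Port 22' to 'Port 2222'")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is still yes: uncomment the line and set it to no")
    return findings

# Constructed sample files (not from the page): the first has step 14 done only
# half-way, the line was edited but left commented out; the second is correct.
HALF_DONE = """\
#Port 22
Port 2222
#PasswordAuthentication no
"""
HARDENED = """\
Port 2222
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("half done", HALF_DONE), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

Run it on the real file with `audit(open("/etc/ssh/sshd_config").read())`; note that sshd only picks up the edits after `service ssh restart`, so the Nmap check above shows port 2222 only after the restart.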