@int0x80
Created January 7, 2021 00:59

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

This post explains it well and details the safer ssh -J alternative.

@wvu

wvu commented Jan 7, 2021


👋 ❤️

Adding to this, ssh-add(1) can be used to list/manage identities. :)

root@[redacted]:~# SSH_AUTH_SOCK="/tmp/ssh-[redacted]/agent.[redacted]" ssh-add -l
256 SHA256:[redacted] [redacted].key (ED25519)
root@[redacted]:~#

The above example lists the fingerprints and private key filenames for a particular agent.

This technique works on both local and forwarded agents!

@int0x80

int0x80 commented Jan 7, 2021

Author

Fantastic recon technique! Thank you for the additional knowledge @wvu-r7 ❤️

@wvu

wvu commented Jan 7, 2021


Likewise! Thank you for sharing.

@0xdade

0xdade commented Jan 7, 2021


Slightly tangential, but related to abusing ssh configurations for lateral movement:

Look for ControlMaster auto and ControlPath in ssh config files. You can use the ControlPath to find control sockets that are currently open to remote servers, then ssh to that same remote server, usually without having to reauthenticate or go through 2FA.

The downside to this is that you're multiplexed using the first connection, so if the first connection gets terminated then your connection also goes down. So maybe have something handy to be ready to drop backup keys (~/.ssh/authorized_keys2 is often still a valid keys file and not usually clobbered by host configuration tools like chef/puppet/salt/etc) or otherwise establish persistence once you ride along.
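As an added example (not the gist's or any commenter's code), a small Python audit helper a defender can run on a host to spot the conditions this thread describes: ForwardAgent yes and ControlMaster/ControlPath in ssh_config files, plus live agent sockets under /tmp that a root user could reuse. The sample config and the RISKY table are constructed for the demonstration.

```python
"""Added audit example (not from the gist): flag ssh_config settings and agent sockets the thread describes."""
import glob
import os
import re
import stat

RISKY = {  # directive -> predicate marking a value worth reviewing (constructed table)
    "forwardagent": lambda v: v.lower() == "yes",
    "controlmaster": lambda v: v.lower() in ("yes", "auto", "autoask"),
    "controlpath": lambda v: v.lower() != "none",
}

def parse_ssh_config(text):
    """Return (host_pattern, keyword, value) triples; directives before the
    first Host/Match line apply to every host ('*')."""
    host, out = "*", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"(\w+)\s*=?\s*(.+)", line)     # 'Key value' or 'Key=value'
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            host = val
        else:
            out.append((host, key, val))
    return out

def risky_directives(text):
    # Keep only directives that expose the agent or allow connection reuse
    return [(h, k, v) for h, k, v in parse_ssh_config(text) if k in RISKY and RISKY[k](v)]

def find_agent_sockets(tmpdir="/tmp"):
    """(path, owner uid) for every agent socket under tmpdir/ssh-*/agent.*."""
    paths = glob.glob(os.path.join(tmpdir, "ssh-*", "agent.*"))
    return [(p, os.lstat(p).st_uid) for p in paths if stat.S_ISSOCK(os.lstat(p).st_mode)]

SAMPLE_CONFIG = """Host *            # constructed sample ~/.ssh/config
    ForwardAgent yes
Host bastion
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
"""

if __name__ == "__main__":
    for host, key, val in risky_directives(SAMPLE_CONFIG):
        print(f"[review] Host {host}: {key} {val}")
    for path, uid in find_agent_sockets():
        print(f"[socket] {path} owned by uid {uid}")
```

Point the parser at /etc/ssh/ssh_config and each user's ~/.ssh/config to cover both locations mentioned in the thread.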

@wvu

wvu commented Jan 7, 2021


That's also a great one, @0xdade! Thanks for the share. I guess while we're at it, haha...

Kerberos authentication can also be leveraged for lateral movement, often with SSH. The KRB5CCNAME environment variable can be set to the path of a user's credentials (ticket) cache, usually in /tmp. klist(1) can be used to view the cache.

@int0x80

int0x80 commented Jan 7, 2021

Author

@0xdade great add! I may have run into those in a former life 😉 Sometimes I have to remember to check /etc/ssh/ssh_config in addition to the home directory ~/.ssh/config files.

@wvu-r7 holy smokes, TIL! Can't wait to hit a Windows machine with this.

@wvu

wvu commented Jan 7, 2021


Both ssh -L and -R can forward Unix sockets, too. Might be useful when performing SSH gymnastics.

@dandare100


Thank you, this is cool stuff.
There are quite a few operations defined in the agent-forwarding spec.

A particularly interesting one is using the agent to perform private key signing operations, without having access to the key itself.

Here is a simple POC that shows this in action:

https://github.com/dandare100/agentstub

@wvu

wvu commented Jan 7, 2021


Wish I could react to gist comments. Thanks for the contribution!

@int0x80

int0x80 commented Jan 9, 2021

Author

@dandare100 TIL! Thank you for sharing that.

@dandare100


cool runnings
