Guide for basic SSH usage and SSH Port Forwarding.
- Basic SSH
- SSH Port Forwarding
Basic SSH
ssh USER@HOST_IP -p 2222
-p specifies the port (22 is the default)
ssh -i PRIVATE_KEY USER@HOST_IP
-i specifies the private key file used to authenticate
Copy a local file to the remote host:
scp local_file.txt USER@HOST_IP:/tmp/remote_file.txt
Copy a remote file to the local machine:
scp USER@HOST_IP:/tmp/remote_file.txt local_file.txt
Connect to a legacy server by re-enabling an old key exchange algorithm on the client and selecting a cipher the server supports:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-ctr USER@HOST_IP
Check Authentication Methods
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" <target>
Check Supported Algorithms
nmap -p 22 --script ssh2-enum-algos <target>
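As an added example (not part of the original guide), a small Python helper that parses the output of the ssh2-enum-algos scan above and flags the legacy algorithms a server still offers, such as the diffie-hellman-group1-sha1 key exchange that the -oKexAlgorithms=+... client flag re-enables. The nmap output it runs on is a constructed sample, not a real scan.

```python
import re
# Constructed sample of `nmap -p 22 --script ssh2-enum-algos` output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1
|_      hmac-md5
"""

# Legacy choices to flag: SHA-1 key exchange (incl. the group1 exchange the client-side
# -oKexAlgorithms=+... flag re-enables), DSA / SHA-1-signed RSA host keys, CBC/RC4/3DES, MD5/SHA-1 MACs.
WEAK = {
    "kex_algorithms": re.compile(r"-sha1$|^diffie-hellman-group1-"),
    "server_host_key_algorithms": re.compile(r"^ssh-(dss|rsa)$"),
    "encryption_algorithms": re.compile(r"-cbc$|^arcfour|^3des"),
    "mac_algorithms": re.compile(r"^hmac-(md5|sha1)(-96)?$"),
}

def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} parsed from ssh2-enum-algos script output."""
    algos, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):          # only NSE script lines carry the '|' margin
            continue
        body = line.lstrip("|_ ").rstrip()    # drop nmap's '|' / '|_' prefix
        if header := re.match(r"^(\w+_algorithms):", body):
            current = header.group(1)
            algos[current] = []
        elif current and body:                # an algorithm listed under the current header
            algos[current].append(body)
    return algos

def weak_algorithms(algos):
    """Map each category to the legacy algorithms the server still offers."""
    return {cat: [a for a in names if WEAK[cat].search(a)]
            for cat, names in algos.items() if cat in WEAK}
```

Feed it the saved output of a real scan to get a per-category list of what to disable in sshd_config before the server is exposed.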
Check Supported SSH Versions
nmap -p 22 -sV -sC <target>
Retrieve Host Key
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=all <target>
SSH Port Forwarding
Local Port Forward
Let's say a remote host has an application listening on localhost:3000 and you want to connect to it from your local computer. Perhaps it's a database listening on localhost and you don't want it exposed to the network/internet.
Using a Local Port Forward we can set up a listener on our local computer; connections to that listener travel through the SSH tunnel to the listener on the remote host.
Here is the command that will allow us to do that:
ssh -L 1337:localhost:3000 USER@REMOTE_HOST_IP
This command will set up a listener on your local machine on localhost:1337. Connecting to it is the same as connecting to localhost:3000 on the remote host (the localhost in the -L argument is resolved by the remote host, not by your machine).
Remote Port Forward
Let's say you have an application listening on localhost:9595 on your local computer and your friend wants to connect to it. However, both your and your friend's home networks are behind CGNAT, so you can't connect to each other directly or set up normal router port forwards.
With an additional internet-facing server (a VPS such as an EC2 instance), you can do the following:
On your computer:
ssh -R 9000:localhost:9595 USER@REMOTE_HOST_IP
This command will set up a listener on the remote host on localhost:9000. Connecting to localhost:9000 on the remote host is the same as connecting to localhost:9595 on your local machine.
This situation is now the same as a Local Port Forward: the remote host is listening on localhost:9000, so your friend can create a new listener on their computer using a Local Port Forward.
On your friend's computer:
ssh -L 1337:localhost:9000 USER@REMOTE_HOST_IP
For the above example we had to do two port forwards, which isn't ideal in some cases. Ideally we would like to set up the listener on a specific interface or on 0.0.0.0. However, when we do an SSH Port Forward, the default listener is on 127.0.0.1. To change this and allow a Remote Port Forward to listen on all interfaces, we need to enable the GatewayPorts option on the SSH server and restart it. (For a Local Port Forward the bind address is controlled on the client side instead: pass -g, or give an explicit bind address such as -L 0.0.0.0:1337:localhost:9000.) Keep in mind that a forwarded port bound to 0.0.0.0 is reachable by anyone who can reach that interface, so prefer a specific bind address or a firewall rule where the service should not be public.
Dynamic Port Forward
When setting up a dynamic SSH port forward, a SOCKS server is created whose traffic is carried inside the SSH tunnel. This allows arbitrary TCP connections to be proxied through the target server.
For example, if you were on a network and needed to access resources that were only reachable through a jump host, you could use a dynamic SSH port forward to access them. After setting up the port forward with the command below, a SOCKS proxy server will listen on port 1080 (the default SOCKS port) on the local computer. Arbitrary programs can now use the SOCKS proxy to access the restricted resources, as the connections will originate from the jump host (which is allowed to communicate with said resources).
ssh -D 1080 USER@REMOTE_HOST_IP