Guide for basic SSH usage and SSH Port Forwarding.
Basic SSH
Connect to Host
1
ssh USER@HOST_IP -p 2222
-pto specify the port (22 is default)
Connect to Host with Private Key
1
ssh -i PRIVATE_KEY USER@HOST_IP
Copy Files to Host
1
scp local_file.txt USER@HOST_IP:/tmp/remote_file.txt
Copy Files from Host
1
scp USER@HOST_IP:/tmp/remote_file.txt local_file.txt
Connect to Host with Certain KeyExchange & Cipher
1
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-ctr USER@HOST_IP
SSH Algorithms
Run the below commands to get the supported Cipher, MAC, & Key Exchange algorithms respectively:
1
2
3
ssh -Q cipher
ssh -Q mac
ssh -Q kex
Nmap Scanning
Check Authentication Methods
1
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" <target>
Check Supported Encryption Algorithms
1
nmap -p 22 --script ssh2-enum-algos <target>
Check Supported SSH Versions
1
nmap -p 22 -sV -sC <target>
Retrieve Host Key
1
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=all <target>
SSH Port Forwarding
Local SSH Port Forward
Let’s say a remote host has an application listening on localhost:3000 and you want to connect to it from your local computer. Perhaps it’s a database listening on localhost and you don’t want it exposed to the network/internet.
Using a Local Port Forward we can setup a listener on our local computer, which when we connect to will go through the SSH tunnel to the listener on the remote host.
Here is the command that will allow us to do that:
1
ssh -L 1337:localhost:3000 USER@REMOTE_HOST_IP
This command will setup a listener on your local machine on localhost:1337. Connecting to this will be the same as if you connected to localhost:3000 on the remote host.
Remote SSH Port Forward
Let’s say you have an application listening on localhost:9595 on your local computer and your friend wants to connect to your application. However, both you and your friend home networks are behind CGNAT so you can’t directly connect to each other or setup normal router port forwards.
With an additional internet facing server (VPS such as an EC2 instance), you can do the following:
On your computer:
1
ssh -R 9000:localhost:9595 USER@REMOTE_HOST_IP
This command will setup a listener on the remote host on localhost:9000. Connecting to the remote host on localhost:9000 will be the same as if you connected to localhost:9595 on your local machine.
This situation is now the same as a Local Port Forward. The remote host is now listening on localhost:9000. Your friend can now create a new listener on their computer using a Local Port Forward.
On your friends computer:
1
ssh -L 1337:localhost:9000 USER@REMOTE_HOST_IP
Gateway Ports
For the above example we had todo two port forwards, this isn’t ideal is some cases. Ideally we would like to setup a listen on a specific interface or on 0.0.0.0. However, when we do an SSH Port Forward, the default listener is on 127.0.0.1. To change this and allow it to listen on all interfaces, we need to enabled the GatewayPorts options on the SSH Server and restart it.
Dynamic SSH Port Forward
When setting up a dynamic SSH port forward, a SOCKS server is created that is enclosed by an SSH tunnel. This allows arbitrary TCP connections to be proxies through the target server.
For example, if you were in on network and needed to access resources that were only accessible through a jump host, you could use a dynamic SSH port forward to access them. After setting up the port forward with the below command, a SOCKS proxy server will be listen on port 1080 (the default SOCKS port) on the local computer. Arbitrary programs can now use the SOCKS proxy to access the restricted resources as the connections will be coming from the jump host (which is allowed to communicate with said resources).
1
ssh -D 1080 USER@REMOTE_HOST_IP
A SOCKS proxy can also be setup through an RDP connection using the SocksOverRDP tool from NCC Group. This version of the RDP client may need to be used for the latest version of RDP