Linux
SSH Hijacking with ControlMaster
ControlMaster allows multiple SSH sessions to share a single network connection. It is enabled by having a "~/.ssh/config" file:
This stores the socket file as <user>@<host>:<port> in ~/.ssh/cm. ControlPersist declares how long this file should exist after the last connection is closed. When a victim SSHs into a target, this file will be created and we can use it to piggyback into the target as well:
This technique only allows SSH access to the specific servers we have socket files for.
SSH Hijacking with SSH Agent Forwarding
In this scenario a user connects to a target server via an intermediate server that forwards the connection. The attacker is on the intermediate server. This requires "ForwardAgent yes" in the user's SSH config and "AllowAgentForwarding yes" in sshd_config. The compromised user needs to have an active connection to the intermediate server at the time of exploitation.
This technique allows SSH access to any server the user's "cached keys" have access to.
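Both techniques above depend on a handful of client and server settings, so a defender's first check is a config audit. The following script is an added example, not part of the original page: it reads an ssh_config for ControlMaster, ControlPersist and ForwardAgent, reads an sshd_config for AllowAgentForwarding (sshd defaults it to yes when absent), and lists lingering multiplex sockets in a ControlPath directory. It assumes the whitespace-separated "Key value" syntax and does not evaluate Match blocks; the sample configs it writes are constructed to mirror the setup described above.

```shell
#!/usr/bin/env bash
# Added audit example (not from the original page). Flags the client and server settings
# the SSH hijacking notes rely on: ControlMaster/ControlPersist (lingering multiplex
# sockets) and ForwardAgent/AllowAgentForwarding (agent reachable on the intermediate host).
# Assumption: configs use the "Key value" form; Match blocks are not evaluated.

# Print the value of the first non-comment occurrence of a directive (keys are case-insensitive).
directive_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      '$1 !~ /^#/ && tolower($1) == key { print tolower($2); exit }' "$1"
}

# Client side (~/.ssh/config or /etc/ssh/ssh_config): one finding per line, status 1 if any.
audit_ssh_client_config() {
  local cfg="$1" found=0 v
  v=$(directive_value "$cfg" ControlMaster)
  [ -n "$v" ] && [ "$v" != "no" ] && { echo "ControlMaster $v: sessions are multiplexed over a reusable socket"; found=1; }
  v=$(directive_value "$cfg" ControlPersist)
  # "yes" and "0" keep the master alive indefinitely; any time value keeps it after the last session.
  [ -n "$v" ] && [ "$v" != "no" ] && { echo "ControlPersist $v: master socket outlives the session"; found=1; }
  v=$(directive_value "$cfg" ForwardAgent)
  [ "$v" = "yes" ] && { echo "ForwardAgent yes: agent reachable from the remote host"; found=1; }
  return "$found"
}

# Server side (sshd_config): sshd defaults AllowAgentForwarding to yes when it is absent.
audit_sshd_config() {
  local v; v=$(directive_value "$1" AllowAgentForwarding)
  if [ -z "$v" ] || [ "$v" = "yes" ]; then
    echo "AllowAgentForwarding ${v:-unset (default yes)}: agent sockets can be forwarded through this host"
    return 1
  fi
  return 0
}

# Live multiplex sockets in a ControlPath directory (the notes above store them under ~/.ssh/cm).
list_control_sockets() { [ -d "$1" ] && find "$1" -type s; return 0; }

# Constructed sample configs mirroring the setup described above, plus a hardened sshd_config.
make_sample_configs() {
  printf 'Host *\n    ControlMaster auto\n    ControlPath ~/.ssh/cm/%%r@%%h:%%p\n    ControlPersist 10m\n    ForwardAgent yes\n' > "$1/ssh_config"
  printf '# AllowAgentForwarding left unset\nPermitRootLogin no\n' > "$1/sshd_config"
  printf 'AllowAgentForwarding no\nPermitRootLogin no\n' > "$1/sshd_config.hardened"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_sample_configs "$d"
  audit_ssh_client_config "$d/ssh_config"; audit_sshd_config "$d/sshd_config"
  list_control_sockets "$HOME/.ssh/cm"; rm -r "$d"
fi
```

Run with "--demo" to see the findings on the constructed samples; point the audit functions at the real files and the sockets function at the actual ControlPath directory to check a host.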
Kerberos
Setup on Linux Attacker Box
Add target box to /etc/hosts and install:
/etc/krb5.conf
General
All (or nearly all?) impacket tools support the "-k" parameter and can use Kerberos, e.g. "GetUserSPNs.py", "GetADUsers.py", "getST.py".
Ldapsearch
Ldapsearch using Kerberos authentication:
CCACHE
Check /tmp for krb5* files. We can use these directly if we can access them, after making a copy and changing ownership to our user:
Keytab
Keytab files are, roughly, stored Kerberos principal names and keys for use by scripts. Create via:
Use via: