Download HD Download MP4

SSH Remote Forwarding: Relay local apache server through tunnel

# install apache server
darren@dk10$ sudo apt-get install apache2
# browse to http://localhost
# Relay port 8080 on remote host to 80 on local host
darren@dk10$ ssh -R 8080:localhost:80 aardwolf@relay.wifipineapple.com
# browse to http://relay.wifipineapple.com:8080

SSH Local Forward: Relay remote VNC server through tunnel

# install vnc client
darren@dk10$ sudo apt-get install vncviewer
# vnc to server without SSH (bad idea)
darren@dk10$ vncviewer rrs5204q6n.hak5.org:1
# setup SSH local forward
darren@dk10$ ssh -L 5901:localhost:5901 aardwolf@rrs5204q6n.hak5.org
# vnc to server through ssh tunnel
darren@dk10$ vncviewer localhost:1

Maintaining Persistent SSH tunnels in Linux

AutoSSH is a simple and effective utility for monitoring and maintaining persistent SSH connections, restarting the session as necessary. It can be downloaded from http://www.harding.motd.ca/autossh/ and is available for most *nix platforms. On Ubuntu:

# Install autossh
darren@dk10$ sudo apt-get install -y autossh
# The autossh -M option specifies which port to monitor the connection from
# The -N option is a regular openssh parameter which is passed from autossh to ssh, specifying that there is no remote command to execute.
# The & tells the shell, bash in our example, to run the command in the background.
darren@dk10$ autossh -M 20000 -N aardwolf@relay.wifipineapple.com &
# To find the process ID where autossh is running
darren@dk10$ pidof autossh
# And finally to stop autossh
darren@dk10$ kill `pidof autossh`

Maintaining Persistent SSH tunnels in Linux

• First of all we need to cover Plink. Short for Putty Link, the plink utility is the command-line equivalent to Putty on Windows. We'll be using this today along with another to in order to keep an SSH tunnel persistent.
• Here's an example of a plink SSH tunnel. We start by launching pageant and entering our passphrase. Now that our private key is in memory we can use plink to start an SSH tunnel from the command line.
• So open up CMD, navigate to where your plink utility is. For me that's by running "cd putty"
• Now run plink.exe -- you'll be greeted by a whole list of options for this command line utility.
• To start a simple Dynamic SOCKS proxy I'll enter:
• plink -D 8080 snubsie@peanut.hak5.org -agent
• The -D says make it a Dynamic SOCKS proxy on my local port 8080 and the -agent says to use pageant for the private key file.
• And there we go, a command to start our SOCKS proxy for all our tunneling enjoyment. Of course if the SSH connection is dropped we'll be all sad pants -- especially if we're using the tunnel to watch the BBC or something.
• And while autossh *is* available for Windows, sort of, it isn't exactly the easiest to setup. AutoSSH, the Linux program, can be run in Windows using Cygwin -- a Linux environment for Windows. If that suits your fancy, have at it. There's a decent tutorial for setting that up.
• That said I'm more interested in using native Windows programs. Thankfully a similar setup to autossh can be achieved using plink with the help of a little utility called MyEnTunnel.
• Short for My Encrypted Tunnel, MyEnTunnel is a windows utility that lives in the system tray, or can be run as an NT service in the background, that quietly watches Plink sessions and restarts them as necessary.
• MyEnTunnel is available from http://nemesis2.qx.net/pages/MyEnTunnel as freeware.

Download HD Download MP4

In this episode Darren and Shannon break down reverse shells via proxy. The network scenario is that of two devices on disparate networks who's firewalls won't allow inbound connections. Typically this is a NAT router that you haven't access to. Assuming both devices can create outbound connections, which is commonly the case, we'll configure an SSH server to act as a relay for our reverse shell.

In this scenario three hosts are involved. First is our WiFi Pineapple, which is the device we'll be getting the reverse shell from -- meaning we'll be able to login to a terminal on this machine. In our example it is connected to the Internet by way of a 3G/4G modem which our carrier firewalls. Using AutoSSH -- a tool to maintain a persistent SSH connection -- we establish a connection back to our second host, relay.hak5.org. In turn our third host, my laptop (hostname: dk10) connects to relay.hak5.org as well.

## browse to 172.16.42.1/ssh.php (WiFi Pineapple) and Generate Key
##SSH Into WiFi Pineapple
## Establish connection to relay adding key fingerprint to known_hosts on pineapple
root@pineapple# ssh user@relay.wifipineapple.com
## Refresh ssh.php showing known_hosts. Copy RSA key string from "rsa" to "root@pineapple"
## From new session on relay, paste RSA key into authorized_keys file
user@relay$ echo "" >> ~/.ssh/authorized_keys
## Logout of the relay
user@relay$ exit
## Demonstrate how without the -i option ssh on the pineapple will still prompt for password
root@pineapple# ssh user@relay.wifipineapple.com #this will prompt for passwd
## Demo how to properly SSH into a host with a dropbear RSA key
root@pineapple# ssh user@relay.wifipineapple.com -i /etc/dropbear/id_rsa
user@relay$
## Configure SSHD to allow TCP Forwarding **Necessary for Server Admin Only**
## Become root
user@relay$ sudo -i
## Add settings to sshd config file
root@papaya# echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config
root@papaya# echo "GatewayPorts yes" >> /etc/ssh/sshd_config
## Restart SSH Daemon
root@papaya# /etc/init.d/ssh restart
## Logout of root
root@papaya# exit
## Logout of relay completely
user@relay$ exit
## Update SSH Connection Command from 172.16.42.1/ssh.php to reflect username and host
## Enable SSH on boot and SSH keepalive, then click Connect
## From localhost (your laptop) SSH into the newly configured WiFi Pineapple via the relay
## Demonstrate technique one: SSH from SSH (not as sexy)
darren@dk10$ ssh user@relay.wifipineapple.com
user@relay$ ssh root@localhost -p 4255
## Logout of both pineapple and relay
root@pineapple# exit
user@relay$ exit
## Demonstrate technique two: Single SSH session
darren@dk10$ ssh root@relay.wifipineapple.com -p 4255

SSH and SOCKS5 Proxy Follow-up

MetalX1000 writes regarding SSHFS from the command line in Linux

OK, I love that you showed how to do it this way. But, for the Shannon's of the world who need a GUI, you can always just open Nautilus and in the location bar type ""sftp://user@server"" and then make a short cut to that in the left side bar of Nautilus.

Thanks for the tip MetalX1000. We demonstrated on the show one more technique. From Gnome2's "Places" menu click Connect to Server and select SSH.

Spectrakid writes regarding setting up an SSH Server on Linux and "apt-get install ssh"

I thought you needed the ""openssh-server"" package to set up a ssh server in Debian based systems........ssh is a metapackage that simply depends on openssh-server & openssh-client

There are about as many ways to skin a cat in Linux as there are dependency issues ;-)

wirerat1 writes regarding keeping connections alive

ClientAliveCountMax 0 does not do what he thinks it does.

True, it doesn't do what it claims to do.

From the MAN Page:

ClientAliveCountMax sets the number of client alive messages (see below) which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.
The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds.

Meaning a ClientAliveCountMax 0 should continue sending Keep Alive messages over the SSH connection for every ClientAliveInterval forever, but in practice, it doesn't. I've started using 99999 as my value of choice, however I'm sure there's a better way.

Steven writes regarding Pageant and Putty

In Putty you don't need the pageant program to use the private key. Select your profile and hit load so that you can edit the profile. On the right go to SSH -> Auth. There you will find ""Private file for authentication"", hit browse and select your private key. Go back to Session. Select your profile and hit save. Next time you open a connection putty will automatically use the key. Note: The key will not be stored in memory so you'll need to enter the passphrase each time you connect to the server.

Download HD Download MP4

SSHFS on Linux

As Darren demonstrates in Linux the setup is quite simple. Begin by installing SSHFS. From ubuntu that's "sudo apt-get install sshfs". Once installed your user will need to be added to the fuse group, so issue "sudo gpasswd -a $USER fuse". The $USER is an environment variable which will be replaced with your username on execution. Issue "whoami" if you're not sure of your username.

Once SSHFS has been installed and your user added to the fuse group you're nearly ready to mount the remote file system. Begin by making a directory. This directly will act as the mount point for the remote file system. Issue "sudo mkdir ~/sshfs" to make an sshfs directory in your user's home.

Finally we're ready to mount the remote file system. If you've been following along thus far and have setup authentication key pairs for your SSH server the following should be pretty seamless. Issue "sshfs -o idmap=user username@host: ~/sshfs". Replace username and host as appropriate. The colon (:) after the host specifies the location on the remote server to mount. For example, if permissions allowed, /var/www/ could be mounted. Leaving the location as colon (:) defaults to the user's home directory. Now navigate to ~/sshfs on your local system and behold the remote file system!

SSHFS on Windows

As Shannon demonstrates, ExpanDrive offers SSHFS for Windows. In addition ExpanDrive will mount virtual drives from Amazon S3 and even FTP. The software is $40 with a 30-day trial. It supports SSH public keys directly or with pageant.

Youtube Description (No HTML):

Continuing with SOCKS5, SSH, Public Key Pairs and fingerprints, Darren and Shannon use SSH to create a secure remotely mounted network filesystem with implementations in both Windows and Linux.

Using the SSHFS utility we're able to mount a remote filesystem. Since we already have a secure tunnel to our server over SSH, which we've been thus far using as a SOCKS5 proxy, we're now able to store files securely online with the same mechanism. Using FUSE, or File System in User Space, we're able to achieve this without the need to load kernel modules -- a process which would require superuser privileges.

If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out http://www.revision3.com/haktip

Whether you're a beginner or a pro, http://www.revision3.com/haktip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more.

And let's not forget to mention that you can follow us on http://www.twitter.com/hak5 and http://www.facebook.com/technolust, http://revision3.com/hak5/follow to the show and get all your Hak5 goodies, including the infamous wifi-pineapple over at http://hakshop.com . If you have any questions or suggestions please feel free to contact us at feedback@hak5.org. ]]> http://Hak5.org/episodes/hak5-1111/feed 9 http://Hak5.org/episodes/hak5-1110 http://Hak5.org/episodes/hak5-1110#comments Thu, 26 Apr 2012 22:09:10 +0000 Darren Kitchen http://Hak5.org/?p=4760 ]]>

Continuing with Proxies, SOCKS5 and SSH, Darren and Shannon cover SSH Public Key Fingerprints, then build a free Windows SSH Server and configure Key Pairs for a Linux client.

Download HD Download MP4

SSH Public Key Fingerprints and known_hosts

Typical SSH Servers user 128-bit MD5 hashes as Public Key Fingerprints. These are used to verify the authenticity of a server. These key fingerprints are short sequences of bytes used to authenticate a much longer public key. Like we discussed last week regarding key pairs for user authentication, SSH servers have key pairs for server authentication.

On a Linux OpenSSH server for example these key pairs will be found in /etc/ssh/*key*. The public keys will be world readable while the private keys can only be read by a superuser.

On a Linux client for example the key fingerprints of remembered servers are stored in ~/.ssh/known_hosts. Since SSH version 4 the username and hostnames associated with these servers are hashed.

To remotely verify the key fingerprint of an SSH server

ssh-keyscan -t rsa,dsa REMOTEHOSTNAME > /tmp/ssh_host_rsa_dsa_key.pub
ssh-keygen -l -f /tmp/ssh_host_rsa_dsa_key.pub

Alternatively, on the remote server the key fingerprints can be found by:

cd /etc/ssh
ls *key*
cat ssh_host_key # this is the private key
# permission will be denied if not superuser
cat ssh_host_key.pub # this is the public key
ssh-keygen -lf ssh_host_rsa_key.pub
# field 1 = bit length of key
# field 2 = fingerprint of key
# field 3 = name of key

Setting up a Windows SSH Server with Bitvise (+ A few other software recommendations)

Setting up the SSH Server Windows Using BitVise WinSSHd

• Download BitVise

• Creating a server on laptop or pc at home...
• Auto config router (UPnP) - BAD!! No Universal Plug-n-Play
• Open Port to Any Computer
• Uncheck 'Allow Any Logon', Click add.
• Enter Username - Run 'whoami' from CMD to find out your username.
• Want to add account for a friend? Do a virtual account.

SSH Servers for Windows

FreeSSHd - http://www.freesshd.com/

• Nice but lacks advanced security controls. The server starts
  sessions with security in the context of the service itself, meaning
  since it needs to be run as administrator or system those are the
  privileges available to the users.

• Not open source so it can't be vetted, improved upon by the community
• Hasn't been updated since 2009
• Difficult to get working on Windows 7
• Free and easy to setup

Bitvise WinSSHD - http://www.bitvise.com/winsshd

• Free for non-commercial / personal use

• License costs $100, unlocks Active Directory feature for enterprises
• Easy to install and update, nice GUI
• Supports Active Directory, Kerberos or it's own user database
• Works fine in Windows 7
• Supports AES 128 and 256 bit encryption
• Not open source so it can't be vetted, improved upon by the community
• Can be configured to use Power Shell instead of CMD as the default
  shell for users

• Supports OpenSSH public key files
• Configure account and group permissions per IP and DNS
• Automation API, logging

OpenSSH for Windows - SSHWindows.sf.net

• Free, open source implementation of OpenSSH with Cygwin

• Hasn't been updated since 2004
• Enough said

Copssh - https://www.itefix.no/i2/copssh

• Package of portable OpenSSH for Cygwin

• GUI for administartion

KpyM SSH Server - http://www.kpym.com/2/kpym/index.htm

• Free, open source

• Uses Windows identification (Windows user accounts)
• Automated install and setup
• Nag screen. Single license is $35

Setting up Key Pair Authentication in Linux with OpenSSH

On the remote host:

mkdir .ssh
chmod 700 .ssh
cd .ssh

On the local host:

ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub user@host:.ssh/authorized_keys2

Back on the remote host:

ls -la authorized_keys2
chmod 600 authorized_keys2
exit

On the local host:

ssh user@host

Bonus: Transfer SSH public keys from one machine to another

Now that we've done it the long way, let's take a moment to appreciate a convenient shortcut -- ssh-copy-id.

ssh-keygen; ssh-copy-id user@host; ssh user@host

Download HD Download MP4

Before getting into public key crypto we should first take a moment to gather a basic understanding of the SSH-2 protocol layers. In a nutshell the three layers of SSH-2 are:

The first is the Transport Layer. This layer is responsible for handling key exchanges, the servers authenticity (server authentication), compression, encryption and re-keying (typically after 1 GB of traffic or 1 Hour have elapsed). We'll get into more detail on this next week when we focus on key fingerprints.

Second is the User Authentication Layer, which handles client authentication, or authentication of the user trying to log-in. This process is client driven, meaning that the connecting client chooses which method they would like to authenticate with. Accepted methods vary by server but typically these include:

• Password Authentication - we used this last week by interactively typing in our password at the prompt when logging in

• Public Key - this is the method we'll be using today and going forward
• Keyboard Interactive - a process that can be used for one-time-passwords.
• GSSAPI (Generic Security Services Application Programming Interface) - this is actually a library used by commercial vendors, usually to implement single-sign-on services in enterprises and integrating with existing security services such as NTLM or Kerberos.

Finally there is the Connection Layer. This layer defines the channels, or asymmetric communications supported by SSH, including:

• Shell Channel for Shells, SFTP, SCP
• Direct-TCP/IP Channel for Client-to-Server forwards
• Forwarded-TCP/IP Channel for Server-to-Client forwards

Understanding Public Key Cryptography

Authentication via Asymmetric Key Cryptography (aka Public Key Crypto) is the method for generating a key pair -- both public and private (aka secret) -- and publishing one or the other in order to initiate secure communication. In our example we'll be protecting our private key on the client while publishing the public key on the SSH server. With this setup anything encrypted with the public key can be decrypted with our own private key. The oversimplification of this is that the key pairs are linked mathmatically allowing for encryption with the public key and decryption with the private key. The idea is that it's impractical to figure out the private key based on only knowledge of the public key. This is the basis for SSL, PGP, GPG, Bitcoin and many other protocols.

SSH-2 supports at least two methods for Public Key authentication

• RSA Key Pairs, which are named after creators Rivest, Shamir and Adleman and published in 1978 is an algorithm based on the difficulty of factoring large integers. Again the oversimplification is that the public key is based on the product of two large primes (along with an aux value) and the private key is derived from prime factors used to create the public key.

• DSA Key Pairs, or Digital Signature Algorithm, have been a Federal Information Processing Standard since 1993. Originally pantented by former NSA employee David Kravitz this technology is now freely available for anyone to use worldwide.

Setting up a Linux OpenSSH Server
On a Debian based Linux machine setting up ssh can be as simple as issuing "sudo apt-get install ssh". In this segment Darren goes over some of the configuration lines you would find useful to modify in /etc/ssh/sshd_config.

AllowTcpForwarding yes
GatewayPorts       yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
AllowUsers bob alice
PermitRootLogin no
Protocol 2
Port 222
LoginGraceTime 1m
ListenAddress
ClientAliveInterval 60
ClientAliveCountMax 0

Be sure to restart the SSH deamon after editing the configuration. stop ssh;start ssh;service ssh restart;/etc/init.d/ssh restart #one of these should do it! :)

SSH Key Authentication On Windows with Putty for a Linux Server

This'll create key pair- an authorization to log on to server for authentication. Begin by downloading the Putty KeyGen tool. Click Generate and move mouse to generate key pair, and save both. Now open the server via Putty.

On the server go ahead and create a user if you haven't already done so. Typically this is achieved using the "adduser username" then "passwd username" commands.

Now, while logged in as your user, make a directory called .ssh in the your home. For example "mkdir ~/.ssh"

You'll want to change the mode to 700 so that only you have access to it. In the world of Unix there are 3 levels of permissions for files and directories. The Owner, Groups and World (everyone). The first 10 characters are the file's attributes. The first character represents what type of file it is. If it's a dash (-) it's a regular file. A (d) represents a directory, and there are a few others for special stuff like symbolic links. The next 9 characters specify the Read (r), Write (w) and Execute (x) permissions for the file's Owner, Groups and World (everyone). Change the mode of the directory with "chmod 700 .ssh/" The "chmod" command stands for Change Mode and allows you to easily modify a file or directory's permissions. Chmod will accept an octal representation of the modes. We're not going to get into them all but in this case 700 changes the file to be Readable, Writeable and Executable by the file's Owner, and nothing else for any Groups and the World.

Next change to the newly created directory with "cd .ssh" and create a file called authorized_keys2 with the public key on one line saved in file. Add ""ssh-rsa "" to the beginning.

Finally you'll want to again change the mode of the file so that only you can read and write to it. In this case the command would be "chmod 600 authorized_key2".

Now back on the Windows machine ppen pageant.exe and select 'add key'. Add the private key created in the initial setup. Pageant works as a passphrase keeper. With Pageant in memory and your private key loaded go ahead and test your connection. Just as before login with putty being sure to include "username@" before the hostname in the connection dialog.

You should now login without a password needed! Hooray! ]]> http://Hak5.org/episodes/hak5-1109/feed 8 http://Hak5.org/episodes/hak5-1107 http://Hak5.org/episodes/hak5-1107#comments Wed, 04 Apr 2012 19:13:58 +0000 Jason http://Hak5.org/?p=4705 ]]>

This time on the show, automating interactive tasks in Linux, preventing your browser sessions from being tracked, graphical command line disk usage utilities, and pushing hex over TCP with Echo. All that and more this time on Hak5!

Download HD Download MP4

Empties Source Forge page at empty.sf.net describes the utility as one that provides an interface to execute and interact with processes under pseudo-terminal sessions. This is pretty cool because you can use it to program shell scripts which communicate with interactive programs like telnet, ftp or ssh.

And while TCL/Expect does the same thing, empty may be a better choice because it can be invoked directly from the shell, it doesn't require TCL, perl, python or any other language, it's super small and simple and has already been ported to most *nix flavors.

Installation is pretty simple, either download the source from empties website, untar it and ""make all install clean"", or grab it from your repo. In ubuntu that's apt-get install empty-expect

The cool thing about the way it works is that everything is based on files.

empty -f -i input.fifo -o output.fifo -p empty.pid -L empty.log ssh
root@localhost
empty -w -i output.fifo -o input.fifo continue 'yn'
empty -w -i output.fifo -o input.fifo assword 'lamepasswordn'
empty -w -i output.fifo -o input.fifo root@ 'topn'

Disconnect.me

With all the privacy issues we've been hearing about lately, (Facebook's always strange updates; Google's new policy, etc), it almost seems impossible to keep your private data private!

We always hear about those problems we face with third party advertisers, cookies, and social search results, but it seems like everyone gets all up in arms about it, but almost no one goes on the defense and stops it from happening. Sure, people like you and me know how to disable cookies and we've deleted our cache's and search results in Google but we still have to teach the masses how to do it as well.

We still have a friend in the world who cares by the name of Disconnect, a company that was founded by a couple of ex-Googlers, Brian Kennish and Austin Chau, with Casey Oppenheim.

So what are they doing? Well, Disconnect is working on making your private data private again by disabling sharing with third parties and soon customizing your ability to share with whom you want.

How does it work? Disconnect is a small add-on for your browser (for me, Chrome) that you can find in your browser's webstore. Disconnect works in the background, seemlessly blocking the collection of your searches, sites visited, etc from Google, Twitter, Facebook, Digg, and Yahoo. It'll even let you depersonalize searches on Google and Yahoo by blocking cookies while you're still logged in.

You can unblock services too, just by clicking on the icon, in case you want to play a game on facebook that requires it or you have trouble getting to certain services when they're blocked. They've been having some bugs with Google accounts not working right when blocked, but so far I haven't had any problems myself. But this extension does peak my interest as well as suspicions. Does it really block cookies and private data sharing? According to their privacy policy it does.

Hex over TCP with Echo and Netcat

Ever needed to send some hex in TCP form over to a port on an IP?
Well, you can do that with Echo and Netcat.