Michał Rola Blog

Let’s start with SSH. [1/4]


We all know SSH at least it’s basics for example to use with GitHub, etc. but what if we will think about SSH as a pipes or tubes connecting between networks, OS and tools. I was inspired by eBook The Cyber Plumber’s Handbook to get deep down into the subject and gain more understanding how can we use SSH to secure our connections. Also I get the idea not only go though book and do fancy stuff with SSH but also set up the environment using docker. I won’t be rewriting Handbook here, mostly I will be relay on knowledge from it and configuring whole environment running Kali system, image downloaded from official site and run on Virtual Machine – Virtual Box. We can also buy access to machines with exerciser prepared by author of Handbook. I’m sure I will do that after going through it.

In chapter I and II we can see Introductions and The Basics for requirements, conventions, some bash aliases and overview of the tools that will be used. Please read those chapters while they will help us setting and testing everything.

Chapter I The Basics describe tools and give some examples. I will try to use them on my first steps while creating local infrastructure similar to the image from book. First step would be to have Kali linux installed. Next steps would be to install docker and tools mentioned. Then we will go though chapters and learn something while building whole infrastructure.

Let’s create basic Dockerfile, for example:
┌──(kali㉿kali)-[~]
└─$ cat DockerFiles/centos/Dockerfile
FROM centos/systemd:latest

RUN yum update -y && yum -y install openssh openssh-server openssh-clients sudo initscripts

RUN ssh-keygen -q -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key
RUN ssh-keygen -q -N "" -t rsa -f /root/.ssh/id_rsa
RUN adduser nemo
RUN mkdir /home/nemo/.ssh
RUN chmod 700 /home/nemo/.ssh
RUN chown nemo /home/nemo/.ssh/
RUN chgrp nemo /home/nemo/.ssh
RUN touch /home/nemo/.ssh/authorized_keys
RUN chmod 600 /home/nemo/.ssh/authorized_keys
RUN chown nemo /home/nemo/.ssh/authorized_keys
RUN chgrp nemo /home/nemo/.ssh/authorized_keys

EXPOSE 22

CMD ["/usr/sbin/sshd", "-D"]

We can now build image in docker:
$ docker build -t centos_ssh .

Check if image was created:
$ docker images

If image was created should have name centos_ssh we can run it
(I forget about -p 22:22 so we have to deal with random port but this is a good exercise about docker, but you can add it):
$ docker run -d -P --name centos_sshd_container centos_ssh:latest

Now when we typed docker ps we can see our JumpBox1 running as described in papers.
To get fully working JumpBox we should create user and copy public key from Kali to JumpBox1. Before that we also should know ip address and port number, to get ip address and port number:
$ docker inspect -f "{{ .NetworkSettings.IPAddress }}" centos_sshd_container 
> 172.17.0.3
$ docker inspect -f "{{ .NetworkSettings.Ports }}" centos_sshd_container
> map[22/tcp:[{0.0.0.0 49154}]]
We can see that ip address is 172.17.0.3 and port number 49154.

Let’s check if the port is open:
$ nmap 127.17.0.2 -sT -p 80,443,22,49154

Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 127.17.0.3
Host is up (0.00013s latency).

PORT STATE SERVICE
22/tcp closed ssh
80/tcp closed http
443/tcp closed https
49154/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds

If we have working system with open port for ssh, we should configure access for nemo by ssh in following steps:

  1. list docker and copy container id:
    $ docker ps
  2. get into docker:
    $ docker exec -it [container id] bash
  3. add user nemo:
    $ adduser nemo
  4. login as nemo:
    $ su nemo
  5. create .ssh catalog
    $ mkdir ~/.ssh
  6. Open new terminal and copy from Kali public ssh key and save in authorization_keys in our new docker container.
    Copy public key printed with:
    $ cat ~/.ssh/id_rsa.pub
  7. Paste it in docker container we created:
    $ echo 'ssh-rsa AAAAB3Nza***********************************CHGVpgpPciXrw== kali@kali' >> ~/.ssh/authorized_keys
  8. Change permissions for .ssh and authorized_keys
    $ chmod 600 ~/.ssh/authorized_keys
    $ chmod 700 ~/.ssh
  9. We can exit from nemo to root:
    $ exit
    and exit root to Kali:
    $ exit

Now from Kali terminal we should be able to ssh out JumpBox1 (it won’t work as we don’t have open default ssh port 22):
$ ssh [email protected]
or even better to pass port number
$ ssh -p 49154 [email protected]
if we face some issues we can debug with:
$ ssh -p 49154 -vvvA [email protected]

That’s it. We have now our first JumpBox1 running and connecting by ssh. we can go to next chapter.

Chapter 3 in the papers we can now make use of our docker created before. You will face some issues as I did and how I managed to fix them.

First connection will be little different from previous one and different from papers:
$ ssh -p 49154 [email protected] -L 127.0.0.1:2000:127.0.0.1:2222

SSH connection to our JUMPBOX1 from Kali with local port forward. Details you can read in papers. You should see:
Last login: *** *** ** 07:57:54 *** from gateway
[nemo@ec18ca747699 ~]$

If you have any issues connection you can add -v in the end of ssh command, you can add -vv for more details and -vvv is the last with all details you can get from connection, exp:
$ ssh -p 49154 [email protected] -L 127.0.0.1:2000:127.0.0.1:2222 -vvv

Let us check if we have open port 2000:
$ nsg 2000
nsg is an alias for netstat -nat | grep 2000, so if you didn’t managed to set aliases you can use full form. Results should be like this:
tcp 0 0 127.0.0.1:2000 0.0.0.0:* LISTEN

You can do the same command on JUMBOX1 side to check opened ports, remember to change grep 2000 to 2222 or remove grep to see all ports. Will explain later details.

It’s time to run Netcat chat. We will test our connection with simple chat.
We have running SSH connection with open local ports on first terminal, now we will run natcat server on JUMBOX1 with port 2222:
$ nc -nv -l 127.0.0.1 -p 2222

I face two issues, one that netcat is not available and I had to install it on Centos. First you have to open new terminal and login as root to docker with this command:

$ docker exec -it ec18 bash

Where ec18 is the container id from command docker ps.
When you will be in JUMPBOX1 as root you can install nmap an ncat (netcat, nc)

$ yum search netcat #serach for netcat
$ yum install nmap-ncat #found it as nmap-ncat
$ nmap --help #test if installed
$ nc --help #test if installed

When you install all of this you can exit from docker and go to the terminal where you are SSH as nemo in JUMPBOX1 and run command:
$ nc -nv -l 127.0.0.1 -p 2222

Server will start. You will go to Kali terminal and run:
$ nc 127.0.0.1 2000

Now you can type message that will be shown in JUMBOX1. The same as in papers.
I face issue here as I was disconnected after I was trying to type message. When run with -vvv on both sides I got error like this one between all logs. Kali nc client side:
$ nc 127.0.0.1 2000 -vvv
Connection to 127.0.0.1 2000 port [tcp/cisco-sccp] succeeded!
Hello

Connection dropped. Here’s nc server side:
$ nc -nv -l 127.0.0.1 -p 2222
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on 127.0.0.1:31337
channel 2: open failed: connect failed: Connection refused

Searching internet looking for issue you can find a lot of advice’s about miss-configurations, firewalls and so on. For us it should work as we have the same in our papers. You should remember that we create JUMPBOX1 as Centos by docker. We have information that Ubuntu 18.04 is used through tutorial. 

Going to manual of ncat https://nmap.org/ncat/guide/ncat-usage.html we can see that creating server we don’t need -p for port. So we remove it and run server again:
$ nc -nv -l 127.0.0.1 2222
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on 127.0.0.1:2222

You can notice that now we have running server on port 2222 not 31337 like before. That was the issue. I also used netstat when logged as root to JUMPBOX1 with docker. We can see wrong port open for nc:
docker exec -it ec18 bash
[root@ec18ca747699 /]# netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:31337 0.0.0.0:* LISTEN

we can notice the proper port open:
$ docker exec -it ec18 bash
[root@ec18ca747699 /]# netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN

I show you how I investigate issue step by step not only following answers from websites. We need to try to verify every suggestion we read on google and on any portal.

So that it. We have now tested and working SSH connection with local port forward. Let’s look at Netcat Shell.

Now we pass -e parameter to exec command
$ nc -nv -l 127.0.0.1 2222 -e /bin/bash

We go back to Kali and run:
$ nc 127.0.0.1 2000
cd ~
mkdir new

We can now go back to JUMPBOX1 nemo user and see that „new” was created:
$ nc -nv -l 127.0.0.1 2222 -e /bin/bash
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on 127.0.0.1:2222
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:44698.
[nemo@ec18ca747699 ~]$ ls
new

Please read usages of local port forwarding described in papers, we are moving on to the next chapter.

 

Sources:

The Cyber Plumber’s Handbook & License 

Let’s get in touch.

m

And make it together.

Contact me
LinkedIn