Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]
user@internal:~$ hostname -f
internal.company.tldThis post explains it well and details the safer ssh -J alternative.
That's also a great one, @0xdade! Thanks for the share. I guess while we're at it, haha...
Kerberos authentication can also be leveraged for lateral movement, often with SSH. The KRB5CCNAME environment variable can be set to the path of a user's credentials (ticket) cache, usually in /tmp. klist(1) can be used to view the cache.
Thank you, this is cool stuff.
There are quite a few operations defined in the agent-forwarding spec.
A particularly interesting one is using the agent to perform private key signing operations, without having access to the key itself.
Here is a simple POC that shows this in action
Wish I could react to gist comments. Thanks for the contribution!
@dandare100 TIL! Thank you for sharing that.
cool runnings
Slightly tangential, but related to abusing ssh configurations for lateral movement:
Look for
ControlMaster autoandControlPathin ssh config files. You can use the ControlPath to find control sockets that are currently open to remote servers, then ssh to that same remote server, usually without having to reauthenticate or go through 2FA.The down side to this is that you're multiplexed using the first connection, so if the first connection gets terminated then your connection also goes down. So maybe have something handy to be ready to drop backup keys (
~/.ssh/authorized_keys2is often still a valid keys file and not usually clobbered by host configuration tools like chef/puppet/salt/etc) or otherwise establish persistence once you ride-along.