ssh cheat sheet

SSH 速查表

SSH有些特性在渗透和审计过程中很实用。该文章的目的就是，提醒我们记住最常用的特性。

注意:此文章并不能取代官网的手册页面，只是为了介绍一些SSH相关的例子。

SOCKS Proxy

-D [bind_address:]port
   Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side, optionally
   bound to the specified bind_address.  Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the appli‐
   cation protocol is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are supported, and
   ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port forwardings can also be specified in the configuration file.

   IPv6 addresses can be specified by enclosing the address in square brackets.  Only the superuser can forward privileged ports.  By default, the local
   port is bound in accordance with the GatewayPorts setting.  However, an explicit bind_address may be used to bind the connection to a specific
   address.  The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that
   the port should be available from all interfaces.

本地(127.0.0.1：1080)开一个socks代理，通过代理可以将数据中转到远程主机(192.168.1.110)

命令:
ssh -D 127.0.0.1:1080 192.168.1.110

~/.ssh/config:
Host 192.168.1.110
DynamicForward 127.0.0.1:1080

使用tsocks或类似的工具，可访问192.168.1.110相关的网络资源。
tsocks rdesktop 192.168.1.111 3389

Local Forwarding

-L [bind_address:]port:host:hostport
   Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating
   a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection is made to this port, the con‐
   nection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port forwardings can also be
   specified in the configuration file.  IPv6 addresses can be specified by enclosing the address in square brackets.  Only the superuser can forward
   privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However, an explicit bind_address may be used to
   bind the connection to a specific address.  The bind_address of “localhost” indicates that the listening port be bound for local use only, while an
   empty address or ‘*’ indicates that the port should be available from all interfaces.

让远程主机上的服务，能够访问本地主机监听的端口.

例子1：

远程主机TCP 1521端口对应的服务，可通过SSH客户端访问10521得到.
命令:
ssh -L 127.0.0.1:10521:127.0.0.1:1521 user@192.168.1.110

~/.ssh/config
LocalForward 127.0.0.1:10521 127.0.0.1:1521

例子2:

如果想要SSH客户端所在同一环境的主机，也可以访问该服务.
命令:
ssh -L 0.0.0.0:10521:127.0.0.1:1521 192.168.1.110

~/.ssh/config
LocalForward 0.0.0.0:10521 127.0.0.1:1521

例子3:

访问本地10521端口，可连至192.168.1.111:1521 192.168.1.110
命令:
ssh -L 127.0.0.1:10521:192.168.1.111:1521 192.168.1.110

~/.ssh/config
LocalForward 127.0.0.1:10521 192.168.1.111:1521

Remote Forwarding

-R [bind_address:]port:host:hostport
   Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating
   a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel,
   and a connection is made to host port hostport from the local machine.

   Port forwardings can also be specified in the configuration file.  Privileged ports can be forwarded only when logging in as root on the remote
   machine.  IPv6 addresses can be specified by enclosing the address in square braces.

   By default, the listening socket on the server will be bound to the loopback interface only.  This may be overridden by specifying a bind_address.
   An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces.  Specifying a remote bind_address will
   only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

   If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.  When used together
   with -O forward the allocated port will be printed to the standard output.

通过本地监听的端口，可访问远程服务.

例子1:

连接8000端口，可访问80端口对应的资源.
命令行:
ssh -R 127.0.0.1:8000:127.0.0.1:80 192.168.1.110

~/.ssh/config
RemoteForward 127.0.0.1:8000 127.0.0.1:80

例子2:

连接8000端口，可访问主机192.168.1.111的80端口对应的资源.
命令:
ssh -R 127.0.0.1:8000:192.168.1.111:80 192.168.1.110

~/.ssh/config
RemoteForward 127.0.0.1:8000 192.168.1.111:80

例子3:

命令:

ssh -R 0.0.0.0:8000:192.168.1.111:80 192.168.1.110  # we need a new port to 127.0.0.1:8080

ssh -L 4444:127.0.0.1:8080 192.168.1.110

~/.ssh/config
RemoteForward 0.0.0.0:8000 192.168.1.111:80

Configuration Files

~/.ssh/config

有时候使用配置文件~/.ssh/config会非常方便，这样可以避免每次都输入一长串的命令.使用其他SSH工具时(例如:scp和rsync)，配置文件会提供便利。

Host192.168.1.110

Port 2222

User ptm

ForwardX11 yes

DynamicForward127.0.0.1:1080

RemoteForward 80127.0.0.1:8000

LocalForward 1521192.168.1.111:1521

~/.ssh/authozied_keys

在渗和审计过程中，你可以在服务器上添加一个authorized_keys文件，这样你可以使用SSHkey文件登录。

生成公钥/私钥，方法如下:

ssh-keygen -f mykey

cat mykey.pub # youcan copy this to authorized_keys

ssh-keygen -f mykey-t rsa -b 768

cat mykey.pub # copyto authorized_key.

ssh -i mykeyuser@192.168.1.110

参考链接: http://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet