Some quick notes about using SSH. Setting up a simple tunnel lets you reach things behind a firewall, but it requires cooperation from the firewall admin. Using a man-in-the-middle tunnel (a reverse tunnel through a third host you control) gets around this limitation.
Use this to create a tunnel between you and a remote machine. A port on the local computer will connect to a port on the remote.
Put the following in ~/.ssh/config:
Host pops
    Hostname pops.speedracer.net
    Port 22
    User speed
    LocalForward 5000 localhost:80
Or give the forward on the command line (this one binds port 10000 on the local address 192.168.0.2 and forwards it to 192.168.1.2:161 on the far side; -g lets other hosts on the LAN use the forward):
ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 [email protected]
Or, to keep the tunnel alive, use autossh:
autossh -N -f pops
Use this method to access remote computers behind a firewall and NAT device. The remote laptop opens an SSH connection to the firewall, and the tunnel then forwards local ports to the internal computers.
Laptop -> (Internet) -> FW/NAT(pops.speedracer.net) -> trixie(internal, 192.168.1.1) -> inspector_detector(internal, 192.168.1.2)
- Run sshd on trixie
- Run web server on trixie and inspector_detector (example, could be any service and/or IP behind FW)
- Allow port 22 on the firewall
- Edit ~/.ssh/config on the laptop as follows:
Host pops
    Hostname pops.speedracer.net
    Port 22
    User speed
    LocalForward 3333 192.168.1.1:80
    LocalForward 3334 192.168.1.2:80
Then, open an ssh session from the laptop to the remote end:
In a browser on the laptop, retrieve the remote web page:
On the client (local PC), enter the following commands and accept all the defaults:
cd ~/.ssh
ssh-keygen
Add your identity locally
Copy the public key to the remote computer. Note that scp overwrites the destination file, so this is only safe if this is the only computer authorized to connect; otherwise copy the file under a temporary name and append it to the existing authorized_keys file.
scp id_rsa.pub [email protected]:/home/user/.ssh/authorized_keys
SSH - Man-in-the-middle tunnel
This allows you to use a man in the middle to circumvent a firewall whose administrator won't poke any holes or configure port address translation. It only requires that the firewall allow outgoing connections. (Note: if outgoing port 22 isn't allowed, you can use a different port for the tunnel.) Here's a diagram:
trixie -> NAT -> INET -> racerX <- INET <- laptop
Goal: provide a way to reach trixie from the Internet. Trixie is located behind a NAT device, and we don't control the NAT/FW.
Solution: use SSH to set up a reverse tunnel.
Set up RacerX - the middle man
On racerX, the middleman, make sure the following is added to the /etc/ssh/sshd_config file:
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes
Make sure port 22 (or whatever racerX is listening on) is opened to the outside.
Set up Trixie - the ultimate target
On trixie, set up ssh to connect to the middle server (i.e. racerX): run ssh-keygen on trixie, copy the public key (id_rsa.pub) to racerX and add it to /home/user/.ssh/authorized_keys on racerX. Then open the reverse tunnel by executing the following on trixie:
ssh -f -N -R 3333:localhost:22 [email protected] -p 22
or edit /home/user/.ssh/config (and chmod 600 it) to contain:
Host tunnel
    # Hostname may also be racerX's IP address
    Hostname racerX
    Port 22
    # port 3333 on racerX -> port 22 (ssh) on trixie itself
    RemoteForward 3333 localhost:22
    # port 3334 on racerX -> port 80 (web) on chim-chim, another host behind the NAT device
    RemoteForward 3334 chim-chim:80
and then run:
ssh -f -N tunnel
At this point, you should be able to test the reverse tunnel on racerX. Issue this command on racerX and you should get trixie's username/password prompt; it simply starts an ssh session through the tunnel:
ssh localhost -p 3333
You will need a method of ensuring the reverse tunnel (ssh -f -N tunnel) stays active (e.g. a script run from the crontab). If this tunnel (trixie -> racerX) goes down, you won't be able to use it, and since trixie is behind the firewall you won't have any way to manually restart it.
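As an added example (not from the original notes), here is a script trixie can run from cron to do that. It assumes the "tunnel" entry in ~/.ssh/config also sets ControlMaster auto, ControlPath ~/.ssh/cm-tunnel, ServerAliveInterval 30 and ExitOnForwardFailure yes, so a dead link is noticed by the client and a restart that cannot rebind port 3333 fails instead of silently connecting without the forward.

```shell
#!/bin/sh
# keep-tunnel.sh (added example): keep the trixie -> racerX reverse tunnel alive.
# Assumes ~/.ssh/config on trixie has, under "Host tunnel", the RemoteForward
# lines from the notes plus:
#   ControlMaster auto
#   ControlPath ~/.ssh/cm-tunnel
#   ServerAliveInterval 30
#   ExitOnForwardFailure yes
# Crontab entry: */5 * * * * /usr/local/bin/keep-tunnel.sh
SSH=${SSH:-ssh}                     # overridable so the logic can be exercised without a real host
HOST=${HOST:-tunnel}
SOCK=${SOCK:-$HOME/.ssh/cm-tunnel}  # must match ControlPath above

# 0 if the multiplexed master session for $HOST answers, non-zero otherwise.
tunnel_up() {
    "$SSH" -O check "$HOST" >/dev/null 2>&1
}

# Start a fresh background tunnel; with ExitOnForwardFailure this returns
# non-zero if racerX cannot bind port 3333 or 3334 (e.g. a dead session still holds them).
start_tunnel() {
    "$SSH" -f -N "$HOST"
}

# Prints the action taken; returns 0 if the tunnel is up afterwards, 1 if not.
ensure_tunnel() {
    if tunnel_up; then
        echo "tunnel up"
        return 0
    fi
    # A socket left behind by a crash or reboot would make ssh silently
    # disable multiplexing, so every later check would fail: remove it first.
    rm -f "$SOCK"
    if start_tunnel; then
        echo "tunnel restarted"
        return 0
    fi
    echo "tunnel restart failed" >&2
    return 1
}

# Act only when run as the cron script; when sourced, just define the functions.
case "$0" in
    *keep-tunnel.sh) ensure_tunnel ;;
esac
```

Note that with ClientAliveCountMax 99999 racerX keeps a dead session, and its hold on port 3333, for up to 30 s x 99999 before sshd notices, so a restart from trixie can keep failing until then; a small count such as 3 on racerX lets the restart rebind the port within a couple of minutes.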
Set up the Laptop - using tunnel
Then on the laptop:
edit /home/user/.ssh/config (and chmod 600 it) to contain:
Host tunnel
    # Hostname may also be racerX's IP address
    Hostname racerX
    Port 22
    LocalForward 2022 racerX:3333
    LocalForward 2080 racerX:3334
and then run:
ssh -f -N tunnel
This opens the tunnel from the laptop to the middleman (racerX) and brings racerX's ports 3333 and 3334 to your laptop as local ports 2022 and 2080. So now, on your laptop, you do the following:
ssh localhost -p 2022          -> connects you to trixie via ssh
or use a web browser:
http://localhost:2080/         -> gets the web page from chim-chim
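An added check for racerX (not part of the original notes): with GatewayPorts yes, sshd binds the RemoteForward ports on all interfaces, so 3333 (trixie's sshd) and 3334 (chim-chim's web server) are reachable by anyone who can reach racerX, not only by the laptop. The script parses "ss -ltn" output (a constructed sample is embedded so it runs anywhere) and flags forwarded ports bound on a wildcard address.

```shell
#!/bin/sh
# audit-forwards.sh (added example): on racerX, report which address each
# reverse-forwarded port is bound to. A wildcard bind means the port is exposed
# to the whole Internet through racerX; a loopback bind means only ssh sessions
# into racerX (such as the laptop's LocalForward) can reach it.

# Constructed sample in the layout of "ss -ltn": 3333 exposed, 3334 loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:3333        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3334      0.0.0.0:*'

# Print the local address(es) a TCP port listens on, one per line; nothing if not listening.
bound_addr() {  # $1 = listener table, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print substr($4, 1, length($4) - length(port) - 1)
        }'
}

# Return 0 when the port is bound on every interface (IPv4 or IPv6 wildcard).
port_is_exposed() {  # $1 = listener table, $2 = port
    bound_addr "$1" "$2" | grep -qxE '0\.0\.0\.0|\*|\[::\]|::'
}

# Report each port; return 1 if any forwarded port is reachable beyond loopback.
audit_forwards() {  # $1 = listener table, remaining args = ports to check
    table=$1; shift; rc=0
    for p in "$@"; do
        addr=$(bound_addr "$table" "$p")
        if [ -z "$addr" ]; then
            echo "port $p: not listening (tunnel from trixie down?)"
        elif port_is_exposed "$table" "$p"; then
            echo "port $p: bound on $addr, reachable from the Internet"; rc=1
        else
            echo "port $p: bound on $addr, loopback only"
        fi
    done
    return $rc
}

# Use the live table when ss is available, otherwise the constructed sample.
audit_forwards "$(ss -ltn 2>/dev/null || printf '%s' "$SAMPLE_SS")" 3333 3334 \
    || echo "WARNING: at least one forwarded port is exposed" >&2
```

If the laptop's config says LocalForward 2022 localhost:3333 instead of racerX:3333 (the destination of a LocalForward is resolved on racerX), the forwards only need to listen on racerX's loopback and GatewayPorts yes can be left out of sshd_config.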
PuTTY and VNC
Create a standard PuTTY session. Under SSH/Tunnels, add a tunnel: Source port 5901, Destination IP:5900 (the VNC server's address and port). Press Add.
Then, in VNC Viewer, connect to localhost:1 (display :1, i.e. local port 5901).
Or, from a shell, do it in one line: forward port 5900, start x11vnc on the remote display :0 through that ssh session, then attach a viewer locally:
ssh -f -L 5900:localhost:5900 [email protected] -p port x11vnc -safer -localhost -nopw -once -display :0 && sleep 5 && vncviewer localhost:0
Note, if the user is NOT logged in, then you have to do things in steps. I found the instructions here: https://help.ubuntu.com/community/VNC/Servers#Connecting_to_your_login_screen
First, open a terminal, then:
ssh IPADDRESS -l user -p PORT sudo x11vnc -safer -localhost -once -nopw -auth /var/lib/gdm/:0.Xauth -display :0
Second, open another terminal, then:
ssh -L 5900:localhost:5900 [email protected] -p PORT
Third, open another terminal, then:
To get x11vnc to work with mdm, you have to store a password first:
x11vnc -storepassword /etc/x11vnc.pwd
Then add this line to the end of /etc/mdm/Init/Default (before the exit command):
nohup x11vnc -repeat -auth /var/lib/mdm/:0.Xauth -shared -no6 -forever -nolookup -rfbauth '/etc/x11vnc.pwd' -o /var/log/x11vnc.log 2> /dev/null 1>&2 &
Note: if the command wasn't put in the mdm file, you can run the x11vnc command over SSH instead, just like in the sections above.
If something screws up, you can remotely log out a user running MATE like this:
DISPLAY=:0 mate-session-save --force-logout
This logs the user out, which runs the mdm Init script again, saving you from having to reboot the remote computer.