Bypassing Authentication on SSH Bastion Hosts

For any red teamer, SSH bastions (hosts that can control access between environments) can be difficult to compromise due to the use of multi-factor authentication (MFA) technologies. In a typical scenario, you may end up on a user’s host that has access to the bastion thanks to phishing or exploiting a vulnerability with the compromised user’s permissions. Learn more about SSH multiplexing and its role in bypassing authentication on SSH bastion hosts:

The normal course of action is to identify the privilege escalation vector in order to get root. This privilege escalation is not always a possibility, but using a method that takes advantage of an SSH feature called “multiplexing” can help with this pivoting.

SSH multiplexing is the ability to send multiple SSH connections using a single pre-existing connection. This is used in environments to improve efficiency and reduce resource load. This isn’t a new feature: there’s a detailed write-up in theOpenSSH Cookbookabout how it works; HD Moore & Valsmithpresented on the topicat DEF CON back in 2007.

The only major difference is that, today, SSH bastion hosts are heavily used in many production environments. These bastion servers will typically use a form of MFA that can be a major obstacle when attempting to pivot into sensitive areas of a network.

The link for this article located at NCC Group is no longer available.