Bypassing Authentication on SSH Bastion Hosts

    Date25 Oct 2019
    331
    Posted ByBrittany Day
    LS Hmepg 337x500 19

    For any red teamer, SSH bastions (hosts that can control access between environments) can be difficult to compromise due to the use of multi-factor authentication (MFA) technologies. In a typical scenario, you may end up on a user’s host that has access to the bastion thanks to phishing or exploiting a vulnerability with the compromised user’s permissions. Learn more about SSH multiplexing and its role in bypassing authentication on SSH bastion hosts:

    The normal course of action is to identify the privilege escalation vector in order to get root. This privilege escalation is not always a possibility, but using a method that takes advantage of an SSH feature called “multiplexing” can help with this pivoting.

    SSH multiplexing is the ability to send multiple SSH connections using a single pre-existing connection. This is used in environments to improve efficiency and reduce resource load. This isn’t a new feature: there’s a detailed write-up in the OpenSSH Cookbook about how it works; HD Moore & Valsmith presented on the topic at DEF CON back in 2007.

    The only major difference is that, today, SSH bastion hosts are heavily used in many production environments. These bastion servers will typically use a form of MFA that can be a major obstacle when attempting to pivot into sensitive areas of a network.

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":50.65,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.29,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"27","type":"x","order":"3","pct":35.06,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.