Tag: ssh

SSH Client as a Quick and Dirty Port Scanner

by on Jul.22, 2022, under Posts

Since the ssh client is pretty ubiquitous and has been included with Windows 10 installations for the past couple of years, I’ve discovered it can be a useful TCP port scanner if you use the verbose flag:

For Windows:

ssh -p 80 google.com -v 2>&1 | findstr Connect

ssh -p 80 -o ConnectTimeout=1 www.google.com -v 2>&1 | findstr Connect
debug1: Connecting to www.google.com [142.250.191.228] port 80.
debug1: Connection established.
kex_exchange_identification: Connection closed by remote host

As for your *nix systems, just use grep instead of findstr. I hope someone else finds this useful!
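The filter above keeps every line containing "Connect", so the result still has to be read by eye: an open port shows "Connection established", while a closed or filtered port ends in "Connection refused" or "Connection timed out". The following is an added example, not part of the original post, that turns that reading into a small parser for *nix; the function names and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Read `ssh -v` output on stdin and print the TCP state it implies:
# open, closed, filtered, unresolved or unknown.
classify_ssh_probe() {
    awk '
        /Connection established/           { state = "open" }
        /Connection refused/               { if (state == "") state = "closed" }
        /(Connection|Operation) timed out/ { if (state == "") state = "filtered" }
        /Could not resolve hostname/       { if (state == "") state = "unresolved" }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Check one host ($1) and port ($2). BatchMode stops ssh from prompting
# if the port turns out to be a real SSH service.
probe_port() {
    ssh -v -p "$2" -o ConnectTimeout=3 -o BatchMode=yes "$1" true 2>&1 </dev/null |
        classify_ssh_probe
}

# Constructed sample output (not captured from a real host), one case per name.
sample_output() {
    case $1 in
        open)
            printf '%s\n' \
                'debug1: Connecting to www.example.com [192.0.2.10] port 80.' \
                'debug1: Connection established.' \
                'kex_exchange_identification: Connection closed by remote host' ;;
        closed)
            printf '%s\n' \
                'debug1: Connecting to www.example.com [192.0.2.10] port 81.' \
                'debug1: connect to address 192.0.2.10 port 81: Connection refused' \
                'ssh: connect to host www.example.com port 81: Connection refused' ;;
        filtered)
            printf '%s\n' \
                'debug1: Connecting to www.example.com [192.0.2.10] port 82.' \
                'ssh: connect to host www.example.com port 82: Connection timed out' ;;
    esac
}
```

"Connection closed by remote host" after "Connection established" still counts as open: the TCP handshake completed and the service simply did not speak SSH.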

 


abuseipdb.com – ip list

by on Nov.04, 2019, under Blacklists, Posts

Here is a list of known ‘malicious’ IPs from abuseipdb.com. It is updated daily. It’s in a list/plaintext format that should be easy to integrate.

http://zitstif.com/badips.txt

http://zitstif.no-ip.org/badips.txt

Sha256sum:

http://zitstif.com/badipsHash.txt

http://zitstif.no-ip.org/badipsHash.txt

#Update 11/10/2019

Here is a list of offending IPs that have targeted the honeypot I have set up. This will be updated daily as well:

http://zitstif.com/badIpsHoney.txt

http://zitstif.no-ip.org/badIpsHoney.txt

Sha256sum:

http://zitstif.com/badIpsHoneyHash.txt

http://zitstif.no-ip.org/badIpsHoneyHash.txt

#Update 11/13/2019

Here’s another list of IPs that have offended the WAF I use:

http://zitstif.com/WAFips.txt

http://zitstif.no-ip.org/WAFips.txt

Sha256sum:

http://zitstif.com/WAFipsHash.txt

http://zitstif.no-ip.org/WAFipsHash.txt

#Update 11/20/2019

Here’s a great post that has a bunch of lists that can be used:

https://docs.danami.com/juggernaut/user-guide/ip-block-lists

#Update 11/26/2019

Another great resource:

http://www.covert.io/threat-intelligence/

#Update 11/30/2019

Here’s another list of IPs from abuse.ch:

http://zitstif.com/abuseChlist.txt

http://zitstif.no-ip.org/abuseChlist.txt

Sha256sum:

http://zitstif.com/abuseCHhash.txt

http://zitstif.no-ip.org/abuseCHhash.txt

#Update 12/2/2019

Black Hat Directory – Wall of shame list:

http://zitstif.com/BlackHatDirlist.txt

http://zitstif.no-ip.org/BlackHatDirlist.txt

Sha256sum:

http://zitstif.com/BlackHatDirhash.txt

http://zitstif.no-ip.org/BlackHatDirhash.txt

#Update 10/25/2020

Scamalytics IPs:

http://zitstif.com/scamIps.txt

http://zitstif.no-ip.org/scamIps.txt

Sha256sum:

http://zitstif.com/scamIpshash.txt

http://zitstif.no-ip.org/scamIpshash.txt

#Update 07/17/2022

http://zitstif.com/crowdsecips.txt

http://zitstif.no-ip.org/crowdsecips.txt

Sha256sum:

http://zitstif.com/crowdsecipsHash.txt

http://zitstif.no-ip.org/crowdsecipsHash.txt

#Update 01/25/2023

http://zitstif.com/zitSSH_honey.txt

http://zitstif.no-ip.org/zitSSH_honey.txt

Sha256sum:

http://zitstif.com/zitSSH_honey_hash.txt

http://zitstif.no-ip.org/zitSSH_honey_hash.txt

#Update 3/12/2023

http://zitstif.com/zitSSH_honey2.txt

http://zitstif.no-ip.org/zitSSH_honey2.txt

Sha256sum:

http://zitstif.com/zitSSH_honey_hash2.txt

http://zitstif.no-ip.org/zitSSH_honey_hash2.txt
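Each list above is published next to a Sha256sum file, so an integration can check the digest and validate the entries before anything is loaded into a firewall. The following is an added example, not from the original post; it assumes the hash file is in `sha256sum` output format (the page does not show it), and the sample list it writes is constructed.

```shell
#!/bin/sh
# verify_blocklist LIST HASHFILE
# Prints the validated, de-duplicated IPv4 entries of LIST, but only if its
# SHA-256 matches HASHFILE. Assumption: HASHFILE is in `sha256sum` output
# format ("<64 hex digits>  <name>").
verify_blocklist() {
    want=$(awk 'NR == 1 { print tolower($1) }' "$2")
    got=$(sha256sum "$1" | awk '{ print $1 }')
    case $want in
        ''|*[!0-9a-f]*) echo "unparseable hash file" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "unparseable hash file" >&2; return 2; }
    [ "$want" = "$got" ]  || { echo "digest mismatch, list rejected" >&2; return 1; }
    # Pass through dotted quads with octets 0-255 only, so comments, blank
    # lines and malformed entries never reach the firewall tooling.
    awk '
        { sub(/\r$/, "") }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, "."); ok = 1
            for (i = 1; i <= 4; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok) print
        }' "$1" | sort -u
}

# Constructed sample list and matching digest file, written into directory $1.
write_sample_blocklist() {
    printf '%s\n' '# constructed sample' 192.0.2.10 198.51.100.7 \
                  192.0.2.10 999.1.1.1 not-an-ip > "$1/badips.txt"
    (cd "$1" && sha256sum badips.txt > badipsHash.txt)
}
```

The lists and their digests are served over plain http from the same hosts, so a matching digest shows the download is complete and uncorrupted, not that it is authentic.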

 

 

 


Quick and dirty NAT/Firewall bypass using SSH and ngrok

by on Jun.13, 2018, under Posts

If you have a system that is behind a router/gateway/firewall device that you cannot poke holes in and you want to expose your system to the WAN, I recommend you check out ngrok. You can make a free account, download, and use the tool for free as well (with some limitations).

Once you have followed the simple instructions here, you can then put the ngrok executable into your $PATH (or %PATH%). Provided you have ssh listening on port 22 on the system that you’re trying to expose to the WAN, you can then simply run the following command: ngrok tcp 22. The output might look something like this:

Version 2.2.8
Region United States (us)
Web Interface http://127.0.0.1:4040
Forwarding tcp://0.tcp.ngrok.io:15551 -> localhost:22

Connections ttl opn rt1 rt5 p50 p90
0 0 0.00 0.00 0.00 0.0

The beautiful thing about this is that you can see the forwarding location by logging into your ngrok.com account and going to status. This means you could script ngrok (via rc.local, shell:startup, crontab, etc.) to connect out on a regular basis and find the new forwarding location by going to your status page on ngrok.com. In my experience the port is dynamic and changes. Interestingly enough, you have to remember to be careful: I was able to find other ssh servers and open ports by scanning port ranges on 0.tcp.ngrok.io.

Want to access the internal network using a browser? No problem! In this instance you would simply do: ssh -D 8000 username@0.tcp.ngrok.io -p 15551 and then set your browser to use your SOCKS5 proxy on 127.0.0.1 port 8000.

There are other similar services like portmap.io and openport.io, but so far I like ngrok the best.
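Because forwarded ports on 0.tcp.ngrok.io can be found by anyone scanning the range, as noted above, the sshd behind the tunnel should accept keys only before `ngrok tcp 22` is started. The following is an added example, not from the original post, that audits the effective configuration printed by `sshd -T` (OpenSSH's extended test mode); the function names and sample configurations are constructed.

```shell
#!/bin/sh
# Read `sshd -T` output (effective config, lowercase keywords) on stdin.
# Print one finding per setting that allows password-style logins and
# return non-zero if any was found.
audit_sshd_exposure() {
    awk '
        $2 != "yes" { next }
        $1 == "passwordauthentication" { print "password logins enabled"; bad++ }
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            # Older releases print the second keyword; report the issue once.
            if (!kbd++) { print "keyboard-interactive logins enabled"; bad++ }
        }
        $1 == "permitrootlogin"        { print "root may log in with a password"; bad++ }
        $1 == "permitemptypasswords"   { print "empty passwords accepted"; bad++ }
        END { exit (bad > 0) }
    '
}

# Constructed excerpts of `sshd -T` output, not taken from a real server.
sample_sshd_t() {
    case $1 in
        weak)
            printf '%s\n' 'port 22' 'permitrootlogin yes' \
                'passwordauthentication yes' 'kbdinteractiveauthentication yes' \
                'pubkeyauthentication yes' 'permitemptypasswords no' ;;
        hardened)
            printf '%s\n' 'port 22' 'permitrootlogin prohibit-password' \
                'passwordauthentication no' 'kbdinteractiveauthentication no' \
                'pubkeyauthentication yes' 'permitemptypasswords no' ;;
    esac
}
```

On a live system the input comes from `sshd -T | audit_sshd_exposure`, run as root so sshd can read its host keys and configuration.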

 

 


Time to rejoice! OpenSSH official support coming to Windows!

by on Jun.03, 2015, under Posts

http://undeadly.org/cgi?action=article&sid=20150603090420&mode=expanded

Granted, you can already install cygwin and set up an openssh server (which is a pain), but according to multiple sources OpenSSH will be supported by the Microsoft PowerShell team. It is honestly about time, because if you’ve ever had to work with Windows Server Core edition, you may have felt like me and thought it was stupid that you would have to RDP into a system for command line access.

I have a strong gut feeling that the Metasploit community (who already seem to love PowerShell for AV evasion) are going to have a lot of fun with a Microsoft OS built-in OpenSSH package that may even be able to be installed via the new package manager(?).

What do you guys, gals and bots think?


Getting authy-ssh to work (or at least what worked for me)

by on Dec.14, 2013, under Uncategorized

This will be a relatively short post. It is my objective for this post to be useful for other individuals who are having issues setting up authy-ssh on their Secure Shell servers. First, if you’re not familiar with two-step verification, have a look at this:

https://en.wikipedia.org/wiki/Two-step_verification

I was inspired to install this on one of my SSH servers due to enabling this feature on my Gmail account:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

I had heard about authy-ssh a while back through news.ycombinator but had never put the time into setting it up. To set it up you can follow these directions:

https://www.authy.com/products/ssh#installation

I ran into issues though. My SSH server did not possess ‘seq’ and I received error messages from the authy-ssh script that were not very clear. I then dug into the authy-ssh shell script and discovered that it heavily depended on ‘curl’ connecting to Authy’s web servers over HTTPS. ‘curl’ would give me SSL certificate errors and I’m highly confident this is an issue with ‘curl’ on my server and not Authy’s SSL certificates. To bypass this issue, you will need to add the ‘-k’ flag to ‘curl’ at lines 398, 482, 497, 533, and 605 of the authy-ssh script to ignore the SSL certificate errors. I will warn you that this is NOT very secure, but if you need authy to work, this should work.

In addition to this, you may want to run this shell script as well:

http://zitstif.no-ip.org/authyfix.txt

The authy-ssh bash shell script does a check to see if bash exists or if seq exists. If you’re on an OSX system, the OSX equivalent of ‘seq’ is ‘jot’. The equivalent of ‘seq 10’ with ‘jot’ is ‘jot - 1 10’.
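With ‘-k’ in place, curl no longer verifies who it is talking to, so it helps to track exactly which calls run that way and to have a CA bundle ready to pass with ‘--cacert’ instead. The following is an added example, not part of authy-ssh or of the original post; it assumes the certificate errors come from a missing or outdated CA bundle (the post does not identify the cause), the bundle paths in the comment are common distribution defaults, and the sample script is constructed.

```shell
#!/bin/sh
# Print the line numbers of curl calls in script $1 that disable certificate
# verification: -k, a short-option cluster containing k (such as -sk), or
# --insecure.
insecure_curl_lines() {
    grep -nE '(^|[^[:alnum:]_])curl([[:space:]]|$)' "$1" |
        grep -E '[[:space:]](-[A-Za-z]*k[A-Za-z]*|--insecure)([[:space:])"]|$)' |
        cut -d: -f1
}

# Print the first readable, non-empty CA bundle among the given paths.
first_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Replacing -k once a bundle is found (paths are common defaults, not from
# the post):
#   bundle=$(first_ca_bundle /etc/ssl/certs/ca-certificates.crt \
#            /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem)
#   curl --cacert "$bundle" ...

# Constructed sample script, written to path $1, for trying the audit.
write_sample_script() {
    printf '%s\n' \
        '#!/bin/sh' \
        'curl -k -s "https://api.example.invalid/a"' \
        'curl -s --cacert /etc/ssl/cert.pem "https://api.example.invalid/b"' \
        'resp=$(curl -sk "https://api.example.invalid/c")' \
        'echo "the -k flag is discussed here"' > "$1"
}
```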
