SSF

Secure Socket Funneling - Network tool and toolkit - TCP and UDP port forwarding, SOCKS proxy, remote shell, standalone and cross platform.

Source 1: https://github.com/securesocketfunneling/ssf

Source 2: https://securesocketfunneling.github.io/ssf/#home

How to extract files

Opening a server on the Attacker machine.

• The (-l) is the IP of the attacker - without this flag it will listen on 0.0.0.0

• The default port (-p) is 8011

Opening the server on attacker

• -D: the attacker (server) will act as the SOCKS server

• -F: the target (client) will act as the SOCKS server

opening the client on the target

• ./ssfcp can copy files through the tunnel

Copying the /etc/shadow file to the attacker

Wireshark Results

Opening a shell with SSF

Opening a Server on attacker

• -X: client opens a listening socket on the given port (10000)

• -Y: client orders the server to open a listening socket on the given port (11000)

Testing the option SHELL

We can use just one of the options if we want:

• The -X let us open a shell of the attacker on the target machine

• The -Y let us open a shell of the target on our attacker machine

Use this options for Linux, Windows respectively to disable local echo:

stty -echo -icanon -isig min 1; nc 127.0.0.1 10000; stty echo icanon isig;

stty -isig; nc 127.0.0.1 10000; stty isig;

because of the option -X

because of the option -Y

All the traffic goes through the tunneling

To use copy and shell options, you need to specify the config.json accordingly:

{
  "ssf": {
    "arguments": "",
    "circuit": [],
    "http_proxy": {
      "host": "",
      "port": "",
      "user_agent": "",
      "credentials": {
        "username": "",
        "password": "",
        "domain": "",
        "reuse_ntlm": true,
        "reuse_nego": true
      }
    },
    "socks_proxy": {
      "version": 5,
      "host": "",
      "port": "1080"
    },
    "tls" : {
      "ca_cert_path": "./certs/trusted/ca.crt",
      "cert_path": "./certs/certificate.crt",
      "key_path": "./certs/private.key",
      "key_password": "",
      "dh_path": "./certs/dh4096.pem",
      "cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
    },
    "services": {
      "datagram_forwarder": { "enable": true },
      "datagram_listener": {
        "enable": true,
        "gateway_ports": false
      },
      "stream_forwarder": { "enable": true },
      "stream_listener": {
        "enable": true,
        "gateway_ports": false
      },
      "copy": { "enable": true },
      "shell": {
        "enable": true,
        "path": "/bin/bash",
        "args": ""
      },
      "socks": { "enable": true }
    }
  }