SSF

Secure Socket Funneling - Network tool and toolkit - TCP and UDP port forwarding, SOCKS proxy, remote shell, standalone and cross platform.


Last updated 2 years ago

How to extract files

Opening a server on the Attacker machine.

  • -l: the IP of the attacker; without this flag the server listens on 0.0.0.0

  • The default port (-p) is 8011

  • -D: the attacker (server) will act as the SOCKS server

  • -F: the target (client) will act as the SOCKS server

  • ./ssfcp can copy files through the tunnel

Opening a shell with SSF

  • -X: client opens a listening socket on the given port (10000)

  • -Y: client orders the server to open a listening socket on the given port (11000)

We can use just one of the options if we want:

  • -X lets us open a shell of the attacker on the target machine

  • -Y lets us open a shell of the target on our attacker machine

Use these options on Linux and Windows, respectively, to disable local echo:

stty -echo -icanon -isig min 1; nc 127.0.0.1 10000; stty echo icanon isig;
stty -isig; nc 127.0.0.1 10000; stty isig;

To use the copy and shell options, the corresponding services must be enabled in config.json:

{
  "ssf": {
    "arguments": "",
    "circuit": [],
    "http_proxy": {
      "host": "",
      "port": "",
      "user_agent": "",
      "credentials": {
        "username": "",
        "password": "",
        "domain": "",
        "reuse_ntlm": true,
        "reuse_nego": true
      }
    },
    "socks_proxy": {
      "version": 5,
      "host": "",
      "port": "1080"
    },
    "tls" : {
      "ca_cert_path": "./certs/trusted/ca.crt",
      "cert_path": "./certs/certificate.crt",
      "key_path": "./certs/private.key",
      "key_password": "",
      "dh_path": "./certs/dh4096.pem",
      "cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
    },
    "services": {
      "datagram_forwarder": { "enable": true },
      "datagram_listener": {
        "enable": true,
        "gateway_ports": false
      },
      "stream_forwarder": { "enable": true },
      "stream_listener": {
        "enable": true,
        "gateway_ports": false
      },
      "copy": { "enable": true },
      "shell": {
        "enable": true,
        "path": "/bin/bash",
        "args": ""
      },
      "socks": { "enable": true }
    }
  }
}
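
For defenders who recover an SSF config.json during triage, this added example (not from the original page or the SSF project) reports which of the services discussed above are switched on. The function name, constant names and finding strings are assumptions of this example, and the sample input is constructed from the page's "services" block.

```python
import json

# Services the page enables for file copy (ssfcp) and remote shell (-X / -Y).
HIGH_RISK = ("shell", "copy")
# Listener services; gateway_ports=true lets them bind beyond loopback.
LISTENERS = ("stream_listener", "datagram_listener")
UNPARSEABLE = "not a parseable SSF config (no ssf.services object)"

# Constructed sample: the "services" block from the page's config.json.
PAGE_CONFIG = """
{"ssf": {"services": {
  "datagram_forwarder": {"enable": true},
  "datagram_listener": {"enable": true, "gateway_ports": false},
  "stream_forwarder": {"enable": true},
  "stream_listener": {"enable": true, "gateway_ports": false},
  "copy": {"enable": true},
  "shell": {"enable": true, "path": "/bin/bash", "args": ""},
  "socks": {"enable": true}
}}}
"""


def audit_ssf_config(text):
    """Return findings (list of str) for an SSF config.json passed as text."""
    try:
        services = json.loads(text)["ssf"]["services"]
    except (ValueError, KeyError, TypeError):
        # Truncated or unrelated files end up here instead of raising.
        return [UNPARSEABLE]
    if not isinstance(services, dict):
        return [UNPARSEABLE]
    findings = []
    for name in HIGH_RISK:
        svc = services.get(name)
        if isinstance(svc, dict) and svc.get("enable") is True:
            path = f", path={svc['path']}" if svc.get("path") else ""
            findings.append(f"{name}: enabled{path}")
    for name in LISTENERS:
        svc = services.get(name)
        if isinstance(svc, dict) and svc.get("enable") is True \
                and svc.get("gateway_ports") is True:
            findings.append(f"{name}: gateway_ports enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ssf_config(PAGE_CONFIG):
        print(finding)
```

A config file cut off before its final closing brace is reported as unparseable rather than raising an exception.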

Source 1: https://github.com/securesocketfunneling/ssf

Source 2: https://securesocketfunneling.github.io/ssf/#home

Screenshot captions:

  • Opening the server on the attacker
  • Opening the client on the target
  • Copying the /etc/shadow file to the attacker
  • Wireshark results
  • Opening a server on the attacker
  • Testing the SHELL option
  • Because of the option -X
  • Because of the option -Y
  • All the traffic goes through the tunnel