Road to OSCP Part 2: Configuring a remotely accessible password cracking machine without editing your router forwarding settings (reverse tunneling via a public IP)

Previously, we covered reverse SSH tunneling from a compromised Windows machine to a proxy server with a public IP address that we own, in order to reach the Remote Desktop Protocol port.

In this article, we will turn a Windows 10 gaming laptop with an NVIDIA GTX 1050 Ti into a remotely accessible password cracker, reached through a PERSISTENT reverse SSH tunnel to a VPS that we own, so that the laptop is reachable by way of the VPS's public IP.

There are many VPS (Infrastructure as a Service) providers to choose from, for example:

  1. Amazon Web Services EC2 Cloud
  2. DigitalOcean Droplets
  3. Linode
  4. Vultr
  5. Rackspace
  6. Google Compute

Whichever you pick, the point is that we need a public IP address to act as a reverse proxy to the machine we want to RDP into.

It is up to you which one you choose. I am personally migrating from Amazon AWS to Vultr because its pricing suits my use better: I don't need a full-blown Kali Linux server running 24/7 and billed by the hour.

Sign up for one of these services first and spin up a Linux installation of your choice (Kali, Debian or Ubuntu).

Follow this guide to enable RDP on Windows 10:

https://www.groovypost.com/howto/setup-use-remote-desktop-windows-10/

Uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication", because the rdesktop client used below does not handle the CredSSP-based Network Level Authentication that newer Windows versions require by default. If you connect with xfreerdp instead, which does support NLA (/sec:nla), you can leave that box checked; NLA is worth keeping on an RDP service that will end up reachable from the internet.

Now install the OpenSSH client and the Windows Subsystem for Linux (WSL) by following these guides.

https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/

https://www.onmsft.com/how-to/how-to-install-windows-10s-linux-subsystem-on-your-pc

The latter gives you the Bourne-again shell (bash) with the usual tools such as grep, sort, uniq and cat, plus for loops, while still being able to run Windows executables from it.

Now configure the remote VPS (the one with the public IP) to allow root logins over SSH. This is needed because the tunnel below binds port 443 on the VPS, and a reverse forward may only bind a port below 1024 when the SSH user is root; with an unprivileged port such as 8443, an ordinary user account would do.

First, edit the file

nano /etc/ssh/sshd_config

Then replace its contents with the following. The directives that matter for this setup are PermitRootLogin and PasswordAuthentication (the tunnel is opened as root with a password) and the absence of GatewayPorts, whose default of "no" keeps the reverse-bound port on the VPS's loopback interface. Several of the other directives were removed in OpenSSH 7.4 and 7.5; a current sshd only logs a "Deprecated option" warning for them, so they are commented out here to keep the file clean on a recent Debian, Ubuntu or Kali VPS.

Port 22
# Protocol, UsePrivilegeSeparation, KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication and RhostsRSAAuthentication were removed with SSH-1
# support in OpenSSH 7.4/7.5; newer sshd only warns about them.
#Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
# DSA host keys have been disabled by default since OpenSSH 7.0 and the file
# is normally absent on current distributions, which sshd reports as
# "Could not load host key".
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#UsePrivilegeSeparation yes
#KeyRegenerationInterval 3600
#ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
StrictModes yes
#RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
#RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Root login with a password is what the ssh -R command below uses; root is
# required to bind the privileged remote port 443. Once a key is installed
# for root, switch PasswordAuthentication to no so the VPS is not open to
# password guessing on port 22.
PermitRootLogin yes
PasswordAuthentication yes
# Sends a keepalive every 180 s so NAT devices and the VPS firewall do not
# drop the idle tunnel.
ClientAliveInterval 180
UseDNS no
# GatewayPorts is deliberately left at its default of "no": the port bound by
# ssh -R is then reachable only from the VPS's own loopback interface, which
# is why socat is used further down to expose it.

Set a password for root. Make it long and random: with PasswordAuthentication enabled, root on this VPS is reachable from the whole internet on port 22.

passwd root

Then validate the file with sshd -t and restart the ssh service so the new configuration takes effect.

Now, from a PowerShell prompt on the laptop (the OpenSSH client does not need elevation), or from the WSL bash shell installed above:

ssh -Nf root@<proxyserverip> -R 443:127.0.0.1:3389

-N tells the ssh client not to run a remote command, and -f sends it to the background once authentication has succeeded. Note that the tunnel is only as persistent as the underlying TCP session: nothing restarts it if the connection drops, so for a tunnel that survives reboots and network blips wrap the command in a retry loop or run it under autossh.

-R requests a reverse forward, that is, a port bound on the public proxy server.

The argument 443:127.0.0.1:3389 binds port 443 on the proxy server and sends every connection arriving there back through the tunnel to port 3389 (RDP) on the gaming laptop. Because the sshd configuration above leaves GatewayPorts at its default of no, that port is bound on the VPS's loopback interface only, which is what the next step works around.

Log in to the proxy server and, as root (port 80 is privileged), run socat to relay the public port 80 to the loopback-only tunnel port 443:

socat TCP4-L:80,reuseaddr,fork TCP4:127.0.0.1:443

Without this relay the reverse-bound port is reachable only from the VPS itself (for example by using VNC to reach the proxy server's desktop and running rdesktop there), not through the VPS's public IP.

Be clear about what the relay exposes: socat listens on every interface, so anyone who finds port 80 on the VPS is talking directly to the laptop's RDP service, with Network Level Authentication turned off. An internet scanner will not mistake it for an anonymous web server; service fingerprinting (nmap -sV, for instance) identifies RDP on any port. If the laptop only needs to be reachable from your own Kali machine, skip socat, leave the port on loopback, and instead open a local forward (ssh -L) from Kali to port 443 on the VPS and point rdesktop at localhost; the RDP session is then wrapped in SSH end to end and nothing RDP-related listens on the public IP. If you do keep the public relay, restrict port 80 to your own source address in the VPS firewall.

Now, from your Kali Linux machine, connect through the publicly reachable proxy server:

rdesktop <public proxyserver ip>:80 -f
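The whole procedure as one bash script, added here as an example and not the original post's commands: a reconnecting launcher for the laptop side (run from the WSL bash shell), the socat relay for the VPS, the loopback-only client path from Kali via a forward tunnel, and a check that tells you whether the port bound by ssh -R actually landed on the VPS's loopback interface. The VPS address 203.0.113.10 and the port numbers are placeholders, and the `ss` output near the bottom is a constructed sample for the check, not output captured from a real host.

```shell
#!/usr/bin/env bash
# Added example for the reverse-RDP tunnel described above (not the post's own
# commands). Assumed placeholders: VPS=203.0.113.10, public port 80, tunnel
# port 443 on the VPS, RDP on port 3389 on the laptop.
set -u

VPS="${VPS:-203.0.113.10}"
PUB_PORT=80
TUNNEL_PORT=443
RDP_PORT=3389

# Laptop side (WSL bash). The post's `ssh -Nf` backgrounds once and never
# reconnects; this loop re-establishes the tunnel whenever the session dies.
# ExitOnForwardFailure makes ssh exit (so the loop retries) if the VPS refuses
# the remote bind, instead of staying connected with no forward in place.
keep_tunnel_up() {
  while :; do
    ssh -N \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o ExitOnForwardFailure=yes \
        -R "${TUNNEL_PORT}:127.0.0.1:${RDP_PORT}" "root@${VPS}"
    sleep 10
  done
}

# VPS side, as root: the post's relay from the public port to the loopback-only
# tunnel port. Anyone who reaches port 80 reaches the laptop's RDP service.
relay_public() {
  socat "TCP4-LISTEN:${PUB_PORT},reuseaddr,fork" "TCP4:127.0.0.1:${TUNNEL_PORT}"
}

# Kali side, the safer alternative to the relay: a local forward to the
# loopback port on the VPS, so RDP is wrapped in SSH end to end and nothing
# RDP-related listens on the public IP. -f backgrounds ssh once the forward is up.
rdp_via_forward() {
  ssh -f -N -o ExitOnForwardFailure=yes \
      -L "${RDP_PORT}:127.0.0.1:${TUNNEL_PORT}" "root@${VPS}" \
    && rdesktop "127.0.0.1:${RDP_PORT}" -f
}

# Check to run on the VPS once the tunnel is up:
#   reverse_bind_scope 443 "$(ss -Hltn)"
# Prints loopback, public or absent depending on where the listener is bound.
# "public" means GatewayPorts is on and RDP is exposed even without the relay.
reverse_bind_scope() {
  local port="$1" ss_out="$2" addr
  addr=$(printf '%s\n' "$ss_out" | awk -v p="$port" '
    { n = split($4, a, ":")            # column 4 is Local Address:Port
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit } }')
  case "$addr" in
    "")                echo absent ;;
    127.0.0.1|"[::1]") echo loopback ;;
    *)                 echo public ;;   # 0.0.0.0, *, [::] or a specific NIC
  esac
}

# Constructed sample of `ss -Hltn` output on the VPS with the tunnel and the
# relay both up (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 *:22 *:*'

# With no argument this only runs the check against the sample; pass
# tunnel, relay or client to actually start the corresponding side.
case "${1:-check}" in
  tunnel) keep_tunnel_up ;;
  relay)  relay_public ;;
  client) rdp_via_forward ;;
  check)  echo "tunnel port ${TUNNEL_PORT}: $(reverse_bind_scope "$TUNNEL_PORT" "$SAMPLE_SS")"
          echo "public port ${PUB_PORT}:  $(reverse_bind_scope "$PUB_PORT" "$SAMPLE_SS")" ;;
esac
```

Run `bash tunnel.sh tunnel` on the laptop, `bash tunnel.sh relay` (or `client` from Kali, which needs no relay) on the other side, and `reverse_bind_scope 443 "$(ss -Hltn)"` on the VPS to confirm the bind is on loopback before deciding whether to expose it at all.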

Finally, install the NVIDIA drivers on the laptop and download and install the hashcat binaries:

https://hashcat.net/hashcat/

You're done!

Enjoy your remotely accessible cracking machine: put your old gaming laptop to work behind a cheap, publicly reachable reverse proxy server instead of renting an expensive Amazon AWS P2 GPU instance.

[Screenshot from 2019-06-12 18-31-28]
