How can you attack or redirect the client from the server over an RDP or SSH connection?



  • I have a penetration testing scenario where I am on the network with two machines, Machine A and Machine B. I have complete control over Machine B and am trying to leverage that to get access to Machine A. Machine A appears to be some variant of Linux (I pinged it and the response had a TTL value of 64, but I know this could be spoofed which is why it is only my guess), and Machine B is Ubuntu Linux.

    An nmap scan of Machine A found that port 443 was open and port 22 was filtered. I have drawn the conclusion that Machine A accepts SSH connections via port 22, but behind some rule or firewall.

    Machine A acts as a bastion, so the web application on port 443 (which I have already tested for vulnerabilities and found none) lets authenticated users have an interactive RDP or SSH session with machines on the network, from the context of Machine A. So I can log into the web application that Machine A is hosting and connect via a browser over to Machine B via RDP or SSH.

    Because I have full control over Machine B and can get Machine A to connect to it, what RDP or SSH attacks are there that I can leverage? I am thinking primarily of whether or not there's a way to have Machine B make Machine A redirect the session to localhost, which would mean Machine A would connect back to itself over SSH in a session I can interact with.

    Note: I am aware of SSH reverse tunneling, but that requires special configuration on Machine A's side when the connection is established, and I don't have access to that.



  • It is not possible to directly attack the client from the server in that way, but here's what I managed to do, in case anyone else finds it helpful. I used ARP poisoning to make the IP address of Machine B point to the MAC address of Machine A. That way, when I logged on to the web interface and connected to Machine B, it actually resolved to Machine A.
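Added example, not part of the original posts: a defender-side check for the condition the answer describes, run over the neighbour table of the host that makes the outbound connections. It flags a remote IP that resolves to the host's own MAC, an IP whose MAC differs from a pinned baseline, and a MAC shared by several IPs. The addresses, the baseline and the `ip neigh show` sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output as seen on the bastion (not real data).
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:0a REACHABLE
10.0.0.30 dev eth0 lladdr 00:11:22:33:44:1e STALE
10.0.0.40 dev eth0  FAILED
"""
OWN_MACS = {"00:11:22:33:44:0a"}  # constructed: the bastion's own NIC
BASELINE = {                      # constructed: known-good IP -> MAC pins
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.20": "00:11:22:33:44:14",
    "10.0.0.30": "00:11:22:33:44:1e",
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.I,
)

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    entries = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            entries[m["ip"]] = m["mac"].lower()
    return entries

def find_anomalies(entries, own_macs, baseline):
    """Return (rule, ip, mac) tuples for suspicious neighbour entries."""
    own = {m.lower() for m in own_macs}
    findings, by_mac = [], defaultdict(list)
    for ip, mac in sorted(entries.items()):
        by_mac[mac].append(ip)
        if mac in own:  # a remote IP resolving to this host's own MAC
            findings.append(("own-mac", ip, mac))
        pinned = baseline.get(ip)
        if pinned and pinned.lower() != mac:  # mapping drifted from the pin
            findings.append(("baseline-mismatch", ip, mac))
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:  # can also be proxy ARP or one host with several IPs
            findings.append(("shared-mac", ",".join(ips), mac))
    return findings

if __name__ == "__main__":
    for rule, ip, mac in find_anomalies(parse_neigh(SAMPLE_NEIGH), OWN_MACS, BASELINE):
        print(f"{rule}: {ip} -> {mac}")
```

Static neighbour entries for the hosts a bastion is allowed to reach, or Dynamic ARP Inspection on the switch, prevent the forged mapping from being accepted in the first place.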


