Scanning ports through SSH Port Forwarding

In one of the latest penetration tests we faced a SSH server that was based in Maverick SSHTOOLS.

The funny thing is that this server was implemented by copy & pasting the example from the web, which had the Port forwarding feature enabled.

After running a bruteforce attack, we found that the admin account had the "admin" password (strong password policy btw), but when we tried to login there was no shell,  the server echoed everything we typed. So we went for the Port forwarding option, we forwarded some ports to interesting services like Terminal Server in the same machine and it worked, so then we though that would be great to be able to scan the internal network through this port forwarding feature, and that´s how we came up with this SSHscan tool.

SSHscan.py will allow you to scan a internal network through a SSH with port forwarding enabled. The tool allows to create a port forward in localhost for every open port detected in the internal network range.

This tool is not one that can be used in every engagement but when you have the opportunity and the need it will came handy.

The tool has been included in the edgeSSH kit, where we will include all the scripts related with SSH, at the moment only bruteSSH, a SSH login bruteforcer and scanSSH are included in the kit.

You can download the code here://code.google.com/p/edgessh

Command line options:

       -h: target host
       -u: username
       -p: password
       -l: targets lists to scan
       -t: threads
       --remote-host: host to scan
       --remote-ports: port list to scan
       --default-ports: scan default ports
       --all-ports: scan all 65535 ports
       --keep-tunnels: Forward all open ports

Examples:

    scanssh.py -h 192.168.1.55 -u root -p passowrd -t list.txt
    scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --remote-ports 80,443
    scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --default-ports

Enjoy Edge-Security