Tips and Tricks for A Better Life Through SSH

Escaping Dead SSH Sessions

If you ever find yourself looking at an inactive or dead SSH session, don’t panic. Getting out is easy.

Unfreeze Your Terminal

Make sure your SSH session is actually dead before killing it. If you mistakenly bump Ctrl+s, be aware that terminal output will be frozen. Your input will still be going to the terminal, but it won’t be refreshing the screen as you type.

Press Ctrl+q to unfreeze a frozen terminal.

Kill The Session

When you’re sure your SSH session is fully inoperable, either because an IP address changed in Nexus or the server you’re connected to dies, you can send a magic string to force kill the session.

Before doing anything else, strike return. This will ensure that your input buffer is clear, which is a requirement: ssh only recognizes the escape character at the start of a line, immediately after a newline.

With a clear input buffer, type ~.

Congrats, your SSH session should be dead. Be advised if you nest SSH sessions, this will kill all sessions recursively, not just the innermost SSH session, because the escape is handled by the outermost ssh client and everything inside it dies with it. To kill only an inner session, double the tilde (~~.) so the outer client passes the escape through to the next one in.

Other Things In The Same Place

Type ~? to see other “escape sequences” like ~C for “open a command line” which lets you create and delete port forwards in the current session. For example, -D9000 would create a dynamic port forward on localhost:9000, and -KD9000 would kill it.

Using ssh config Instead of Memorizing ssh CLI Syntax

Where

In ~/.ssh/config. See also: https://www.ssh.com/academy/ssh/config

What

A stanza like this one:

Host customer cust client
  hostname 10.10.10.10
  user root
  port 8415
  IdentityFile ~/.ssh/id_ecdsa
  DynamicForward 9000
  LocalForward 3390 10.10.10.55:3389

With that in place, you can do ssh cust or ssh customer or ssh client and you’ll get a connection as root to 10.10.10.10 on port 8415, authenticating with the key in ~/.ssh/id_ecdsa.

The DynamicForward line gives you a local SOCKS proxy on 127.0.0.1:9000 whose traffic egresses from 10.10.10.10. Point any client that speaks SOCKS (browser, curl, whatever) at localhost:9000 and you can browse as though you were sitting at the 10.10.10.10 system. Even https://127.0.0.1:8834 will get you to Nessus on that host (if Nessus is running, obvs).

The LocalForward line lets you use mstsc.exe (or whatever) to connect to 127.0.0.1:3390 and have that hit the Remote Desktop listener on 10.10.10.55:3389 on the network where your implant is running. Note that mstsc.exe will not allow you to connect to localhost:3389, so … pick something else.

Furthermore…

If you set IdentityFile (or port or DynamicForward or any of the variables) outside any Host stanza, you are setting the default value for that variable. One catch: ssh uses the first value it finds for each option, so a bare port line at the top of the file actually overrides the port in every Host stanza below it (IdentityFile and the forwards are exceptions, since they accumulate). For true fallbacks, put them in a Host * stanza at the end of the file.

The indenting whitespace under the Host line is for readability only. This isn’t Python for cryin’ out loud.
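As an added example (not from the original post): a small Python resolver that reads ssh_config the way ssh does, with aliases, case-insensitive keywords, cosmetic indentation and the first-obtained-value rule, and shows how a bare Port line at the top of the file shadows the port 8415 in the stanza above. The Host * block, the second IdentityFile and the alias other.example are constructed for the demonstration.

```python
import fnmatch
import re
# Options ssh accumulates across matching blocks; everything else is first-value-wins
# (ssh_config(5)), so bare defaults at the top of the file override later Host stanzas.
MULTI_VALUED = {"localforward", "remoteforward", "dynamicforward", "identityfile"}

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, [(key, value), ...]) blocks; lines before
    the first Host form an implicit catch-all. No Match blocks, '!' patterns or quoting."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # indentation is cosmetic, comments ignored
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), []))   # one stanza may list several aliases
        else:
            blocks[-1][1].append((key, value))
    return blocks

def resolve(text, alias):
    """Return the options ssh would use for `ssh alias` given this config text."""
    opts = {}
    for patterns, entries in parse_blocks(text):
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue
        for key, value in entries:
            if key in MULTI_VALUED:
                opts.setdefault(key, []).append(value)
            elif key not in opts:                # first obtained value wins
                opts[key] = value
    opts.setdefault("hostname", alias)           # ssh's own fallbacks
    opts.setdefault("port", "22")
    return opts
# The page's stanza, plus constructed defaults placed two ways: trailing 'Host *' vs bare top lines.
PAGE_STANZA = """\
Host customer cust client
  hostname 10.10.10.10
  user root
  port 8415
  IdentityFile ~/.ssh/id_ecdsa
  DynamicForward 9000
  LocalForward 3390 10.10.10.55:3389
"""
TAIL_DEFAULTS = "Host *\n  Port 22\n  IdentityFile ~/.ssh/id_ed25519\n"  # catch-all at the end
TOP_DEFAULTS = "Port 22\nIdentityFile ~/.ssh/id_ed25519\n"              # bare, before any Host
GOOD = PAGE_STANZA + TAIL_DEFAULTS   # resolve(GOOD, "cust")["port"] == "8415"
BAD = TOP_DEFAULTS + PAGE_STANZA     # resolve(BAD, "cust")["port"] == "22": Port 22 shadows 8415
```

Run resolve(GOOD, "cust") and resolve(BAD, "cust") side by side to see the shadowing; ssh -G cust against a real config gives the same kind of dump for comparison.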