All of the previous steps were just to get us here. We can now reach the RIPT Server over SSH or VNC, use it as an HTTP proxy for web application testing, or use it as a SOCKS proxy for anything that speaks SOCKS, such as database tools.
Let’s walk through a few of those activities.
Note: As in the previous examples, these assume you're working with RIPT Server 01; adjust the port numbers accordingly if you're working with other systems.
It doesn't matter whether you reached the RIPT Relay directly over SSH or through the SSL/TLS encapsulated tunnel; the local port forwards are the same either way. Here's how to configure PuTTY to SSH to the RIPT Server through them.
Create a Session, we'll call it RIPT01-SSH, with the following basic options. We connect to the locally forwarded port (11095), which the tunnel profile maps to the SSH server running on the RIPT Server.
Host Name: root@localhost Port: 11095
The RIPT Server only accepts key authentication, so point the session at your private key (PuTTY needs the .ppk form of it) under Connection -> SSH -> Auth.
After making all of your changes remember to go back up to Session and click Save.
Once you've established a connection with RIPT01-tunnels-SSH or RIPT01-tunnels-SSL, open RIPT01-SSH and you should be prompted for the passphrase of your private key. After entering it you should have a root prompt on the RIPT Server.
We previously defined our ~/.ssh/config file on the RIPT Client as:
Host RIPT*
    AddressFamily inet
    User ript-relay
    Port 22
    IdentityFile /root/.ssh/ript_client
    ServerAliveInterval 10
    LocalForward 11095 127.0.0.1:12095
    LocalForward 11096 127.0.0.1:12096
    LocalForward 11097 127.0.0.1:12097
    LocalForward 11098 127.0.0.1:12098

Host RIPT-tunnels-SSH
    HostName riptscan.com
    StrictHostKeyChecking yes
    UserKnownHostsFile /root/.ssh/known_hosts

Host RIPT-tunnels-SSL
    HostName localhost
    ProxyCommand /usr/bin/ncat --ssl-verify <FQDN of RIPT Relay> 443
    NoHostAuthenticationForLocalhost yes
SSH with either the RIPT01-tunnels-SSH or the RIPT01-tunnels-SSL profile (note that the stanzas in the config above are named RIPT-tunnels-SSH and RIPT-tunnels-SSL; the alias you type must match a Host line that carries a HostName or ProxyCommand, otherwise ssh tries to resolve the alias itself as a hostname) and then, from the command line on your RIPT Client, run the following. With the SSL profile, NoHostAuthenticationForLocalhost disables SSH host key checking, so ncat's --ssl-verify, which checks the relay's TLS certificate, is what authenticates the far end; don't drop it.
ssh -i /root/.ssh/ript_client -p 11095 root@localhost
This is the same key the config above presents to the RIPT Relay; the RIPT Client's public key is authorized on the RIPT Server as well.
As we're running TightVNC on the RIPT Server it's recommended to use the matching viewer. By default, this is what's installed on Ubuntu when 'apt-get install vnc' is run. The viewer is also available on Windows. We connect to the locally forwarded port (11096), which the tunnel profile maps to the VNC server running on the RIPT Server. Since 11096 is a raw port rather than a display number, give the viewer the double-colon form: vncviewer localhost::11096.
Note: The first time you open the VNC client you’ll see an error message about “no session for PID ###” or something similar. This is a known issue and can safely be clicked through. It will not affect your experience.
So, from a web browser inside the VNC session we can now point at https://localhost:8834 and run Nessus once it's been installed.
In this example we’ll use the Squid proxy on the RIPT Server to test an internal firewall admin page.
First we point our test framework (Burp Suite) at the HTTP proxy on the RIPT Server. We connect to the locally forwarded port (11097), which the tunnel profile maps to Squid running on the RIPT Server.
Burp Suite -> User options -> Connections -> Upstream Proxy Servers (Settings -> Network -> Connections in newer releases): Destination host *, Proxy host 127.0.0.1, Proxy port 11097
Burp Suite runs its own intercepting proxy on 127.0.0.1:8080 by default.
We configure our web browser to use Burp Suite's listener (127.0.0.1:8080) as its proxy; Burp then forwards every request upstream, through the tunnel, to the RIPT Server's Squid proxy.
We can now reach an internal client firewall administration page from our RIPT Client and test it with Burp Suite running on the RIPT Client, while the requests themselves leave from the RIPT Server. One caveat: Squid's stock configuration only permits CONNECT to port 443 (the SSL_ports acl), so an admin page served over HTTPS on a non-standard port will be refused until that acl on the RIPT Server is widened.
To demonstrate the SOCKS proxy capability we'll access a database running in the same environment as the RIPT Server from the RIPT Client.
First we need to define the SSH 'client' (SOCKS part 2) configuration and then establish that tunnel, as it is the only one we do not autorun.
From our SSH config on the RIPT Server (this should look familiar):
Host client
    HostName localhost
    AddressFamily inet
    User root
    Port 22
    IdentityFile /root/.ssh/ript-01.id_rsa
    LocalForward 9999 192.168.1.69:3306
    ServerAliveInterval 10
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    NoHostAuthenticationForLocalhost yes
The LocalForward binds 127.0.0.1:9999 on the RIPT Server and hands each connection to the MySQL port (3306) on 192.168.1.69.
On the RIPT Server (where you already have a root prompt via RIPT01-SSH), create the tunnel to the database.
ssh -i /root/.ssh/ript-01.id_rsa client
This will likely fail with the following error message.
Permission denied (publickey).
This is because we added the RIPT Server's public key to the RIPT Relay, and the RIPT Client's public key to both the RIPT Relay and the RIPT Server, but we never added the RIPT Server's own public key to itself, and the 'client' stanza is SSHing to ourselves.
So let's add it to /root/.ssh/authorized_keys on the RIPT Server (it's the public half of /root/.ssh/ript-01.id_rsa):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYLth9fKJYB9NU79L3OasBUOTVrnIRBgJH4VwVPhXs23xnpG4sYmDel3xoChglPvM50wgkWxm/JFcrW5DHi4ndkZBR8Wp6bSvEVkijIYejDdeJVfmmpChnJopGgPO5w+vDTgP5I1fjDQvocXscjPJdAqFEQKtWOoGd+SzpCfwG4wD/egHMZIchLjpkexuJpG9k2Q5cgqRd/CEAJ0QL8+4lqbYCqapw6zIBZiOHnv3WR3QXhSY1gvX1Isri1D7Oh8ZFI7jqv0cYteX2f1iDbfwN6YYqkkIA6BrkMBincC/FSZ/mpo8hlRRnIrcCHfYrSVc3bsuocesz/b/UJngVzCjV root@ript-01
Now try the connection again.
ssh -i /root/.ssh/ript-01.id_rsa client
You should be returned to a command prompt, but you're actually in a new shell on the same host, and the forward only lives as long as that shell does. Going forward you'll likely want to just create the tunnel and return, with -NfT (no remote command, go to the background after authenticating, no pseudo-terminal) or something similar.
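Here is the authorized_keys step as a small script, an added example for this write-up and not part of RIPT: it appends the RIPT Server's own public key exactly once and, because that key only ever needs to reach localhost for the 'client' stanza, pins it to loopback with a from= option and disables agent and X11 forwarding (port forwarding stays allowed, since LocalForward 9999 depends on it). It assumes the public half of the key sits beside the private one as /root/.ssh/ript-01.id_rsa.pub; the key its demo mode uses is constructed, not the one shown above.

```shell
#!/bin/sh
# authorize-self-key.sh (added example for this write-up, not one of the RIPT
# scripts): put the RIPT Server's own public key into its authorized_keys so the
# "client" stanza above can ssh to localhost, but only once and only from loopback.
# The private key path is the one used above; the .pub location is an assumption.
set -eu

# authorize_self_key PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key once (matched on type + blob, ignoring the comment) with options
# that pin it to the loopback addresses and disable agent/X11 forwarding. Port
# forwarding is left enabled because the "client" stanza relies on LocalForward.
authorize_self_key() {
    pubkey=$1 auth=$2
    blob=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey")
    [ -n "$blob" ] || { echo "no public key found in $pubkey" >&2; return 1; }
    ( umask 077; mkdir -p "$(dirname "$auth")"; touch "$auth" )
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
        return 0
    fi
    printf 'from="127.0.0.1,::1",no-agent-forwarding,no-X11-forwarding %s\n' \
        "$(cat "$pubkey")" >> "$auth"
    echo "added"
}

# Constructed sample key for "demo": not a real key and not the one shown above.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEKEY root@ript-01'

case "${1:-}" in
    install)  # run as root on the RIPT Server
              authorize_self_key /root/.ssh/ript-01.id_rsa.pub /root/.ssh/authorized_keys ;;
    demo)     d=$(mktemp -d)
              printf '%s\n' "$SAMPLE_PUBKEY" > "$d/id.pub"
              authorize_self_key "$d/id.pub" "$d/authorized_keys"   # added
              authorize_self_key "$d/id.pub" "$d/authorized_keys"   # already present
              cat "$d/authorized_keys"; rm -rf "$d" ;;
    *)        echo "usage: $0 install|demo" >&2 ;;
esac
```

The from= restriction works here because the 'client' stanza sets AddressFamily inet and HostName localhost, so the connection always arrives from 127.0.0.1; if you later point that stanza at another host, the option has to follow.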
Now on the RIPT Client we'll use SQuirreL SQL to connect to the remote database. We connect to the locally forwarded port (11098), which the tunnel profile maps to the SOCKS proxy we set up on the RIPT Server.
And test the connection.
To get files to and from the RIPT Server you can use scp or sftp from the command line, or FileZilla, which can use key authentication: Edit -> Settings -> Connection -> SFTP -> Add key file...
Once your tunnels are established you can connect to the RIPT Server with the following settings.
Host: sftp://127.0.0.1
Username: root
Password: <blank>
Port: 11095
Note: Leaving the password blank forces key authentication. You should be prompted for your passphrase and then logged in.
That’s all for now. Hope you enjoyed it! Some of the things I’m working on for future iterations include the cloning of RIPT Servers and the dockerization of RIPT Clients.
If I made any mistakes I’m sure I’ll hear about it, but if you have any cool/novel ideas I’d be interested in those as well. Leave a comment – I moderate them occasionally.