All the previous steps were just to get us here. We can now access the Dropbox Server via SSH or VNC. We can use it as an HTTP proxy for web application testing, or as a SOCKS proxy for anything that supports one, such as database testing.
Let’s walk through a few of those activities.
Note: As in previous examples, these assume that you’re working with Dropbox Server 01; adjust port numbers accordingly if working with other systems.
It doesn’t matter if you’ve accessed the Dropbox Relay directly via SSH or through an SSL/TLS encapsulated tunnel. Here’s how to configure Putty to SSH to the Dropbox Server.
Create a Session, we’ll call it DBOX01-SSH, with the following basic options. We connect to the locally forwarded port (11095) that connects to the SSH server running on the Dropbox Server.
Host Name: firstname.lastname@example.org Port: 11095
It will require key authentication on the Dropbox Server.
After making all of your changes, remember to go back up to Session and click Save.
Once you’ve established a connection to DBOX01-tunnels-SS*, open DBOX01-SSH and you should be prompted to enter the passphrase for your private key. After entering it you should have a root prompt on the Dropbox Server.
We previously defined our /.ssh/config file as:
Host DBOX*
    AddressFamily inet
    User dbox-relay
    Port 22
    IdentityFile /root/.ssh/dbox_client
    ServerAliveInterval 10
    LocalForward 11095 127.0.0.1:12095
    LocalForward 11096 127.0.0.1:12096
    LocalForward 11097 127.0.0.1:12097
    LocalForward 11098 127.0.0.1:12098

Host DBOX-tunnels-SSH
    HostName <FQDN of Dropbox Relay>
    StrictHostKeyChecking yes
    UserKnownHostsFile /root/.ssh/known_hosts

Host DBOX-tunnels-SSL
    HostName localhost
    ProxyCommand /usr/bin/ncat --ssl-verify <FQDN of Dropbox Relay> 443
    NoHostAuthenticationForLocalhost yes
SSH with either the DBOX01-tunnels-SSH or the DBOX01-tunnels-SSL profile and then from the command line on your Dropbox Client run the following.
ssh -i /dbox_client -p 11095 root@localhost
As we’re running tightvnc on the Dropbox Server it’s recommended to use the same client. By default, this is what’s installed on Ubuntu when ‘apt-get install vnc’ is run. The client is also available on Windows. We connect to the locally forwarded port (11096) that connects to the VNC server running on the Dropbox Server.
Note: The first time you open the VNC client you’ll see an error message about “no session for PID ###” or something similar. This is a known issue and can safely be clicked through. It will not affect your experience.
So, we can now open a web browser from within the VNC session, point it to https://localhost:8834 and run Nessus once it’s been installed.
In this example we’ll use the Squid proxy on the Dropbox Server to test an internal firewall admin page.
First we set our test framework (Burp Suite) to use our HTTP proxy on the Dropbox Server. We connect to the locally forwarded port (11097) that connects to Squid running on the Dropbox Server.
Burp Suite -> Upstream Proxy Servers
Burp Suite runs a local proxy to intercept traffic on port 8080 by default.
We can configure our web browser to use Burp Suite’s connection to our Dropbox Server’s Squid proxy.
We can now access an internal client firewall administration page from our Dropbox Client and use Burp Suite running on our Dropbox Client to test it.
To demonstrate the SOCKS proxy capability we’ll access a database running in the same environment as the Dropbox Server from the Dropbox Client.
First we need to define the SSH ‘client’ (SOCKS part 2) configuration and then establish that tunnel as it is the only one we do not autorun.
From our SSH config (this should look familiar).
Host client
    HostName localhost
    AddressFamily inet
    User root
    Port 22
    IdentityFile /root/.ssh/dbox-01.id_rsa
    LocalForward 9999 192.168.1.69:3306
    ServerAliveInterval 10
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    NoHostAuthenticationForLocalhost yes
Create the tunnel to the database.
ssh -i /root/.ssh/dbox-01.id_rsa client
This will likely fail with the following error message.
Permission denied (publickey).
This is because we’ve added the public key for the Dropbox Server to the Dropbox Relay, and the public key for the Dropbox Client to both the Dropbox Relay and the Dropbox Server, but we haven’t added the Dropbox Server’s public key to itself. Here we’re actually attempting to SSH to ourselves.
So let’s add it.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYLth9fKJYB9NU79L3OasBUOTVrnIRBgJH4VwVPhXs23xnpG4sYmDel3xoChglPvM50wgkWxm/JFcrW5DHi4ndkZBR8Wp6bSvEVkijIYejDdeJVfmmpChnJopGgPO5w+vDTgP5I1fjDQvocXscjPJdAqFEQKtWOoGd+SzpCfwG4wD/egHMZIchLjpkexuJpG9k2Q5cgqRd/CEAJ0QL8+4lqbYCqapw6zIBZiOHnv3WR3QXhSY1gvX1Isri1D7Oh8ZFI7jqv0cYteX2f1iDbfwN6YYqkkIA6BrkMBincC/FSZ/mpo8hlRRnIrcCHfYrSVc3bsuocesz/b/UJngVzCjV root@dbox-01
Now try the connection again.
ssh -i /root/.ssh/dbox-01.id_rsa client
You should be returned to a command prompt. You’re actually in a new shell. Going forward you’ll likely want to just create the tunnel and return (-NfT) or something similar.
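Every LocalForward in the configs above is written without a bind address, so with the OpenSSH default (GatewayPorts no) the SSH, VNC and proxy listeners are reachable only from the machine that opened the tunnel. The following is an added example, not part of the original post: it parses an ssh_config and flags any LocalForward that would listen beyond loopback. The DBOX-shared block in the sample is hypothetical and deliberately misconfigured.

```python
# Added example (not from the original post): audit LocalForward lines in an
# ssh_config for listeners reachable from other machines.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Constructed sample: forwards from the two configs on this page, plus a
# hypothetical "DBOX-shared" block that is deliberately misconfigured.
SAMPLE = """\
Host DBOX*
    LocalForward 11095 127.0.0.1:12095
    LocalForward 11096 127.0.0.1:12096
    LocalForward 11097 127.0.0.1:12097
    LocalForward 11098 127.0.0.1:12098
Host client
    LocalForward 9999 192.168.1.69:3306
Host DBOX-shared
    GatewayPorts yes
    LocalForward 0.0.0.0:11096 127.0.0.1:12096
    LocalForward 11097 127.0.0.1:12097
"""

def parse_blocks(text):
    """Group options by Host pattern: {pattern: [(keyword, value), ...]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = blocks.setdefault(value, [])
        elif current is not None:
            current.append((key, value))
    return blocks

def audit(text):
    """Return (host, local_port, reason) for forwards not limited to loopback.
    Each Host block is judged on its own; pattern merging is not modelled."""
    findings = []
    for host, opts in parse_blocks(text).items():
        gateway = ("gatewayports", "yes") in [(k, v.lower()) for k, v in opts]
        for key, value in opts:
            if key != "localforward":
                continue
            bind, sep, port = value.split()[0].rpartition(":")
            if sep and bind not in LOOPBACK:  # explicit bind; "" or "*" = all
                findings.append((host, int(port), "bind address " + (bind or "*")))
            elif not sep and gateway:         # no bind: GatewayPorts decides
                findings.append((host, int(port), "GatewayPorts yes"))
    return findings

if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE):
        print(f"{host}: local port {port} is exposed ({reason})")
```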
Now on the Dropbox Client we’ll use SquirrelSQL to connect to the remote database. We connect to the locally forwarded port (11098) that connects to the SOCKS proxy we set up on the Dropbox Server.
And test the connection.
To get files to and from the Dropbox Server you can use the command line, or you can use FileZilla, which supports key authentication. Go to Edit -> Settings -> SFTP -> Add key file…
Once you have your tunnels established you can connect to the Dropbox Server with the following settings.
Host: sftp://127.0.0.1
Username: root
Password: <blank>
Port: 11095
Note: Leaving the password blank will force the key authentication. You should be prompted for your passphrase and then logged in.
That’s all for now. Hope you enjoyed it! Some of the things I’m working on for future iterations include the cloning of Dropbox Servers and the dockerization of Dropbox Clients.
If I made any mistakes I’m sure I’ll hear about it, but if you have any cool/novel ideas I’d be interested in those as well. Leave a comment – I moderate them occasionally.