RIPT 20 – RIPT Client (SSH/VNC/HTTP Proxy/SOCKS Proxy)

All the previous steps were just to get us to here. We can now access the RIPT Server via SSH or VNC. We can use it as an HTTP Proxy for web application testing or as a SOCKS proxy for anything that supports such things, like database testing.

Let’s walk through a few of those activities.

Note: As in previous examples, these assume that you’re working with RIPT Server 01; adjust port numbers accordingly if working with other systems.

SSH (Windows)

It doesn’t matter if you’ve accessed the RIPT Relay directly via SSH or through an SSL/TLS encapsulated tunnel. Here’s how to configure Putty to SSH to the RIPT Server.

Create a session (we’ll call it RIPT01-SSH) with the following basic options. We connect to the locally forwarded port (11095), which connects to the SSH server running on the RIPT Server.

Host Name: root@127.0.0.1

Port: 11095
Putty (SSH) – General

It will require key authentication on the RIPT Server.

Putty (SSH) – Auth

After making all of your changes remember to go back up to Session and click Save.

Once you’ve established a connection to RIPT01-tunnels-SS*, open RIPT01-SSH and you should be prompted to enter the passphrase for your private key. After entering it you should have a root prompt on the RIPT Server.

SSH (Linux)

We previously defined our /.ssh/config file as:

Host RIPT*
 AddressFamily inet
 User ript-relay
 Port 22
 IdentityFile /root/.ssh/ript_client
 ServerAliveInterval 10
 LocalForward 11095 127.0.0.1:12095
 LocalForward 11096 127.0.0.1:12096
 LocalForward 11097 127.0.0.1:12097
 LocalForward 11098 127.0.0.1:12098
 
Host RIPT-tunnels-SSH
 HostName riptscan.com
 StrictHostKeyChecking yes
 UserKnownHostsFile /root/.ssh/known_hosts

Host RIPT-tunnels-SSL
 HostName localhost
 ProxyCommand /usr/bin/ncat --ssl-verify <FQDN of RIPT Relay> 443
 NoHostAuthenticationForLocalhost yes

SSH with either the RIPT01-tunnels-SSH or the RIPT01-tunnels-SSL profile, and then, from the command line on your RIPT Client, run the following.

ssh -i /ript_client -p 11095 root@localhost
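Added example, not from the original post: a POSIX sh check that every LocalForward in the RIPT* block is actually listening on the RIPT Client once the tunnel is up. That block does not set ExitOnForwardFailure, so ssh will still connect when one forward failed to bind (for instance because the port was already in use); the config and `ss -Hltn` output below are constructed samples.

```shell
# forward_ports <ssh config> '<Host pattern exactly as written>'
# Prints the local port of each LocalForward line inside that Host block.
forward_ports() {
    awk -v want="$2" '
        /^[[:space:]]*Host[[:space:]]/ { inblock = ($2 == want); next }
        inblock && /^[[:space:]]*LocalForward[[:space:]]/ {
            p = $2; sub(/.*:/, "", p); print p   # drop optional bind address
        }' "$1"
}

# listening_ports <file holding "ss -Hltn" output>
# Prints the listening TCP ports (column 4 is local address:port).
listening_ports() {
    awk '{ p = $4; sub(/.*:/, "", p); print p }' "$1" | sort -un
}

# missing_forwards <ssh config> '<Host pattern>' <ss output file>
# Returns 1 and names the ports if any declared forward is not listening.
missing_forwards() {
    missing=""
    for p in $(forward_ports "$1" "$2"); do
        listening_ports "$3" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "forwards not listening:$missing" >&2
    return 1
}

# Constructed sample inputs standing in for ~/.ssh/config and live `ss -Hltn`
# output (in real use: ss -Hltn > "$tmp/ss.txt" after the tunnel is up).
tmp=$(mktemp -d)
cat > "$tmp/config" <<'EOF'
Host RIPT*
 LocalForward 11095 127.0.0.1:12095
 LocalForward 11096 127.0.0.1:12096
 LocalForward 11097 127.0.0.1:12097
 LocalForward 11098 127.0.0.1:12098

Host RIPT-tunnels-SSH
EOF
cat > "$tmp/ss.txt" <<'EOF'
LISTEN 0 128 127.0.0.1:11095 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11096 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11098 0.0.0.0:*
EOF
if missing_forwards "$tmp/config" 'RIPT*' "$tmp/ss.txt"; then echo "all forwards listening"; fi
```

With the sample data the check reports that 11097 (the Squid forward) is not listening, which is exactly the case Burp Suite would otherwise surface only as an opaque upstream proxy error.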

VNC

As we’re running tightvnc on the RIPT Server, it’s recommended to use the same client. By default, this is what’s installed on Ubuntu when ‘apt-get install vnc’ is run. The client is also available on Windows. We connect to the locally forwarded port (11096), which connects to the VNC server running on the RIPT Server.

TightVNC – localhost

TightVNC – Password

TightVNC – RIPT Server

Note: The first time you open the VNC client you’ll see an error message about “no session for PID ###” or something similar. This is a known issue and can safely be clicked through. It will not affect your experience.

So, we can now open a web browser from within the VNC session, point it to https://localhost:8834 and run Nessus once it’s been installed.

Nessus

HTTP Proxy

In this example we’ll use the Squid proxy on the RIPT Server to test an internal firewall admin page.

First we set our test framework (Burp Suite) to use our HTTP proxy on the RIPT Server. We connect to the locally forwarded port (11097), which connects to Squid running on the RIPT Server.

Burp Suite -> Upstream Proxy Servers

Burp Suite – Upstream Proxy

Burp Suite runs a local proxy to intercept traffic on port 8080 by default.

Burp Suite – Local Proxy

We can configure our web browser to use Burp Suite’s connection to our RIPT Server’s Squid proxy.

Browser – Proxy Settings

We can now access an internal client firewall administration page from our RIPT Client and use Burp Suite running on our RIPT Client to test it.

Web Application Testing

SOCKS Proxy

To demonstrate the SOCKS proxy capability we’ll access a database running in the same environment as the RIPT Server from the RIPT Client.

First we need to define the SSH ‘client’ (SOCKS part 2) configuration and then establish that tunnel as it is the only one we do not autorun.

From our SSH config (this should look familiar).

Host client
 HostName localhost
 AddressFamily inet
 User root
 Port 22
 IdentityFile /root/.ssh/ript-01.id_rsa
 LocalForward 9999 192.168.1.69:3306
 ServerAliveInterval 10
 ServerAliveCountMax 3
 ExitOnForwardFailure yes
 NoHostAuthenticationForLocalhost yes

Create the tunnel to the database.

ssh -i /root/.ssh/ript-01.id_rsa client

This will likely fail with the following error message.

Permission denied (publickey).

This is because we’ve added the public key for the RIPT Server to the RIPT Relay, and the public key for the RIPT Client to both the RIPT Relay and the RIPT Server, but we haven’t added the RIPT Server’s public key to itself. Here we’re actually attempting to SSH to ourselves.

So let’s add it.

vi/vim/nano /root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYLth9fKJYB9NU79L3OasBUOTVrnIRBgJH4VwVPhXs23xnpG4sYmDel3xoChglPvM50wgkWxm/JFcrW5DHi4ndkZBR8Wp6bSvEVkijIYejDdeJVfmmpChnJopGgPO5w+vDTgP5I1fjDQvocXscjPJdAqFEQKtWOoGd+SzpCfwG4wD/egHMZIchLjpkexuJpG9k2Q5cgqRd/CEAJ0QL8+4lqbYCqapw6zIBZiOHnv3WR3QXhSY1gvX1Isri1D7Oh8ZFI7jqv0cYteX2f1iDbfwN6YYqkkIA6BrkMBincC/FSZ/mpo8hlRRnIrcCHfYrSVc3bsuocesz/b/UJngVzCjV root@ript-01

Now try the connection again.

ssh -i /root/.ssh/ript-01.id_rsa client

You should be returned to a command prompt. You’re actually in a new shell. Going forward you’ll likely want to just create the tunnel and return (-NfT: -N runs no remote command, -f sends ssh to the background once the forward is up, -T allocates no tty) or something similar.
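Added example, not from the original post: the authorized_keys edit done as a script that is safe to re-run and leaves the permissions sshd’s StrictModes expects (0700 on .ssh, 0600 on the file). The key line below is a constructed placeholder, not the key from the page; in real use you would pass the contents of /root/.ssh/ript-01.id_rsa.pub and the path /root/.ssh/authorized_keys.

```shell
# valid_pubkey_line '<line>' : 0 if it looks like "<type> <base64> [comment]".
# (Lines with leading options such as from="..." are not handled here.)
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# key_blob '<line>' : the "<type> <base64>" part, which identifies the key
# regardless of the trailing comment (root@ript-01 on the page).
key_blob() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# key_count '<line>' <authorized_keys> : how many entries carry that blob.
key_count() {
    awk -v b="$(key_blob "$1")" '($1 " " $2) == b { n++ } END { print n + 0 }' "$2"
}

# install_authorized_key '<line>' <authorized_keys>
# Creates .ssh (0700) and the file (0600) if needed; appends only when absent.
install_authorized_key() {
    key="$1"; akf="$2"
    valid_pubkey_line "$key" || { echo "not a public key line" >&2; return 2; }
    dir=$(dirname "$akf")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$akf" ] || : > "$akf"
    chmod 600 "$akf"
    if [ "$(key_count "$key" "$akf")" -gt 0 ]; then
        echo "already present, nothing appended" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$akf"
}

# Constructed placeholder key (not the key from the page); in real use pass
# the contents of /root/.ssh/ript-01.id_rsa.pub and /root/.ssh/authorized_keys.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForThisExample root@ript-01'
```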

Now on the RIPT Client we’ll use SquirrelSQL to connect to the remote database. We connect to the locally forwarded port (11098), which connects to the SOCKS proxy we set up on the RIPT Server.

SOCKS Proxy – SQuirreL SQL

And test the connection.

SOCKS Proxy – Database Connectivity

File Transfer

To get files to and from the RIPT Server you can do it from the command line, or use FileZilla, which supports key authentication. Go to Edit -> Settings -> SFTP -> Add key file…

FileZilla – Public Key Authentication

Once you have your tunnels established you can connect to the RIPT Server with the following settings.

Host: sftp://127.0.0.1

Username: root

Password: <blank>

Port: 11095

Note: Leaving the password blank will force the key authentication. You should be prompted for your passphrase and then logged in.


That’s all for now. Hope you enjoyed it! Some of the things I’m working on for future iterations include the cloning of RIPT Servers and the dockerization of RIPT Clients.

If I made any mistakes I’m sure I’ll hear about it, but if you have any cool/novel ideas I’d be interested in those as well. Leave a comment – I moderate them occasionally.

Cheers!
