Dropbox 20 – Dropbox Client (SSH/VNC/HTTP Proxy/SOCKS Proxy)

All the previous steps were just to get us to here. We can now access the Dropbox Server via SSH or VNC. We can use it as an HTTP Proxy for web application testing or as a SOCKS proxy for anything that supports such things, like database testing.

Let’s walk through a few of those activities.

Note: As in previous examples, these assume that you’re working with Dropbox Server 01; adjust port numbers accordingly if working with other systems.

SSH (Windows)

It doesn’t matter if you’ve accessed the Dropbox Relay directly via SSH or through an SSL/TLS encapsulated tunnel. Here’s how to configure Putty to SSH to the Dropbox Server.

Create a Session, we’ll call it DBOX01-SSH, with the following basic options. We connect to the locally forwarded port (11095) that connects to the SSH server running on the Dropbox Server.

Host Name: root@127.0.0.1

Port: 11095

Putty (SSH) – General

It will require key authentication on the Dropbox Server.

Putty (SSH) – Auth

After making all of your changes remember to go back up to Session and click Save.

Once you’ve established a connection to DBOX01-tunnels-SS*, open DBOX01-SSH and you should be prompted to enter the passphrase for your private key. After entering it you should have a root prompt on the Dropbox Server.

SSH (Linux)

We previously defined our /.ssh/config file as:

Host DBOX*
 AddressFamily inet
 User dbox-relay
 Port 22
 IdentityFile /root/.ssh/dbox_client
 ServerAliveInterval 10
 LocalForward 11095 127.0.0.1:12095
 LocalForward 11096 127.0.0.1:12096
 LocalForward 11097 127.0.0.1:12097
 LocalForward 11098 127.0.0.1:12098
 
Host DBOX-tunnels-SSH
 HostName <FQDN of Dropbox Relay>
 StrictHostKeyChecking yes
 UserKnownHostsFile /root/.ssh/known_hosts

Host DBOX-tunnels-SSL
 HostName localhost
 ProxyCommand /usr/bin/ncat --ssl-verify <FQDN of Dropbox Relay> 443
 NoHostAuthenticationForLocalhost yes

SSH with either the DBOX01-tunnels-SSH or the DBOX01-tunnels-SSL profile and then from the command line on your Dropbox Client run the following.

ssh -i /dbox_client -p 11095 root@localhost
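
The four LocalForward lines above bind to loopback by default; a GatewayPorts setting or an explicit wildcard bind address would expose the Dropbox Server's services to whatever network the Dropbox Client sits on. As an added example (not from the original post), this check reads `ss -ltn` style output and reports any of those ports listening on a non-loopback address; the function name and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not the author's code.

# LocalForward ports from the "Host DBOX*" block above.
TUNNEL_PORTS="11095 11096 11097 11098"

# exposed_forwards: reads `ss -ltn` output on stdin and prints each tunnel
# listener whose local address is not loopback.
exposed_forwards() {
    awk -v ports="$TUNNEL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # before the last colon
            if ((port in want) && host != "127.0.0.1" && host != "[::1]")
                print addr
        }'
}

# Constructed sample: 11097 was forwarded with a wildcard bind address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:11095    0.0.0.0:*
LISTEN 0      128    [::1]:11095        [::]:*
LISTEN 0      128    127.0.0.1:11096    0.0.0.0:*
LISTEN 0      128    0.0.0.0:11097      0.0.0.0:*
LISTEN 0      128    *:8080             *:*'

printf '%s\n' "$SAMPLE_SS" | exposed_forwards   # live: ss -ltn | exposed_forwards
```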

VNC

As we’re running tightvnc on the Dropbox Server it’s recommended to use the same client. By default, this is what’s installed on Ubuntu when ‘apt-get install vnc’ is run. The client is also available on Windows. We connect to the locally forwarded port (11096) that connects to the VNC server running on the Dropbox Server.

 

TightVNC – localhost

 

TightVNC – Password

 

TightVNC – Dropbox Server

Note: The first time you open the VNC client you’ll see an error message about “no session for PID ###” or something similar. This is a known issue and can safely be clicked through. It will not affect your experience.

So, we can now open a web browser from within the VNC session, point it to https://localhost:8834 and run Nessus once it’s been installed.

Nessus

HTTP Proxy

In this example we’ll use the Squid proxy on the Dropbox Server to test an internal firewall admin page.

First we set our test framework (Burp Suite) to use our HTTP proxy on the Dropbox Server. We connect to the locally forwarded port (11097) that connects to Squid running on the Dropbox Server.

Burp Suite -> Upstream Proxy Servers

Burp Suite – Upstream Proxy

Burp Suite runs a local proxy to intercept traffic on port 8080 by default.

Burp Suite – Local Proxy

We can configure our web browser to use Burp Suite’s connection to our Dropbox Server’s Squid proxy.

Browser – Proxy Settings

We can now access an internal client firewall administration page from our Dropbox Client and use Burp Suite running on our Dropbox Client to test it.

Web Application Testing

SOCKS Proxy

To demonstrate the SOCKS proxy capability we’ll access a database running in the same environment as the Dropbox Server from the Dropbox Client.

First we need to define the SSH ‘client’ (SOCKS part 2) configuration and then establish that tunnel as it is the only one we do not autorun.

From our SSH config (this should look familiar).

Host client
 HostName localhost
 AddressFamily inet
 User root
 Port 22
 IdentityFile /root/.ssh/dbox-01.id_rsa
 LocalForward 9999 192.168.1.69:3306
 ServerAliveInterval 10
 ServerAliveCountMax 3
 ExitOnForwardFailure yes
 NoHostAuthenticationForLocalhost yes

Create the tunnel to the database.

ssh -i /root/.ssh/dbox-01.id_rsa client

This will likely fail with the following error message.

Permission denied (publickey).

This is because we’ve added the public key for the Dropbox Server to the Dropbox Relay, and the public key for the Dropbox Client to both the Dropbox Relay and the Dropbox Server, but we haven’t added the Dropbox Server’s public key to itself. Here we’re actually attempting to SSH to ourselves.

So let’s add it.

vi/vim/nano /root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYLth9fKJYB9NU79L3OasBUOTVrnIRBgJH4VwVPhXs23xnpG4sYmDel3xoChglPvM50wgkWxm/JFcrW5DHi4ndkZBR8Wp6bSvEVkijIYejDdeJVfmmpChnJopGgPO5w+vDTgP5I1fjDQvocXscjPJdAqFEQKtWOoGd+SzpCfwG4wD/egHMZIchLjpkexuJpG9k2Q5cgqRd/CEAJ0QL8+4lqbYCqapw6zIBZiOHnv3WR3QXhSY1gvX1Isri1D7Oh8ZFI7jqv0cYteX2f1iDbfwN6YYqkkIA6BrkMBincC/FSZ/mpo8hlRRnIrcCHfYrSVc3bsuocesz/b/UJngVzCjV root@dbox-01

Now try the connection again.

ssh -i /root/.ssh/dbox-01.id_rsa client

You should be returned to a command prompt. You’re actually in a new shell. Going forward you’ll likely want to just create the tunnel and return (-NfT) or something similar.
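
The key pasted above gives its holder an unrestricted root shell on the Dropbox Server, although it is only needed for the one forward in the ‘client’ profile. As an added example (not from the original post), these helpers build a forwarding-only authorized_keys entry with OpenSSH's restrict, port-forwarding, permitopen, from and command options, and list entries that carry no options at all; the function names, /bin/false as the forced command and the sample key material are assumptions.

```shell
#!/bin/sh
# Added example, not the author's code. Needs OpenSSH 7.2+ for "restrict".

# Forward target from the page's "Host client" profile.
FWD_DEST="192.168.1.69:3306"

# restricted_entry "<type> <base64> <comment>"
# Prints an authorized_keys line that allows only the one forward:
#   restrict         turn off pty, agent/X11 forwarding and all port forwarding
#   port-forwarding  turn port forwarding back on
#   permitopen       limit forward destinations to FWD_DEST
#   from             accept the key only from loopback (the self-connection)
#   command          forced command (assumed /bin/false), so no shell is given
restricted_entry() {
    printf 'restrict,port-forwarding,permitopen="%s",from="127.0.0.1",command="/bin/false" %s\n' \
        "$FWD_DEST" "$1"
}

# unrestricted_keys FILE
# Prints the comment of every entry that starts directly with a key type,
# i.e. has no options field and therefore grants a full login.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print (NF >= 3 ? $3 : "(no comment)") }
    ' "$1"
}

# Demo on constructed key material (placeholder base64, not a real key).
demo() {
    f=$(mktemp)
    echo "ssh-rsa AAAAB3CONSTRUCTEDKEY root@dbox-01" > "$f"
    echo "before: $(unrestricted_keys "$f")"
    restricted_entry "$(cat "$f")" > "$f.new"
    echo "after:  $(unrestricted_keys "$f.new" | wc -l) unrestricted entries"
    cat "$f.new"
    rm -f "$f" "$f.new"
}
demo
```

With the forced command in place the tunnel has to be opened without a session, which is what the -NfT form mentioned above does.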

Now on the Dropbox Client we’ll use SQuirreL SQL to connect to the remote database. We connect to the locally forwarded port (11098) that connects to the SOCKS proxy we set up on the Dropbox Server.

SOCKS Proxy – SQuirreL SQL

And test the connection.

SOCKS Proxy – Database Connectivity

File Transfer

To get files to and from the Dropbox Server you can use the command line, or FileZilla, which supports key authentication. Go to Edit -> Settings -> SFTP -> Add key file…

FileZilla – Public Key Authentication

Once you have your tunnels established you can connect to the Dropbox Server with the following settings.

Host: sftp://127.0.0.1

Username: root

Password: <blank>

Port: 11095

Note: Leaving the password blank will force the key authentication. You should be prompted for your passphrase and then logged in.


That’s all for now. Hope you enjoyed it! Some of the things I’m working on for future iterations include the cloning of Dropbox Servers and the dockerization of Dropbox Clients.

If I made any mistakes I’m sure I’ll hear about it, but if you have any cool/novel ideas I’d be interested in those as well. Leave a comment – I moderate them occasionally.

Cheers!

 

 
