If I have opened an ssh connection to a remote server is there any
way to check if the session includes remote port forwarding?
It would be easy if the port forwarding had been done from the command
line, e.g. if the command was 'ssh -R 12345:localhost:54321 server' one
could simply use ps or psgrep to see if there's a "-R 12345" in there.
However I can't see any way to do it if the remote forward has been
done by "RemoteForward 12345 localhost:54321" in the ssh config file.
Is there anything one can check to see the internal configuration of
a running ssh process?
That relies on being able to see the command in ps's output. There are
a number of ways that make this unreliable. Admittedly, many of which
are darker grey in color.
On 9/16/20 11:34 AM, Grant Taylor wrote:
> That relies on being able to see the command in ps's output. There are
> a number of ways that make this unreliable. Admittedly, many of which
> are darker grey in color.
This is a very good example of where responding to something / defending against something can be very different depending on the intentions behind whom you're trying to detect.
White hat could likely be persuaded to always use the command line
options and not do anything to obfuscate them.
Black hat could easily do a number of things to avoid detection.
Including running a program on either end to convert between a {TCP,UDP} socket and a Unix socket which can be forwarded through SSH without using port forwarding on either end.
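
A server-side check that does not depend on the client's command line, as an added example that is not part of the original thread: it filters `ss -Htlnp` output for listening TCP sockets owned by sshd on ports other than the daemon's own. The sample lines are constructed, `find_sshd_forwards` is a hypothetical helper name, and Unix-socket forwards like those mentioned above do not appear as TCP listeners.

```shell
#!/bin/sh
# Added example (not from the thread): spot sshd-owned TCP listeners on the server.
# A remote forward (-R or RemoteForward) makes sshd listen on the server side,
# whatever the client's command line looked like.

# find_sshd_forwards [daemon_port]   (hypothetical helper name)
# stdin:  output of `ss -Htlnp` (State Recv-Q Send-Q Local Peer Process)
# stdout: "pid address port" for each listener owned by a process whose name
#         starts with "sshd", skipping the daemon's own port (default 22).
find_sshd_forwards() {
    awk -v daemon_port="${1:-22}" '
        $1 == "LISTEN" && match($0, /"sshd[^"]*",pid=[0-9]+/) {
            pid = substr($0, RSTART, RLENGTH)
            sub(/.*pid=/, "", pid)
            n = split($4, part, ":")          # port is the last ":" field
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port != daemon_port) print pid, addr, port
        }'
}

# Constructed sample in the `ss -Htlnp` layout; PIDs and ports are made up.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:12345 0.0.0.0:* users:(("sshd",pid=4021,fd=9))
LISTEN 0 128 [::1]:12345 [::]:* users:(("sshd",pid=4021,fd=8))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=655,fd=5))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("sshd-session",pid=5120,fd=7))
EOF
}

# Run on the sample. Live use, as root so -p can see other users' processes:
#   ss -Htlnp | find_sshd_forwards
sample_ss_output | find_sshd_forwards
```

Each reported PID can then be matched to a login session on the server; a listener bound to 0.0.0.0 rather than loopback is reachable from other hosts.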