In typical enterprise networks today, ingress filtering is taken care of by firewall or similar devices. Unfortunately, the ability of devices and applications to reach the outside world is often overlooked or intentionnaly left open as Web services might need to be reacheable.
We will present a fork of an OpenSSH daemon, that is able to exploit the often loose egress filtering and maneuver around network restrictions.
Designed for more comfortable post-exploitation, it also extends regular forwarding and tunneling abilities in order to circumvent network rules that may otherwise hinder lateral movement.
In addition, it can also act as a regular SSH server listening for an incoming connection, and provides reliable interactive shell access (must be able to run top, sudo, screen, vi, etc) as opposed to crafted reverse shells or even meterpreter which allow basic commands but fail at interactive ones.
Marc-André Labonté ,
Marc-andre Labonte was a system administrator for more than a decade at the McGill Genome Center while it was known as the McGill University and Genome Quebec Innovation Center. There, he took part in the design, deployment, operation and maintenance of the data center as it went through multiple upgrade cycles to accommodate ever powerful high throughput genome sequencers coming to market.
Then, he joined the ETTIC team at Desjardins in 2016 as infrastructure penetration tester. Currently doing vulnerability research on IOT devices, he also presented "Automated contact tracing experiment on ESP Vroom32" workshop at NSEC in 2021. His work is motivated by curiosity and a strong sense of personal privacy in a world of connected devices and data hungry organizations.