Today we're going over how to connect to our VMware Player via ssh for our pentesting lab.
Please note: if you're unfamiliar with how to set up VMware Player (installing or otherwise), research that first,
then come back to this. It is assumed that you know how to set up VMware Player and install an .iso onto it. That is beyond the scope
of this how-to and is the only prerequisite.
Doing this with root didn't work for me. While it is possible to use the root account, this how-to is done using a non-root account.
NOTICE: on a Windows host, use ipconfig wherever you see ifconfig, and use gps or ./services.exe in place of systemctl status.
Setup is simple and requires no special software or hardware. Tools needed for this are:
>> ssh
>> vmware player
>> linux/windows host.iso
>> eth0 interface
Optional tools:
nmap
step 1: start a VM instance of any distro/.iso
In my case I went with Knoppix Linux because it's a live distro that requires no setup, but you can choose whatever you like.
step 2: in VMware Player, set the network to host-only (anything else will not work for this exercise)
Optionally, you can start services on the VMware instance to create target ports for attacking;
in my case I started vncserver (known as Xtightvnc).
step 3: on host, start ssh service [service ssh start]
CODE :
mukyu@darkbox:~$ sudo service ssh start
step 4: on host, set a static IP address for the host in the same subnet, e.g. 172.16.67.[#],
where [#] is any number between 2-254, excluding the IP address of the VMware Player guest
CODE :
mukyu@darkbox:~$ sudo ifconfig eth0 172.16.67.130
<< host os
Note: IPADDRESS shown below was assigned via DHCP server of vmware player BEFORE setting to host-only
CODE :
For Windows this is done differently; please research how to change/add the gateway using 'route add/change' for Windows systems.
I've tried several times but no luck.
CODE :
vmnet1: inet 172.16.67.1
<< vmware player ipaddress
There's no need for persistence because the VMware Player will be closed eventually, but you can also do:
echo nameserver 172.16.67.200 > /etc/resolv.conf
If you get an error about permission denied, it means that you cannot write to /etc/resolv.conf because of sticky-bit,
but don't worry about it because it's not needed.
step 6: ssh into VMware Player using ssh hostname@ipaddress. The password is the same as the one
for your system administration account, so if your password is 'sa3799' for your host username, enter
that same password for the ssh login. For me, hostname = mukyu and ipaddress = 172.16.67.1.
CODE :
mukyu@darkbox:~$ ssh mukyu@172.16.67.1
The authenticity of host '172.16.67.1 (172.16.67.1)' can't be established.
ECDSA key fingerprint is SHA256:TKIhK+OLIUlEBo4FiGvXa0sEEvlRWjTG0wW5FfDPxLk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.67.1' (ECDSA) to the list of known hosts.
mukyu@172.16.67.1's password:
Checking netstat, we see our connection is established:
CODE :
mukyu@darkbox:~$ netstat -ant |grep EST
tcp 0 0 172.16.67.1:22 172.16.67.1:45476 ESTABLISHED
tcp 0 0 172.16.67.1:45476 172.16.67.1:22 ESTABLISHED
Please note, if you haven't set up ssh keys using ssh-keygen, you will need to do so
before connecting to vmware player. This will not be covered in this how-to.
step 7: using nmap or nc, scan the VMware Player IP address to see connected devices; your
static IP address should be listed showing your open ports. In my case 22, 443 & 902 are
my open ports.
CODE :
mukyu@darkbox:~$ nmap 172.16.67.1/24
CODE :
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-17 17:37 EDT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 172.16.67.1
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE ##VMware player
22/tcp open ssh
443/tcp open https
902/tcp open iss-realsecure
Nmap scan report for 172.16.67.130 ## Linux HOST
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
902/tcp open iss-realsecure
Nmap scan report for 172.16.67.134 ## Linux Guest OS Notice the new IP address AFTER setting to host-only
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
5901/tcp open vnc-1
6001/tcp open X11:1
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.62 seconds
Here we can see that our session is active and successful:
CODE :
mukyu@darkbox:~$ sudo service ssh status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-05-17 17:01:45 EDT; 59min ago
Process: 2596 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 705 (sshd)
Tasks: 1 (limit: 512)
CGroup: /system.slice/ssh.service
└─705 /usr/sbin/sshd -D
May 17 17:01:45 darkbox sshd[705]: Server listening on :: port 22.
May 17 17:01:45 darkbox systemd[1]: Started OpenBSD Secure Shell server.
May 17 17:30:45 darkbox systemd[1]: Reloading OpenBSD Secure Shell server.
May 17 17:30:45 darkbox sshd[705]: Received SIGHUP; restarting.
May 17 17:30:45 darkbox systemd[1]: Reloaded OpenBSD Secure Shell server.
May 17 17:30:45 darkbox sshd[705]: Server listening on 0.0.0.0 port 22.
May 17 17:30:45 darkbox sshd[705]: Server listening on :: port 22.
May 17 17:35:01 darkbox systemd[1]: Started OpenBSD Secure Shell server.
May 17 17:35:25 darkbox sshd[2858]: Accepted password for mukyu from 172.16.67.1 port 45476 ssh2 <<<<<< #confirmation
May 17 17:35:25 darkbox sshd[2858]: pam_unix(sshd:session): session opened for user mukyu by (uid=0)
For shorter output, use systemctl, but mind that this does not convey a successful connection as service does. I've
included the example for good measure.
CODE :
mukyu@darkbox:~$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-05-17 17:01:45 EDT; 1h 59min ago
Process: 2596 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 705 (sshd)
Tasks: 1 (limit: 512)
CGroup: /system.slice/ssh.service
└─705 /usr/sbin/sshd -D
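The 'Accepted password for mukyu from 172.16.67.1' line in the service ssh status output is what confirms the login, and the same output shows sshd listening on 0.0.0.0, meaning every interface and not only the host-only one. The script below is an added example (not part of the original how-to) that lists accepted logins from sshd log lines and flags any source outside the lab subnet; the 172.16.67. prefix comes from this how-to, while the function names and the last two sample log lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: list accepted sshd logins and flag sources outside the lab subnet.
# LAB_PREFIX is an assumption taken from the how-to's 172.16.67.x host-only network.
LAB_PREFIX="${LAB_PREFIX:-172.16.67.}"

# Constructed sample modelled on the status output above.
# The "Failed password" and 192.0.2.44 lines are invented for illustration.
sample_log() {
cat <<'EOF'
May 17 17:30:45 darkbox sshd[705]: Server listening on 0.0.0.0 port 22.
May 17 17:35:25 darkbox sshd[2858]: Accepted password for mukyu from 172.16.67.1 port 45476 ssh2
May 17 17:35:25 darkbox sshd[2858]: pam_unix(sshd:session): session opened for user mukyu by (uid=0)
May 17 17:41:02 darkbox sshd[2901]: Failed password for mukyu from 172.16.67.134 port 51514 ssh2
May 17 17:52:10 darkbox sshd[2950]: Accepted publickey for mukyu from 192.0.2.44 port 40022 ssh2
EOF
}

# Reads sshd log lines on stdin.
# Prints "time user source port method verdict" for each accepted login.
accepted_logins() {
  awk -v prefix="$LAB_PREFIX" '
    / sshd\[[0-9]+\]: Accepted / {
      # Locate the keyword instead of trusting fixed column positions.
      for (i = 1; i <= NF; i++) if ($i == "Accepted") break
      method = $(i+1); user = $(i+3); src = $(i+5); port = $(i+7)
      # A login counts as "lab" only if its source starts with the lab prefix.
      verdict = (index(src, prefix) == 1) ? "lab" : "OUTSIDE-LAB"
      print $3, user, src, port, method, verdict
    }'
}

# Succeeds only when every accepted login on stdin came from the lab subnet.
lab_only() {
  ! accepted_logins | grep -q 'OUTSIDE-LAB$'
}

# Demo run on the constructed sample.
sample_log | accepted_logins
```

On a live host, pipe `journalctl -u ssh` or the contents of /var/log/auth.log into accepted_logins instead of the sample.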
Once we've had our fun using ssh to the VM, we can end our session with the 'exit' command.
CODE :
mukyu@darkbox:~$ exit
logout
Connection to 172.16.67.1 closed.
mukyu@darkbox:~$
Extra Mile:
We can also connect from the guest OS to the host OS via ssh and vice-versa. Connecting from the guest OS uses the credentials of the host OS and vice-versa.
Explore this option on your own and have fun. Feel free to reply if having trouble.
CODE :
knoppix@Microknoppix:~$ exit
logout
Connection to 172.16.67.139 closed.
mukyu@darkbox:~$
Thank you for reading and I hope you explore more on this as you progress in your training.
This How-To only covered VMware Player; however, it is possible to apply similar techniques to other virtual hosts such as:
vbox -- virtl -- vmware workstation -- vncviewer, etc.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.