How to connect to Azure with SSH Tunneling

Have you just created your first Azure VM and are looking for a good, secure way to connect to you new machine without exposing more than necessary to the internet? Maybe you just want to run a few machines and don’t want to spend money on firewalls to configure VPN to your Azure Virtual Network (VNET)?

Connect-to-Azure-SSH-tunneling

In this post I will explain a method that can be used to connect to your machine securely without any cost. After reading this post you will know how you can set up a SSH tunnel to your machine so you only need to expose TCP port 22 to the internet. I will also show you how you can limit the access to that port by configuring a Network Security Group (NSG) in Microsoft Azure to only allow your own IP to connect. You will connect to the VM using Putty and either Google Chrome or Mozilla Firefox. We start off by configuring the NSG in Azure.

Configuring NSG in Azure:
The first thing that we need to do is to allow you to SSH to your machine and we do that by configuring the NSG. You want to modify the inbound security rule named ‘default-allow-ssh’ and you do that by clicking on ‘Inbound security rules’ in the left menu.

nsg

You should now add your public IP to the rule to allow you to connect from your home network. You probably know how to get your public IP but if you don’t know, one simple way is by visiting https://ipinfo.io and copy the address from there.

publicip

When you have the IP ready, click on the ‘default-allow-ssh’-rule to expand it and then add your IP to ‘Source IP addresses/CIDR ranges’ and press ‘Save’.

nsg2

The Azure configuration is now done. Lets move on to the Putty configuration.

Configuring Putty:
If you don’t have Putty installed you can download it from the official website and then just install it. After you have installed the software the first step is to run Putty and add the public IP of your Azure VM and select SSH port 22.

putty

Then navigate to SSH and check ‘Don’t start a shell or command at all’.

putty2

Move on by expanding SSH (+) and go to Tunnels. Add a forwarded port by choosing ‘Source port’. In this example we use port 1080. Select ‘Dynamic’ for destination and then press ‘Add’. Now you should see ‘D1080’ added above.

putty3

If you don’t want to configure these settings every time you want to use the tunnel you can save the session. That is done by going back to ‘Session’ and enter a name and then press ‘Save’.

putty4

Now the tunnel is ready and we just need to start it. Click on ‘Open’, enter your SSH credentials and press enter and the tunnel should be up and running.

Verify that the tunnel works:
You will probably want to make sure that the tunnel works as expected and we can verify that by configuring a simple HTTP server on the VM. In this example CentOS7 was used but it can be done on most machines.

Step one is to open another putty window and connect to you VM via SSH. Navigate to your home folder (cd /home) and create a directory (mkdir testfolder). Cd into that folder and create a testfile (touch text.txt). Then run the following command to run a python based HTTP-server on port 80.

sudo python -m SimpleHTTPServer 80

Your server will now listen for incoming connections on port 80. But since you don’t allow any connections to port 80 in the NSG you won’t be able to go directly to port 80. We need to send our HTTP traffic in the SSH tunnel to be able to reach it and we do that by configuring proxy settings in our web browser. This can be done in most of the common browsers and I will show you how to do it in Firefox and Chrome.

Chrome:
To configure proxy for Chrome you just right click on Chrome in the task bar and select ‘Properties’. You then need to add some run parameters.

chrome

The parameters you should add are:

--user-data-dir="%USERPROFILE%\proxy-profile" 
--proxy-server="socks5://127.0.0.1:1080"

Firefox:
For Firefox you just open up the browser, open the menu (1) and click on ‘Options’ (2).

firefox

Then you search for proxy and click on ‘Settings’

proxyfirefox

Select ‘Manual proxy configuration'(3) and then add ‘Socks Host 127.0.0.1 Port 1080′(4) and ‘SOCKS v5’ like in the example below.

firefox-proxy

After configuring the proxy settings you can just browse to the internal IP of your Azure VM. You can find the internal IP in the overview of the VM.

az-vm-private-ip

Then just browse to the IP ‘http://10.0.0.4’

result

Voila, you should now see the test file (test.txt) that you created earlier.

I really hope you found this guide useful, if you have any questions or reflections please send me a message on twitter.

/Rickard

Crunch

Today I will continue to write about tools that you can use to generate wordlists. Today we will take a look at crunch.

crunch
Where you can find crunch in Kali Linux.

Background and the functionality:
Crunch is another great tool that can be used to create wordlists. The tool was initially released in 2004 and the author is bofh28 according to tools.kali.org.

You use the tool to generates wordlists based on the charset you specify.

How to get started with Crunch:
To make sure that you have crunch installed, which comes pre-installed with Kali, you just open up the terminal and write crunch.

installed

If you start off by running the tool with only the required parameters you will get all possible words using all characters. So if you for example run “crunch 8 8” you will get all words that are eight characters long.

You can also specify which characters you want to use for your wordlist.

t-768x390

In the example above you can see that we specified all worlds between 5-6 that uses the following charcters: abcd123.

3-2
Here you can see the start and end of the file we just created.

-o
With the -o variable you can chose where the output should be saved.
Example: crunch 8 8 -o wordlist.txt

-b
With the -b parameter you can specify how big wordlist-files you want. In the example below I first created a wordlist with the size of ~2kB. When I use the -b parameter to define that each file only can be 1kB big you see that three files was created instead and none of them were bigger than 1kB.

b
An example of how you can use the -b parameter.

-i
With the -i parameter you can invert the order of the words. If you use crunch 3 3 without using the -i parameter you will get a file that starts with

  • aaa
  • aab
  • aac

If you use -i you will instead get the following result:

i

-t
The -t parameter is one of my favorites to use. If you know that a password uses a special pattern you can use the -t parameter to specify that pattern and reduce the amount of words in your list significantly and make your wordlist more efficient.

A normal use case can be that you got information about that many users in your targets company creates passwords based on the current season, for example Summer2019! . You can then create a wordlist based on that structure.

t-768x390
An example on how you can use the -t parameter.

You can use the following characters to build your patterns:

  • @ will insert lower case characters
  • , will insert upper case characters
  • % will insert numbers
  • ^ will insert symbols

-z
You can also use the -z parameter to compress and create an archive-file. You can choose between gzip, bzip2, lzma and 7z. Gzip is fastest but compression is minimal while 7z is slowest with best compression.

z
An example on how you can use the -z parameter.

That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for Crunch.

Thanks
/R

Cewl

This is the first blog post in my series where I will go through all built-in Kali Linux tools. I will write information about how the tools work and give you examples on when to use them. This will be an excellent way for me to learn the tools in depth and hopefully it can come in handy for some of you.
I won’t get much enjoyment if I write about them in one by one from top to bottom since that will be boring. The first tool I will write about is from section 05- Password Attacks and the tool I have chosen to start with is CeWL.

Background and the functionality:
CeWL is a tool that was created by Robin Wood and it is used for creating custom word lists based on the text from a target website. It can come in handy to use this tool if you are doing a pen test and you haven’t been successful with your usual word lists and want to create one that is more customized for the target company.

cewl
CeWL from Kali Linux

CeWL are built in Ruby and the main idea is that the program spiders the specified URL according to the configuration and returns a list of words that was found on that site. These custom word lists can later be used when trying to crack passwords with the other available tools. In a later post I will show you how that is being done.

How to get started with CeWL:
So how do you use CeWL then? It’s pretty easy and straight forward and you can get out the most information from the manual which you get by running “man cewl”. I will go through some of the most common options that you can configure and these are:

  • -w
  • -d
  • -m
  • –with-numbers
  • -c
  • -e

-w
Define where the word list should be saved. example: customwordlist.txt
-d
Define the depth the scan should spider. Default value is 2 and that means that it will go to all links that are presented on the defined URL and collect words from them as well.
-m
Define the minimum length of a word. No words with less characters than this will be saved.

So let’s try it and see how it works in practice. For this example I will just use a website that I know include many words and which site are better than Wikipedia? I’ve set the parameters to depth = 1 and characters = 10.

An example on how to use CeWL to generate a custom word list based on a URL.

It can take some time if you want to spider through many sites but if you use a configuration like mine it will be very quick and in this example I got out 1895 useful words.

wordcount
An example on how you can count the number of files in the file.

–with-numbers
Accept words where numbers are included as well. Like for example the word below. “Riteshkumar1256”.

In the figure you can see the first ten entries in the list that was created.

-c – counts number of entries
If you add the -c parameter the tool will also count how many times each word was found on the site. You can use that for many purposes and one example is that you easy can find out which words the company likes to mention and that might be something users uses in their passwords.

An example on how you can use the -c parameter for CeWL.

-e – includes email addresses
You can also save all email addresses that can be found on the website to a file. Perfect for recon and helps you find mailboxes at the target company. If you also include –email file you can specify where you want to save the emails addresses.

An example on how you can use the -e parameter for CeWL.

That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for using CeWL?

Thanks
/Rickard

Copyright © 2022