sshjump automates making multiple SSH hops before forwarding ports.

It's intended use-case is for when you've finally gathered a bunch of SSH creds on an engagement, and the defenders are starting to catch on.

Or, you know, just to annoy the SOC.

Please don't use for illegal purposes.

For the impatient:

Create a jumpfile named ./j containing hosts through which to jump, similar to the following:

user@target1 password SSH-2.0-OpenSSH_6.7
root@target2 pa$$w0rd SSH-2.0-SOC_wont_find_me
oracle@target3 oracle ssh_2.0-PuTTY

Jump through them with the following, pointing local port 2222 at target4's port 22 (presumably to use SSH's -D or something).

sshjump -jumps ./j -njump 0 L127.0.0.1,2222,target4,22

sshjump makes a series of jumps through SSH servers. It then forwards ports through the last server, similar to OpenSSH's -L and -R options. This is useful in obscuring the true origin of a connection during a pentest or red team engagement.

The jumps are read from a file (the jumpfile), which should contain the username, hostname, and password for the SSH server, as well as the SSH version string (e.g. SSH-2.0-OpenSSH_7.3) to presesnt to the server. A subset of the jumps in the jumpfile may be used (-njump, by default the first 5), and the order in which jumps are tried may be shuffled to further confuse the defenders (-shuffle).

Instead of a password, a PEM-encoded SSH key (e.g. as generated by ssh-keygen) may be used by prefixing the filename with key: and using that in place of the password. Keys will be search for in the directory named by -keydir, unless an absolute path is specified.

Before forwing ports, a test connection is made through the last jump. By default this is to check.torproject.org:443, but this can be changed to something suitable for the environment.

Each port forwarding specification starts with an L or an R, and consists of four comma-separated parts: the listen address, the listen port, the target address, and the target port. Multiple space-separated specifications may be given on the command line.

With L, a listening socket is opened on the local host (the host runnnig sshjump not necessarily 127.0.0.1, it can be only on an external address), and any connection made to that socket will be proxied through the last jump via the other connections to the target address and port.

L0.0.0.0,2222,10.3.4.28,22 will cause the local host to listen on port 2222 on all addresses, and any connection to 2222 on the local host will be proxied to 10.3.4.28:22.

With R, a listening socket is opened on the last jump (if the SSH configuration allows it), and connections are proxied via the local host to the target address and port.

R192.168.0.1,3189,127.0.0.1,3189 will listen on port 3189 on the remote host on 192.168.0.1, and forward all connections made to that to port 3389 on the loopback interface of the host running sshjump.

Standard Go procedure

go get -u github.com/magisterquis/sshjump
go install github.com/magisterquis/sshjump

Usage: sshjump [options] fwdspec [fwdspec...]

The jumpfile must contain lines of the form
user@host password versionstring

Each fwdspec should be of one of the following forms

L<laddr>,<lport>,<targetaddr>,<targetport>
R<raddr>,<rport>,<targetaddr>,<targetport>

The fwdspecs are similar to OpenSSH's -L and -R options, but always consist of
two address/port pairs.

Options:
  -connto timeout
    	TCP connection timeout (default 10s)
  -exittest target
    	Host and port on target to test last jump forwarding ability (default "check.torproject.org:443")
  -hsto timeout
    	SSH handshake timeout (default 15s)
  -jumps file
    	Name of file containing SSH jumps
  -kaint interval
    	SSH keepalive interval (default 1s)
  -njump N
    	The first N working jumps in the jumpfile will be used, or 0 to use all of the jumps (default 5)
  -shuffle
    	Shuffle the list of jumps

This code hasn't been very thoroughly tested, so please don't use it in production without sufficient testing, unless you don't particularly like your client. Feel free to send feature requests, bug reports, and bugfixes if you do.

It should compile and run just fine on Windows (I'm looking at you, former employer), which is handy for those "here, have a user desktop, don't plug in your computer" situations.

Binaries available upon request.