While SSH is a powerful tool for controlling a computer remotely, not all applications can be run over the command line. Some apps (like Firefox) and hacking tools (like Airgeddon) require opening multiple X windows to function, which can be accomplished by taking advantage of built-in graphical X forwarding for SSH.
SSH, or the secure shell, is the de-facto way or accessing a computer remotely, allowing anyone to log in and administer a computer over a local or remote network. Many useful apps can be controlled this way, but those requiring an interactive window aren't able to open when summoned over SSH. To make this happen, we'll need to forward the data from the remote computer to a server running on our local machine, which will display the remote application in a window on our local screen.
Most hackers are familiar with the basic use of SSH for everything from accessing your Linux system remotely to transferring files over a network. For command-line applications, SSH can give you complete control without any modifications, running programs like Besside-ng, Bettercap, and Kismet without any issues.
The limitations of SSH become clear as soon as we try to do something like run Airgeddon, which requires multiple windows to open and execute programs to feed data back to the main program. Without launching these programs in additional graphical windows, Airgeddon won't work, making it seemingly useless for a hacker with only a remote SSH connection.
If you want to run something more complicated than a command-line program, SSH has us covered by offering x11 forwarding. This means that, provided that there is a graphical X window running on the remote computer, we can forward the data from the application running on the remote machine to make it look like it's running on the local device instead.
There are two kinds of graphical X forwarding, trusted and untrusted. In trusted X forwarding, we ensure that the application we're running doesn't crash by disabling certain security checks designed to crash the connection if the app violates specific security policies. In an untrusted connection, we have greater security when connecting to an untrusted computer network, but also have a higher likelihood of the application crashing.
Because graphical X forwarding is enabled by default on most Linux systems, running applications over SSH is a lot easier to do than setting up a VNC server from scratch. This makes it a useful skill for any hacker wanting to do anything from injecting websites into a target's web history to running tools that require opening multiple windows to function.
To follow this guide, you'll need to have two computers connected to the same network. Both will need to have SSH installed and running.
On your remote computer, you'll need to have an SSH server enabled and running. If you have Linux, no modifications should be required, but on macOS or Windows, we'll need to change things in a later step.
On your local machine, Linux should come with a graphical X window preinstalled, but you'll need to install one for this to work on Windows of macOS. If your local machine is a MacBook or another macOS device, you can download and install XQuartz to run a graphical X window server. If you're running Windows, you can use Xming to do the same thing.
- Don't Miss: Brute-Force Nearly Any Website Login with Hatch
The first step will be to enable graphical X forwarding on the server that is running on the computer you want to access remotely. This will differ slightly depending on the operating system this system is using.
If the remote computer is running Linux, then x11 forwarding is enabled by default, and you don't need to do anything. If the remote computer you're logging in to is running macOS, you will need to edit your sshd_config file.
~$ nano /etc/ssh/sshd_config
If sshd_config includes #X11Forwarding no (or just X11Forwarding no), change it to X11Forwarding yes instead, and you can see below.
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. ... #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # pass locale information AcceptEnv LANG LC_* # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding yee # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server
Press Ctrl-X and then Y to save the changes to this file in Nano. You should now have x11 forwarding enabled on the computer.
If you're using Windows, you'll need to make some changes to PuTTY. The program is the easiest way to get started working with SSH on Windows, and it's free to download from the official website.
You can enable X11 forwarding on PuTTY by selecting "Enable X11 forwarding" in the "PuTTY Configuration" menu under the "Connection" tab, located under the "SSH" options. Once this option is enabled, you should be able to forward graphical X sessions to remote devices from your Windows machine.
To get started, let's start a "trusted" graphical X session. Because untrusted sessions can crash fairly easily, this is the default option that is enabled on Ubuntu, as of this writing.
The difference between a trusted and untrusted session is essential when looking at security. In a trusted session, we potentially give the remote computer the ability to screenshot, keylog, and inject input into any of the windows of other programs.
In our first example, we'll use the default trusted connection to launch a Firefox window. First, let's take a look at the command we need to launch any graphical application over SSH.
~$ ssh -Y username@LOCAL_IP_ADDRESS
If we are logging into a remote computer with a username of "root" at 192.168.0.3, our command to launch Firefox would then be as follows.
~$ ssh -Y firstname.lastname@example.org firefox
If we've started our graphical X window server (such as XQuartz), we should see a Firefox window open on our local machine.
We should be able to do this with any graphical application on the system.
By default, Linux systems like Ubuntu are configured to minimize applications being forwarded over x11 crashing by treating them as trusted by default. This isn't always desired, because you may not actually trust a computer you are connecting to remotely.
The command for treating a remote system while forwarding a graphical X window is the -X option, but this won't do anything differently until we access the ssh_config file and modify it to disable trusting remote x11 connections by default. To do this, we can open up our ssh_config file with Nano again to modify the line that says ForwardX11Trusted to look like below.
Now, we can run Firefox again as an untrusted app with the following command.
~$ ssh -X email@example.com firefox
While this application may be more prone to crashing, it will also do so rather than cause security problems on your computer, which may be desirable depending on the situation.
While using SSH to access a remote computer can come with some restrictions, there are a lot of ways to get around them. Graphical X forwarding is one incredibly useful way of doing to run programs that aren't possible to run otherwise and prevent the need for installing VNC or other more complicated protocols. With graphical X forwarding, nearly any application can be run remotely from anywhere.
I hope you enjoyed this guide to opening graphical X applications over SSH! If you have any questions about this tutorial on SSH or you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.
Start your White-Hat Hacker journey with Null Byte's Beginner's Guide to Linux Course.