GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → mikroskeem → tosh

mikroskeem / tosh

Licence: MIT license
Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

Programming Languages

rust
11053 projects
Nix
1067 projects

Labels

sshipv6totpctfsecurity-by-obscuritymoving-target-defensetosh

Projects that are alternatives of or similar to tosh

Sshttp
SSH/HTTP(S) multiplexer. Run a webserver and a sshd on the same port w/o changes.
Stars: ✭ 766 (+88.67%)
Mutual labels:  ssh, ipv6
Cnp3
Computer Networking : Principles, Protocols and Practice (first and second edition, third edition is being written on https://github.com/cnp3/ebook)
Stars: ✭ 471 (+16.01%)
Mutual labels:  ssh, ipv6
Totp Ssh Fluxer
Take security by obscurity to the next level (this is a bad idea, don't really use this please)
Stars: ✭ 811 (+99.75%)
Mutual labels:  ssh, totp
Stowaway
👻Stowaway -- Multi-hop Proxy Tool for pentesters
Stars: ✭ 500 (+23.15%)
Mutual labels:  ssh, ctf
Cli
🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
Stars: ✭ 2,151 (+429.8%)
Mutual labels:  ssh, totp
BinV
👓 Yet another binary vulnerbilities checker. An automated vulnerability scanner for ELF based on symbolic execution.
Stars: ✭ 25 (-93.84%)
Mutual labels:  ctf
ctf writeups
No description or website provided.
Stars: ✭ 25 (-93.84%)
Mutual labels:  ctf
watchman
AML/CTF/KYC/OFAC Search of global watchlist, sanctions, and politically exposed person (PEP)
Stars: ✭ 167 (-58.87%)
Mutual labels:  ctf
freebind
IPv4 and IPv6 address rate limiting evasion tool
Stars: ✭ 88 (-78.33%)
Mutual labels:  ipv6
rustotpony
🐴 RusTOTPony — CLI manager of one-time password generators aka Google Authenticator
Stars: ✭ 18 (-95.57%)
Mutual labels:  totp
sshecret
I can keep a SSHecret
Stars: ✭ 56 (-86.21%)
Mutual labels:  ssh
docker-nginx-certbot
Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.
Stars: ✭ 367 (-9.61%)
Mutual labels:  ipv6
essh
Extended ssh command
Stars: ✭ 42 (-89.66%)
Mutual labels:  ssh
alpine-desktop
No description or website provided.
Stars: ✭ 13 (-96.8%)
Mutual labels:  ssh
trezor-ssh-agent
Trezor SSH Agent for Windows (Putty, WinSCP and more) + KeepKey supported!
Stars: ✭ 54 (-86.7%)
Mutual labels:  ssh
adfsmfa
MFA for ADFS 2022/2019/2016/2012r2
Stars: ✭ 86 (-78.82%)
Mutual labels:  totp
CTF-Script-And-Template-Thrift-Shop
[180+ scripts] There are a few genuine gems in there. And a lot of spaghetti code. Most of these scripts were for solving CTF's. If you googles something for a CTF and landed here look at the scripts they're all fairly malleable. Sorry for the shitty naming conventions (not really). If you are a recruiter stop. I wont be able to rewrite half thi…
Stars: ✭ 38 (-90.64%)
Mutual labels:  ctf
go-net-radix
Go bindings for radix tree library for fast subnet (IPv4 and IPv6) lookups
Stars: ✭ 37 (-90.89%)
Mutual labels:  ipv6
girltalk
A tool for helping stand up headless C2 for droppables.
Stars: ✭ 16 (-96.06%)
Mutual labels:  ssh
uC-TCP-IP
A compact, reliable, high-performance TCP/IP protocol stack. Features dual IPv4 and IPv6 support, an SSL/TLS socket option, and support for Ethernet, Wi-Fi, and PHY controllers.
Stars: ✭ 66 (-83.74%)
Mutual labels:  ipv6
View All Similar Projects ➔

tosh

Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

Inspired from this tweet (Wayback machine)

Looking for a way simpler, bash implementation? Check out old branch.

Notes

This was made because... I could make it, not if I should make it. Yes, you read it right - it's a toy. Only use it if you know what you are doing. I am not up to handholding, preventing any footguns nor basic support requests.

Its purpose is just to add a layer of obscurity, it's probably only effective against bots (allthough most of them disappear after moving on to IPv6) and script kiddies. If you're being targeted by e.g government agencies or people who definitely know what they do, then this probably won't help you.

Using this on top of unconfigured (in other words, running stock configuration) SSH server is always a bad idea, so please configure your SSH server to e.g do only public key authentication, disable login for unnecessary users (e.g allow only members of group canssh to login) etc.

To make things more fun, you may want to adjust your firewall rules to forward to SSH tarpit by default.

Besides that, you NEED to ensure that your server and client times are in sync. You might want to look into chrony.

A few great alternatives to this:

Usage

Assign yourself an IPv6 subnet, replace last 6 hex characters with x.

fd15:4ba5:5a2b:1008:20c:29ff:fe1a:9587 -> fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx

Create a base32 TOTP secret, using e.g gen-oath-safe mikroskeem totp

$ export TOSH_IP_TEMPLATE=fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx
$ export TOSH_TOTP_SECRET=3OBVZP4AI74OIJO5YGV3UEXKXS6ISJ6H
$ tosh generate
fd15:4ba5:5a2b:1008:20c:29ff:fe59:3001

Example setups

Roadmap

  • Describe example setup with iptables & systemd
  • ssh wrapper (ProxyCommand feature?)

FAQ

Why Rust?

I am looking forward to building a cross-platform program easily, which works even on Windows.

Where's client?

Not done yet. Reference implementation will work inside ssh ProxyCommand option.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].