SSH Tunneling


There are a lot of guides on SSH tunneling, but when I was studying for my OSCP none of them quite had everything I wanted: either they lacked a comprehensive explanation or the syntax. Here is a list of all the SSH tunneling techniques I've found useful, with explanations and copy-paste style syntax.

SSH port forwards (local and remote) can be run as non-root users as long as we only bind unused, non-privileged local ports (above 1024).

Local Port Forwarding

SSH local port forwarding allows us to tunnel a local port to a remote server using SSH as the transport protocol. The effect is similar to rinetd port forwarding, with a few twists.
Essentially we circumvent the firewall by sending traffic through SSH to an entirely different port on a machine that is connected to the target.

Local Port Forwarding Syntax:

ssh -N -L [bind_address:]port:host:hostport [username@address]

With local port forwarding, username@address are the credentials for the computer through which we want to reach host.

Remote Port Forwarding

The remote port forwarding feature in SSH can be thought of as the reverse of local port forwarding: a port is opened on the remote side of the connection, and traffic sent to that port is forwarded to a port on our local machine (the machine initiating the SSH client).
In short, connections to the specified TCP port on the remote host will be forwarded to the specified port on the local machine.
Essentially, if the firewall blocks inbound connections but not outbound ones, remote port forwarding lets us SSH OUT instead of IN.

Remote Port Forwarding Syntax:

ssh -N -R [bind_address:]port:host:hostport [username@address]

With remote port forwarding, username@address are the credentials for the computer running the SSH server that the target machine will connect to (usually us).

SSH Dynamic Port Forwarding

Dynamic port forwarding allows us to target additional ports on the target machine, or hosts on the internal network, without having to establish a different tunnel for each port or host of interest.
ssh -D specifies a local dynamic SOCKS4 application-level port forward tunneled within SSH.

Dynamic Port Forwarding Syntax:

ssh -N -D <address to bind to>:<port to bind to> <username>@<address>

Just like with local port forwarding, in dynamic port forwarding the username@address are the credentials for the computer through which we want to reach host.

Proxychains

Although we have started an application proxy that can route application traffic to the target network through the SSH tunnel, we must somehow direct our reconnaissance and attack tools to use this proxy. We can run any network application through HTTP, SOCKS4, and SOCKS5 proxies with the help of ProxyChains.

To configure ProxyChains, we simply edit the main configuration file /etc/proxychains.conf and add our SOCKS4 proxy to it:

sudo vim /etc/proxychains.conf

OR

echo 'socks4 <ip> <port>' | sudo tee -a /etc/proxychains.conf

(sudo echo '...' >> /etc/proxychains.conf fails with "Permission denied": sudo only elevates echo, while the >> redirect is opened by our unprivileged shell. Piping into sudo tee -a does the append as root.)

To run our tools through our SOCKS4 proxy, we prepend each command with proxychains.

A word about proxychains: by default, ProxyChains will attempt to read its configuration file first from the current directory, then from the user's $(HOME)/.proxychains directory, and finally from /etc/proxychains.conf. This allows us to run tools through multiple dynamic tunnels, depending on our needs.
Only TCP techniques work through the proxy, so port scans must use the -sT flag (nmap's full TCP connect scan); ICMP and UDP scans won't work.

Proxychains And Dynamic Tunneling Example

Because we can forward arbitrary ports with dynamic port forwarding, we can, for example, log in to a domain controller that is not directly routable to us, through a client machine, via a dynamic port forward on our machine (assuming we have credentials on the client machine).
Here is an example. We assume a SOCKS proxy entry for port 9050 has been added to /etc/proxychains.conf, and we log in to the domain controller.

sudo ssh -N -D 127.0.0.1:9050 [email protected] 
sudo proxychains xfreerdp /u:administrator /p:lab /v:172.16.187.5 /cert:ignore /dynamic-resolution &

SSH Reverse Dynamic Port Forwarding

The exact opposite of dynamic port forwarding: the command below is run on the pivot machine and opens the SOCKS listener on our SSH server (kali@YOURIP), and whatever we send to that SOCKS port is routed back out through the pivot. We can open up an entire subnet through our SOCKS proxy this way.

ssh -N -R *:<socks port> kali@YOURIP
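As an added example (not part of the original post), a small Python checker that parses the [bind_address:]port:host:hostport and [bind_address:]port forms used by -L, -R, -D and reverse -R above and reports what a reviewer of a tunnel would flag: all-interface binds, privileged ports (the root requirement noted at the top), and SOCKS listeners that expose a whole network rather than one service. It assumes ':' separators (OpenSSH also accepts '/', not handled here) and IPv6 literals in brackets; the risk checklist is my own, not OpenSSH's.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Forward:
    kind: str                    # local | remote | dynamic | reverse-dynamic
    bind_address: Optional[str]  # None = ssh default (loopback unless GatewayPorts says otherwise)
    port: int                    # listening port: on the client for -L/-D, on the server for -R
    host: Optional[str] = None   # destination host; None for SOCKS (dynamic) listeners
    hostport: Optional[int] = None

def _split(spec: str) -> List[str]:
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip("[]") for p in parts]

def parse_forward(flag: str, spec: str) -> Forward:
    """flag is '-L', '-R' or '-D'; spec is the argument that follows it."""
    parts = _split(spec)
    if flag == "-D" or (flag == "-R" and len(parts) <= 2):
        # [bind_address:]port alone: a SOCKS listener (-D) or reverse-dynamic (-R)
        if len(parts) > 2:
            raise ValueError(f"bad SOCKS spec: {spec}")
        bind = parts[0] if len(parts) == 2 else None
        return Forward("dynamic" if flag == "-D" else "reverse-dynamic", bind, int(parts[-1]))
    if flag not in ("-L", "-R") or len(parts) not in (3, 4):
        raise ValueError(f"bad forward spec: {flag} {spec}")
    bind = parts[0] if len(parts) == 4 else None
    kind = "local" if flag == "-L" else "remote"
    return Forward(kind, bind, int(parts[-3]), parts[-2], int(parts[-1]))

def risks(fwd: Forward) -> List[str]:
    """What a reviewer of a tunnel would flag about this spec (an assumed checklist)."""
    found = []
    if fwd.bind_address in ("", "*", "0.0.0.0", "::"):
        found.append("listens on all interfaces: anyone who can reach the listener can use the tunnel")
    if fwd.port < 1024:
        found.append("privileged listening port: needs root on the listening side")
    if fwd.host is None:
        found.append("SOCKS listener: reaches any host/port the SSH peer can, not one service")
    return found
```

For instance, risks(parse_forward("-R", "*:1080")) reports both the all-interface bind and the SOCKS exposure, while a plain -L 8080:10.0.0.5:80 reports nothing.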

SSH Jump hosts

ssh -J user1@host1:host1port -p host2port user2@host2

(-J takes the jump host as user@host[:port]; a single -p applies only to the final destination, so -p cannot be given once per hop as in the common but incorrect form ssh -J user1@host1 -p host1port user2@host2 -p host2port.)