SSH Tunneling

MITRE ATT&CK™ Protocol Tunneling - Technique T1572

Theory

SSH tunneling, also known as "SSH port forwarding," is a method that uses the secure shell (SSH) protocol to create encrypted tunnels for network connections. SSH tunneling may be used for covert communication and circumventing network security measures.

Practice

SSH Port Forwarding

By using an SSH client against an OpenSSH server, it is possible to create both forward and reverse connections as SSH tunnels, allowing us to forward ports and/or create proxies.

Port Forwarding

Sshuttle

Sshuttle uses an SSH connection to create a tunnelled proxy that acts like a new interface. In short, it simulates a VPN, allowing us to route our traffic through the proxy. As it creates a tunnel through SSH, anything we send through the tunnel is also encrypted.

We create the tunnelled proxy by connecting with sshuttle to the compromised host's SSH server.

# Create Tunnel
# SUBNET: the remote subnet to route through the tunnel (e.g. 172.16.0.0/24)
sshuttle -r <USER>@<TARGET_IP> <SUBNET>

# Automatically determine the subnets
sshuttle -r <USER>@<TARGET_IP> -N

# Exclude a specific IP from the tunnel (-x)
sshuttle -r <USER>@<TARGET_IP> <SUBNET> -x <remote-ip>

If you don't know the user's password but have an SSH key, use the following command:

sshuttle -r <USER>@<TARGET_IP> --ssh-cmd "ssh -i KEYFILE" <SUBNET>

If you get the error "Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found...", sshuttle could not flush the DNS cache through systemd-resolved (resolve1 is its D-Bus name). Enable the service and flush the caches manually:

sudo systemctl enable systemd-resolved.service
sudo resolvectl flush-caches

Run sshuttle again.
