SSH Tunneling
MITRE ATT&CK™ Protocol Tunneling - Technique T1572
Theory
SSH tunneling, also known as "SSH port forwarding," is a method that uses the secure shell (SSH) protocol to create encrypted tunnels for network connections. SSH tunneling may be used for covert communication and circumventing network security measures.
Practice
SSH Port Forwarding
Using an SSH client against an OpenSSH server, it is possible to create both forward and reverse connections as SSH tunnels, which let us forward ports and/or create proxies.
Sshuttle
Sshuttle uses an SSH connection to create a tunnelled proxy that acts like a new interface. In short, it simulates a VPN, allowing us to route our traffic through the proxy. As it creates a tunnel through SSH, anything we send through the tunnel is also encrypted.
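The sshd options that govern the forwarding described above are the server-side control point, and sshd has two parsing rules that catch people out: the first value it reads for a keyword wins (later duplicates are ignored), and everything after the first Match block applies only to matching connections. The auditor below is an added example, not code from the original page or from the sshuttle project; the two sshd_config samples are constructed, and the defaults are those documented in sshd_config(5) for a keyword that is absent.

```python
"""Audit the global section of an sshd_config for tunneling-related keywords.

Added example (not from the original page). It reproduces two sshd behaviours:
the first occurrence of a keyword wins, and the global section ends at the
first 'Match' line.
"""
import re

# Defaults documented in sshd_config(5) for a keyword that is not set.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
}

# Value a defender wants for each keyword on a host that should not tunnel.
HARDENED = {key: "no" for key in DEFAULTS}

# sshd accepts "Keyword value" as well as "Keyword=value".
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def parse_global_settings(text):
    """Return {lowercased keyword: first value} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "match":
            break  # later lines apply only to matched users/hosts/groups
        settings.setdefault(key, value)  # first value wins, as in sshd
    return settings


def audit(text):
    """Return (keyword, effective_value, source) for every keyword that is not hardened.

    source is "config" when the value came from the file and "default" when
    sshd would fall back to its documented default.
    """
    settings = parse_global_settings(text)
    findings = []
    for key, wanted in HARDENED.items():
        if key in settings:
            effective, source = settings[key].lower(), "config"
        else:
            effective, source = DEFAULTS[key], "default"
        if effective != wanted:
            findings.append((key, effective, source))
    return findings


# Constructed sample: forwarding enabled, and a later "no" that sshd ignores.
WEAK_CONFIG = """
Port 22
GatewayPorts yes
AllowTcpForwarding yes
AllowTcpForwarding no      # ignored by sshd: the first value above wins
Match User backup
    AllowTcpForwarding no  # only affects the 'backup' user
"""

# Constructed sample: every tunneling keyword set explicitly.
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

AllowTcpForwarding also accepts "local", "remote" and "all"; the check deliberately flags anything other than "no", because "local" still permits ssh -L and -D. One caveat for the section that follows: sshuttle does not use sshd's TCP-forwarding channels at all. It starts a Python helper over the SSH session and multiplexes traffic through that session's standard streams, so AllowTcpForwarding no constrains ssh -L/-R/-D but not sshuttle; on hosts that should not tunnel, limiting which accounts get a session at all (for example with ForceCommand) is the control that matters.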
We can create our tunnelled proxy by connecting with sshuttle to the compromised host's SSH server.
# Create Tunnel
# SUBNET: specify your subnet (e.g. 172.16.0.0/24)
sshuttle -r <USER>@<TARGET_IP> <SUBNET>
# Automatically determine the subnets
sshuttle -r <USER>@<TARGET_IP> -N
# Exclude a specific IP (-x)
sshuttle -r <USER>@<TARGET_IP> <SUBNET> -x <remote-ip>
If you don't know the user's password but have an SSH key, use the following command:
sshuttle -r <USER>@<TARGET_IP> --ssh-cmd "ssh -i KEYFILE" <SUBNET>
If you get the error "Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found...", you need to flush the DNS cache:
sudo systemctl enable systemd-resolved.service
sudo resolvectl flush-caches
Run sshuttle again.