SSH tunnel

source: https://hackertarget.com/ssh-examples-tunnels/


6. Establish a VPN over SSH

A common term amongst offensive security folks (pentesters / red teams / etc) is to pivot into a network. Once you have a connection established on one system, that system becomes a gateway point for further access to the network. This is known as pivoting and enables lateral movement through the network.

We can use the SSH SOCKS proxy for this together with proxychains, however there are some limitations. For example raw sockets cannot be sent through a SOCKS proxy, so Nmap SYN scans cannot be used to port scan the internal network.

Using this more advanced VPN option we move the connectivity down to layer 3. We can then simply route traffic through the tunnel using standard network routing.

This technique uses ssh, iptables, tun interfaces and routing.

First we need these options set in the sshd_config on the remote server. Since we are making interface changes on both the remote system and the client system, we will need root privileges on both sides.

PermitRootLogin yes
PermitTunnel yes

Then we will establish our ssh connection using the -w parameter, which requests that tun devices be initialised on both ends.

localhost:~# ssh -v -w any root@remoteserver

Now you should have a tun device when you show interfaces (# ip a). Next step is to add IP addresses to the tunnel interfaces.

SSH Client Side:

localhost:~# ip addr add 10.10.10.2/32 peer 10.10.10.10 dev tun0
localhost:~# ip link set tun0 up

SSH Server Side:

remoteserver:~# ip addr add 10.10.10.10/32 peer 10.10.10.2 dev tun0
remoteserver:~# ip link set tun0 up

Now we should have a direct route to the other host (route -n and ping 10.10.10.10).

It is now possible to route any subnet through the other side host.

localhost:~# route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

On the remote side we need to enable ip_forward and add an iptables NAT rule (enp7s0 below is the remote host's outbound interface; substitute your own).

remoteserver:~# echo 1 > /proc/sys/net/ipv4/ip_forward
remoteserver:~# iptables -t nat -A POSTROUTING -s 10.10.10.2 -o enp7s0 -j MASQUERADE

Boom! Layer three VPN through an SSH tunnel. Now that's winning.

Any trouble, try tcpdump and ping to see where it's broken. Since we are playing at layer 3 our ICMP packets should be jumping through that tunnel.
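The tunnel above only works because the remote sshd allows tunnel devices and root login. The following audit script is an added example (not from the hackertarget article): it reads an sshd_config and flags both settings, so a server owner can spot a host that would accept this kind of pivot. Defaults are assumed from sshd_config(5) (PermitTunnel "no", PermitRootLogin "prohibit-password"); the sample config it checks is constructed inline.

```shell
# Added audit script (not from the article): check an sshd_config for the two
# settings the tunnel technique above relies on. Defaults assumed from
# sshd_config(5): PermitTunnel "no", PermitRootLogin "prohibit-password".

# Effective value of a keyword in the global section: sshd keeps the first value
# it reads, and the global section ends at the first "Match" line.
sshd_option() {
    # $1 = config file, $2 = keyword (case-insensitive), $3 = default value
    value=$(awk -v key="$2" '
        { gsub(/=/, " ") }                          # accept "Keyword=value" too
        tolower($1) == "match" { exit }             # leave the global section
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    printf '%s\n' "${value:-$3}"
}

# Returns 0 when the config permits neither tunnel devices nor root login,
# 1 (with one FINDING line per problem) otherwise.
audit_tunnel_config() {
    cfg="$1"
    rc=0
    tunnel=$(sshd_option "$cfg" PermitTunnel no)
    root=$(sshd_option "$cfg" PermitRootLogin prohibit-password)
    if [ "$tunnel" != "no" ]; then
        echo "FINDING: PermitTunnel $tunnel lets clients request tun/tap devices (ssh -w)"
        rc=1
    fi
    if [ "$root" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes allows the interface changes shown above"
        rc=1
    fi
    return $rc
}

# Constructed sample (not a real host's file) carrying the two lines the article sets.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config
PermitRootLogin yes
PermitTunnel yes
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_config)
audit_tunnel_config "$sample" || echo "-> $sample would allow the tun-over-ssh pivot above"
rm -f "$sample"
```

For a live host, `sshd -T` prints the effective configuration and can be fed to the same function in place of the raw file.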


20. Bouncing through jump hosts with ssh and -J

When network segmentation means you are jumping through multiple ssh hosts to get to a final destination network or host, this jump host shortcut might be just what you need.

localhost:~$ ssh -J host1,host2,host3 user@host4.internal

A key thing to understand here is that this is not the same as running ssh host1 and then user@host1:~$ ssh host2. The -J jump parameter uses forwarding trickery so that the localhost establishes the session with the next host in the chain. So our localhost is authenticating with host4 in the above example; meaning our localhost keys are used and the session from localhost to host4 is encrypted end to end.

To use this ability in the ssh_config, use the ProxyJump configuration option. If you regularly have to jump through multiple hosts, use the config file and your alias to host4 will save you a lot of time.


22. Modify Port Forwarding within a session with ~C

And our final ssh example is for modifying port forwarding on the fly within an existing ssh session. Picture this example scenario. You are deep in a network; perhaps you have jumped through half a dozen jump hosts and need a local port on your workstation forwarded to Microsoft SMB on the old Windows 2003 system you spotted (MS08-067 anyone?).

After hitting enter, try typing ~C in your terminal. This is a control escape sequence within the session that allows you to make changes to the existing connection.

localhost:~$ ~C
ssh> -h
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward
ssh> -L 1445:remote-win2k3:445
Forwarding port.

You can see here we have forwarded our local port 1445 to the Windows 2003 host we found on the internal network. Now simply launch msfconsole and we are good to go (assuming you were planning on exploiting that host).