SSH (reverse tunnel)

Reverse SSH tunnel | Networking conceptsjarrettgxz-sec.gitbook.io

GitHub - haad/proxychains: proxychains - a tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy. Supported auth-types: "user/pass" for SOCKS4/5, "basic" for HTTP.GitHub

proxychains4(1) — proxychains4 — Debian trixie — Debian Manpagesmanpages.debian.org

Secure-SHell (SSH) can be used for pivoting around a network. Particularly, this is achieved with the reverse tunnel (-R) option provided by SSH.

$ ssh -R <listen_port> <remote_host> [-p <port>]

Given the following setup:

1. Attacker machine

• IP: 1.1.1.1/24

1. Pivot machine (compromised)

• IP: 1.1.1.2/24 and 2.2.2.2.2/24

1. Target machine

• Only accessible from the pivot machine

• IP: 2.2.2.3/24

Suppose we want to access the target machine from the attacker machine. However, the target machine is only accessible from the pivot machine on the particular interface (2.2.2.0/24). To bypass this restriction, we can use the following SSH command to convert the pivot machine to a SOCKS5 proxy:

Attacker machine@1.1.1.1

$ ssh -R 8888 1.1.1.2 -N

Now, we can access the target machine (2.2.2.3/24 network) on port 8888 from the attacker machine, as if they are on the same network. We can use proxychains to achieve this:

Attacker machine@1.1.1.1

$ cat /etc/proxychains4.conf 
...
socks5  127.0.0.1 8888

# eg. perform nmap scan through the pivot (acting as proxy)
$ proxychains4 -f /etc/proxychains4.conf nmap -sT 2.2.2.3 

Note that certain commands or options may not work as expected over the SOCKS proxy, eg. nmap -sS . Moreover, additional configurations may be required for DNS resolution to be resolved over the proxy.