SSH is a powerful tool with more uses than simply logging into a server. The protocol, which stands for Secure Shell, provides X11 forwarding, port forwarding, secure file transfer, and more. Using SSH port forwarding on a compromised host that has access to a restricted network can allow an attacker to reach hosts within that restricted network, or to pivot into it.
In this article, we'll look at one of the SSH port forwarding options: local port forwarding. Since this can be somewhat confusing, I'd like to talk a little about the idea of port forwarding first.
Why Port Forwarding Can Be Important
When we think of port forwarding, we usually think of it in terms of a router. In a typical home internet setup, the router is connected to the WAN (wide area network) and has an IP address assigned by the ISP (internet service provider). On the other side of the router is your LAN (local area network). Hosts within the LAN are generally assigned IP addresses by the router.
In most home setups, the router also acts as a firewall, allowing outbound TCP connections and dropping inbound connections. If you want to reach a service on a machine within your local network from outside, you have to configure the router to forward connections on that port to your machine. This means the entire internet could have access to that service on your internal (or local) network. The router takes the incoming traffic destined for your service and forwards it straight on to your machine.
Now, let's expand on this a bit. Let's say the network is a little larger. We could have a Wi-Fi network for the public to use and another network for staff. All of the hosts could be connected to one gateway and segmented by network. Like in our home example, we have one WAN connection, except this time we have two LANs. The router keeps traffic from the public network from reaching the staff network.
When SSH Port Forwarding Comes in Handy
If you have administrative control of the router, you can configure it to forward traffic into the staff network. But what if you don't have administrative control? Maybe you have a low-level user account and can SSH in, but you can't access the admin panel and can't modify any of the settings.
This is where SSH port forwarding comes in: we can use it to forward our traffic into a network we normally wouldn't be able to reach, thus pivoting into that network. This doesn't just work on routers; it works on any node that has SSH enabled and access to two or more internal networks.
In one scenario, we are connected to a public perimeter network (demilitarized zone, or DMZ) at a local university. Through enumeration, we have discovered that the firewall is running SSH with extremely weak credentials. We're coming from the DMZ, and our target is the intranet. The only thing standing in our way is the firewall, which we can log in to via SSH, but our captured account isn't privileged enough to change any settings.
The firewall protects the intranet (the university staff hosts, our target) from external malicious traffic, but allows both networks access to the internet. We are unable to connect to hosts on the LAN from the DMZ, and based on how easy the firewall was to access, I suspect the hosts on the LAN are incredibly soft. Weak credentials, combined with the fact that many administrators don't treat their internal networks as hostile, means the security on the hosts within the LAN is probably next to none.
Since it's an internal staff network, it probably contains or has access to quite a bit of confidential information. If we're conducting a penetration test as a white hat, we want to be able to document that confidential information in a report. If we're black or gray hats, we might be looking to exfiltrate, change, or delete that data. The question is: how do we get access?
In order to access the internal network, we're going to have to get tricky and pivot into it, since we can't connect to it directly. This is where SSH port forwarding comes in handy.
Step 1: The Setup
In this situation, we have three machines: our attacking machine, the firewall, and a host within the internal network. In a real engagement, there will usually be more than one machine on the internal network, but for learning purposes, one machine is all we need.
My attacking machine is on the 192.168.1.0/24 network, which represents the DMZ network. The firewall is reachable as a gateway from the DMZ on that same network. It is also reachable as a gateway from the internal network, which is in the 192.168.56.0/24 range. These addresses are written in CIDR notation.
The goal here is to be able to discover and attack hosts within the internal network from the DMZ network. Since we can't connect directly to a host within the internal network, we will use the DMZ firewall's SSH service to reroute our traffic into the internal network.
Many beginners are not aware of SSH's full feature set. Without a pivot into the internal network, an attacker would be totally reliant on the toolset present on the compromised firewall, which is likely extremely limited. Sometimes you'll get Nmap if you're lucky. An attack could be carried out that way, but it's much easier to work with a large toolkit like the one included in Kali Linux. Tools like Metasploit can really make things easier.
To simulate this setup, I configured a virtual machine on the compromised host with a host-only adapter. This makes the victim non-routable by traffic on my DMZ network. If you want to try this at home, simply create a Linux virtual machine with SSH enabled in VirtualBox and configure its network adapter as host-only. The host operating system will need to have SSH enabled, and you will need another machine to reach the host operating system's SSH service.
When all the configuration is done, we should have a setup that looks like this:
What happens when the attacking machine attempts to ping the guest machine? We can't route traffic to the victim machine, but we can access the host machine via SSH, and that's all we need.
Step 2: Gathering Information
Before I can properly pivot from the network, it's probably a good idea to have a look at what I have access to via the firewall. I open a terminal and log in with SSH by typing the following, replacing victimmachine with the IP address of the victim computer we have access to.
I didn't post the full output of ifconfig here since my machine has quite a few interfaces and the full output would be confusing. Since I set up these networks, I know which interface we are targeting. If this were an actual penetration test, part of the post-compromise enumeration of a host is gathering its connected interfaces, just in case there is a pivot available there. If there are multiple connected network interfaces, you should be able to pivot into any of those networks.
Using our SSH connection to the firewall, it's advisable to do a bit of network recon. You will want to discover which hosts are active within the internal network. If you're lucky, Nmap will be installed on the compromised firewall; otherwise, you may have to resort to a manual approach, such as writing a ping sweep bash script (which will not spot machines that block ping). For this example, there is only one machine running on the network, and port 80 (HTTP) is open.
Web applications are often an excellent attack vector. Depending on the owner of the process, a web application could yield anything from a low-privilege shell all the way up to an admin shell. But I have limited information: I know there is a web server running on the host in the internal network, I just don't know what it is.
In order to learn more about this web application, I will configure a local port forward to it using the following command.
ssh -L 8080:internalTarget:80 user@compromisedMachine
The -L option specifies that connections to the given TCP port on the local host are to be forwarded to the given host and port on the remote side. This gives us access to the internal network via the compromised firewall.
In our case, the internal network is anything behind the vboxnet0 interface. More technically, this command creates an SSH tunnel that uses your local port 8080 to connect to the internal target machine through the firewall. SSH listens on localhost port 8080 for connections. When it receives one, it tunnels the data to the SSH server, in this case our compromised firewall. The compromised firewall then connects to the target host and port, and returns the data back across our SSH tunnel.
When executing this command, you get a standard interactive SSH session on the firewall, plus the port forward. If you don't want the shell, you can change the arguments in your command to -NTL. The -N option tells SSH not to execute a remote command, and the -T option tells SSH to disable pseudo-terminal allocation.
Using a simple SSH command, we have pivoted into an internal network that would normally not be accessible to us. This lets us use our own toolkit instead of relying on the initially compromised host to have what we need.
Of course, we aren't limited to forwarding HTTP. We can forward any port on the internal machine, including SSH, provided we know the port of the service we are trying to forward.
It's as easy as changing a port number in our SSH command. Below, we forward the SSH service on the victim machine back to our local port 8080. This would allow us to brute-force SSH, or try credentials for login if we have them.
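As an added example (not from the original article), here is how a defender watching the firewall's sshd log could spot exactly this kind of pivot: the log excerpt and the sshd message wording are constructed and assumed, so the regexes should be checked against the real sshd output before use.

```python
"""Added example (not from the original article): flag SSH local port forwards
(direct-tcpip channels) that the sshd on the firewall brokered into a protected
subnet. Log lines and sshd message wording below are CONSTRUCTED/assumed."""
import ipaddress
import re

# Internal range from the article's lab setup.
PROTECTED_NET = ipaddress.ip_network("192.168.56.0/24")
# Assumed message shapes: a permitted forward (LogLevel DEBUG1) and one refused
# by AllowTcpForwarding no / PermitOpen (LogLevel VERBOSE). Verify against your sshd.
ALLOWED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: debug1: server_request_direct_tcpip: originator "
    r"(?P<orig>\S+) port \d+, target (?P<target>\S+) port (?P<port>\d+)")
DENIED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Received request to connect to host (?P<target>\S+) "
    r"port (?P<port>\d+), but the request was denied")

def parse_forwards(lines):
    """Yield (pid, target, port, allowed) for every direct-tcpip request seen."""
    for line in lines:
        m = ALLOWED_RE.search(line) or DENIED_RE.search(line)
        if m:
            yield m["pid"], m["target"], int(m["port"]), m.re is ALLOWED_RE

def pivots_into(net, lines):
    """Return the forwards whose target lies inside `net`: the events that show
    someone tunnelling through this host into that subnet."""
    hits = []
    for pid, target, port, allowed in parse_forwards(lines):
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            continue  # hostname targets would need resolution; skipped here
        if addr in net:
            hits.append({"pid": pid, "target": target, "port": port, "allowed": allowed})
    return hits

# Constructed sample log excerpt (not captured from a real system).
SAMPLE_LOG = """\
Mar 3 10:01:12 firewall sshd[4121]: Accepted password for user from 192.168.1.20 port 51144 ssh2
Mar 3 10:01:30 firewall sshd[4121]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 44112, target 192.168.56.101 port 80
Mar 3 10:02:02 firewall sshd[4121]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 44118, target 192.168.56.101 port 22
Mar 3 10:02:40 firewall sshd[4121]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 44120, target 203.0.113.10 port 443
Mar 3 10:03:05 firewall sshd[4130]: Received request to connect to host 192.168.56.102 port 445, but the request was denied.
""".splitlines()

if __name__ == "__main__":
    for h in pivots_into(PROTECTED_NET, SAMPLE_LOG):
        print(f"pid {h['pid']}: {h['target']}:{h['port']} ({'allowed' if h['allowed'] else 'refused'})")
```

The matching mitigation on the firewall is AllowTcpForwarding no (or a PermitOpen allow-list) in sshd_config for accounts that have no business tunnelling; sshd -T -C user=NAME prints the effective setting for a given user.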
ssh -L 8080:internalTarget:22 user@compromisedMachine
Local port forwarding is a great way to pivot into internal networks. It is also an excellent way to bypass network restrictions, such as a block on web traffic to Null Byte! Some networks, for example, may be locked down to only allow traffic to exit via a few limited ports. As an added bonus, all traffic we generate between the local host and the SSH server is encrypted.
In the next article, we'll be looking at remote port forwarding. It's similar to what we're doing with local port forwarding, but as always with traffic redirection, it's a bit of a brain twister. So keep an eye out for that guide in the future.
As always, if you have questions or comments, you can reach me on Twitter @0xBarrow.