
Use SSH Local Port Forwarding to Pivot into Restricted Networks « Null Byte :: WonderHowTo

SSH is a powerful tool with far more uses than simply logging into a server: it provides X11 forwarding, port forwarding, secure file transfer and more. Using SSH port forwarding on a compromised host that has access to a restricted network lets an attacker reach hosts inside that network, in other words pivot into it. In this article we'll look at one of the SSH port forwarding options, local port forwarding.

Since this can be somewhat confusing, I'd like to talk a little about the idea of port forwarding. When we think of port forwarding, we usually think of it in terms of a router. In a typical home internet setup you have a router connected to the WAN (Wide Area Network); the router has an IP address assigned by the ISP (Internet Service Provider). On the other side of the router is your LAN (Local Area Network), and hosts on the LAN are generally assigned IP addresses by the router.

In most home setups the router also acts as a firewall, allowing outbound TCP connections and dropping unsolicited inbound ones. If you want to reach a service on a machine inside your local network from outside, you have to configure the router to forward connections on that port to your machine. This means the entire internet would then have access to that service on your internal (local) network. The router takes incoming traffic destined for your service and forwards it straight on to your machine.


Now let's expand on this a bit and say the network is a little larger. We could have a WiFi network for the public to use and another network for staff. All of the hosts connect to a gateway and are segmented by network. Like in our home example we have one WAN connection, except this time we have two LANs. The router keeps traffic coming from the public network from reaching the staff network.

If you have administrative control of the router, you can configure it to forward traffic into the staff network. But what if you don't have administrative control? Maybe you have a low-level user account and can SSH in, but you can't reach the admin panel and can't modify any of the settings. That's where SSH port forwarding comes in: we can use it to forward our traffic into a network we normally couldn't reach, pivoting into it. This doesn't only work on routers; it works on any node that has SSH enabled and is connected to two or more networks.

Let's look at this in action. In this scenario we are connected to a public perimeter network (a demilitarized zone, or DMZ) at a local university. Through enumeration we have discovered that the firewall is running SSH with extremely weak credentials. We're coming from the DMZ, and our target is the intranet. The only thing standing in our way is the firewall, which we can log in to via SSH, but the account we captured isn't privileged enough to change any settings.


The firewall protects the intranet (the university staff hosts, our target) from external malicious traffic, but allows both networks access to the internet. We cannot connect to hosts inside the LAN from the DMZ, and given how easy the firewall was to access, I suspect the hosts on the LAN are soft. Weak credentials, combined with many administrators not treating their internal networks as hostile, means security on the hosts within the LAN is probably next to none.

Since it's an internal staff network, it probably contains or has access to a good deal of confidential information. If we're conducting a penetration test, we want to be able to document that confidential information in a report. If we're black hats, we might be looking to exfiltrate, change, or delete that data. The question is: how do we get access?

In order to reach the internal network we're going to have to get tricky and pivot into it, since we can't connect to it directly. This is where SSH port forwarding comes in handy.

Step 1: The Setup

In this situation we have three machines: our attacking machine, the firewall, and a host within the internal network. In a real engagement there will usually be more than one machine on the internal network, but for learning purposes one machine is all we need.

My attacking machine is on the 192.168.1.0/24 network, which represents the DMZ. The firewall is reachable as a gateway from the DMZ on that same network, and it is also the gateway for the internal network, which is 192.168.56.0/24. These addresses are written in CIDR notation.

Our network.

The goal is to discover and attack hosts within the internal network from the DMZ. Since we can't connect directly to a host on the internal network, we will use the firewall's SSH service to route our traffic into it.

Many beginners are not aware of SSH's full feature set. Without a pivot into the internal network, an attacker would be entirely reliant on the toolset present on the compromised firewall, which is likely to be very limited; sometimes you'll get Nmap, if you're lucky. An attack could be carried out that way, but it's much easier to work with a full toolkit like the one included in Kali Linux. Tools like Metasploit make things considerably easier.


To simulate this setup, I configured a virtual machine on the compromised host with a host-only adapter. This makes the victim unreachable from my DMZ network. If you want to try this at home, create a Linux virtual machine with SSH enabled in VirtualBox and set its network adapter to host-only. The host operating system needs SSH enabled, and you will need another machine to reach the host operating system's SSH service.

When all the configuration is done we should have a setup that looks like this:

What happens when the attacking machine attempts to ping the guest machine?

Here we see that the attacking host cannot route to the vboxnet0 network.

We can't route traffic to the victim machine, but we can reach the host machine via SSH, and that's all we need.


Step 2: Gathering Information

Before I pivot into the network, it's a good idea to look at what I have access to via the firewall. I open a terminal and log in with SSH by typing the following, replacing "victimmachine" with the IP address of the compromised machine:

ssh user@victimmachine

I haven't posted the full output of ifconfig here; my machine has quite a few interfaces and the full output would be confusing. Since I set up these networks, I know which interface we are targeting. On an actual penetration test, part of the post-exploitation enumeration of a host is gathering its connected interfaces and routes, in case a pivot is available there. If there are multiple connected network interfaces, you should be able to pivot into any of those networks.

Step 3: Local Port Forwarding

With our SSH connection to the firewall established, it's wise to do a bit of network recon: find out which hosts are active on the internal network. If you're lucky, nmap will be installed on the compromised firewall; otherwise you may have to resort to a manual approach, such as a ping sweep written in bash (which will miss machines that block ping). In this example there is only one machine on the network, and port 80 (HTTP) is open.
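The interface enumeration from Step 2 and the manual recon described above, as an added example that is not part of the original article: a small set of helpers to run on the compromised firewall when nmap is missing. They use only ip/ifconfig, ping, awk and bash's /dev/tcp. The 192.168.56.x addresses and the "ping" timeout flags assume a Linux pivot host and are placeholders for this walkthrough.

```bash
#!/usr/bin/env bash
# Added recon helpers for the compromised pivot host (not from the original article).
# They rely only on tools that are almost always present: ip/ifconfig, ping, awk,
# and bash's /dev/tcp, for when nmap is not installed on the firewall.

# List connected interfaces and the routing table: a second interface or an extra
# connected route (e.g. 192.168.56.0/24 on vboxnet0) is the network we can pivot into.
enum_interfaces() {
  if command -v ip >/dev/null 2>&1; then
    ip -br addr
    echo "--- routes ---"
    ip route
  else
    ifconfig -a
    echo "--- routes ---"
    netstat -rn
  fi
}

# Ping sweep of a /24. Prints each host that answers, one per line.
# $1 = first three octets (e.g. 192.168.56); $2 = optional probe command, defaults to
# a one-packet Linux ping with a one-second timeout. Hosts that drop ICMP are missed.
ping_sweep() {
  prefix=$1
  probe=${2:-"ping -c 1 -W 1"}
  i=1
  while [ "$i" -le 254 ]; do
    ( $probe "$prefix.$i" >/dev/null 2>&1 && echo "$prefix.$i" ) &
    i=$((i + 1))
  done
  wait
}

# TCP connect check through bash's /dev/tcp, for hosts found by the sweep.
# $1 = host, $2 = port; returns 0 when the port accepts a connection.
tcp_open() {
  timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage from the pivot host, e.g.:
#   ./recon.sh enum
#   ./recon.sh sweep 192.168.56
#   ./recon.sh probe 192.168.56.101 80
case "${1:-}" in
  enum)  enum_interfaces ;;
  sweep) ping_sweep "$2" ;;
  probe) tcp_open "$2" "$3" && echo "$2:$3 open" ;;
esac
```

The sweep backgrounds one probe per address so a /24 finishes in about a second rather than four minutes; "tcp_open" then confirms the service port without needing nc or nmap on the box.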

Web applications are often an excellent attack vector. Depending on the user the process runs as, a web application could yield anything from a low-privilege shell up to an admin shell. Right now I have limited information: I know there is a web server running on the host inside the internal network, but I don't know what it is.

To learn more about this web application, I configure a local port forward to it with the following command:

ssh -L 8080:internalTarget:80 user@compromisedMachine

The -L option specifies that connections to the given TCP port on the local (client) side are to be forwarded to the given host and port on the remote side.

This gives us access to the internal network via the compromised firewall; in our case the internal network is anything behind the vboxnet0 interface. More precisely, the command creates an SSH tunnel that uses local port 8080 to reach the internal target through the firewall. SSH listens on localhost port 8080; when it receives a connection, it carries the data over the SSH session to the SSH server, our compromised firewall. The firewall then connects to the target host and port, and the responses travel back across our SSH tunnel.

When you run this command you get a normal interactive SSH session on the firewall in addition to the port forward. If you don't want the shell, change the options to "-NTL". "N" tells SSH not to execute a remote command, and "T" disables pseudo-terminal allocation. Note that by default the forwarded port is bound to the loopback address only, so nobody else can use your tunnel; prefixing a bind address (for example -L 0.0.0.0:8080:internalTarget:80) would expose the pivot to everyone on the DMZ.

With a single SSH command we have pivoted into an internal network that would normally not be accessible to us. This lets us use our own toolkit rather than relying on the initially compromised host having what we need.

Of course, we aren't limited to forwarding HTTP. We can forward any port on the internal machine, including SSH, provided we know the port of the service we want to reach.

It's as easy as changing a port number in the SSH command. Below, we forward the victim machine's SSH service to our local port 8080. This would allow us to brute force SSH, or try credentials for login if we have them.

ssh -L 8080:internalTarget:22 user@compromisedMachine
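The HTTP and SSH forwards above, put together as an added example that is not part of the original article: one backgrounded SSH session carrying both forwards, a check that the listeners are bound to loopback only, the local tools used through them, and a clean teardown via a control socket. The pivot user, addresses, ports and socket path are placeholders for this walkthrough.

```bash
#!/usr/bin/env bash
# Added example (not the article's own commands): run the local forwards from the
# attacking machine in one backgrounded SSH session, confirm the listeners are bound
# to loopback, use local tools through them, then tear the session down cleanly.
# The user, addresses and socket path below are placeholders for this walkthrough.

PIVOT=user@192.168.1.1        # the firewall, reachable from the DMZ
TARGET=192.168.56.101         # host behind vboxnet0, not routable from the DMZ
CTL=/tmp/pivot.sock           # control socket so we can close the backgrounded session

# Build one -L argument. Binding to 127.0.0.1 explicitly keeps other DMZ hosts from
# riding our tunnel; loopback is ssh's default too, but being explicit documents intent.
forward_arg() {
  printf -- '-L 127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# -f: background after authentication, -N: no remote command, -T: no pty,
# -M/-S: control master on $CTL, ExitOnForwardFailure: fail if a local port is taken.
open_tunnel() {
  # word splitting of forward_arg output into "-L" and its value is intended
  ssh -f -N -T -M -S "$CTL" -o ExitOnForwardFailure=yes \
      $(forward_arg 8080 "$TARGET" 80) \
      $(forward_arg 2222 "$TARGET" 22) \
      "$PIVOT"
}

close_tunnel() {
  ssh -S "$CTL" -O exit "$PIVOT"
}

# Check that the socket listening on port $1 is bound to a loopback address.
# Reads `ss -lnt` (or `netstat -lnt`) output on stdin so it can be exercised offline.
listener_is_loopback() {
  awk -v p="$1" '
    $1 == "LISTEN" || $NF == "LISTEN" {          # ss puts State first, netstat last
      for (i = 1; i <= NF; i++)
        if ($i ~ (":" p "$")) { found = 1; addr = $i; sub(/:[0-9]+$/, "", addr) }
    }
    END { exit !(found && (addr == "127.0.0.1" || addr == "[::1]")) }'
}

# Usage from the attacking machine:
#   ./pivot.sh up            start the tunnel and fingerprint the internal web server
#   ./pivot.sh ssh admin     log in to the internal host's sshd through the tunnel
#   ./pivot.sh down          close the backgrounded session
case "${1:-}" in
  up)
    open_tunnel
    ss -lnt | listener_is_loopback 8080 || { echo "8080 is not loopback-only" >&2; exit 1; }
    curl -sI http://127.0.0.1:8080/ | head -n 3     # server banner of the internal web app
    ;;
  ssh)  ssh -p 2222 "${2:-root}@127.0.0.1" ;;
  down) close_tunnel ;;
esac
```

Two practical points: ssh stores the internal host's key under [127.0.0.1]:2222 in known_hosts, so a later forward of a different host to the same local port will trigger a host-key mismatch warning rather than silently connecting; and because the attacking machine sees only 127.0.0.1, tools such as nmap run against localhost will only ever tell you about the forwarded port, not about other services on the target.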

Local port forwarding is a great way to pivot into internal networks. It is also an excellent way to bypass network restrictions, such as a block on web traffic to Null Byte!

Some networks, for example, may be locked down to only allow traffic out on a few ports. As an added bonus, all traffic between our local host and the SSH server is encrypted! In the next article we'll look at remote port forwarding. It's similar to what we're doing with local port forwarding, but as always with traffic redirection, it's a brain twister!

As always, for questions or comments you can reach me on Twitter! -@0xBarrow

Cover image via Barrow / Null Byte
