Tunnel traffic through SSH connection

Often you will have SSH access to a host on the target's network perimeter and want to scan the internal environment behind it. SSH can tunnel your traffic through the connection to that compromised host, so the scans originate from inside the perimeter.

Assumptions:
1. You cannot get your scanning tool installed on, or transferred to, the compromised host.
2. You can ssh directly into the compromised host with credentials or an SSH key.

Step 1:
Open an SSH tunnel to the compromised host with dynamic port forwarding enabled (the -D switch), which starts a local SOCKS listener on the given port:

ssh -i id_rsa -D 1080 user@compromised.host

Verify that a local listener is bound to the port configured above:

netstat -antp | grep 1080

Step 2:
Configure proxychains (/etc/proxychains4.conf).
Un-comment this line:

localnet 127.0.0.0/255.0.0.0

Add this line to the end of the file (the port number must match the one used for the ssh tunnel):

socks5 127.0.0.1 1080

Step 3:
Run your scans through the tunnel:

proxychains nmap -iL internaltargets.file -A -oN output.nmap

You can also set up your browser or other tools separately to send their traffic through the tunnel.

Alternatively, a tool such as sshuttle can route your traffic through an SSH connection without per-tool configuration:

sshuttle -v -e "ssh -i id_rsa" -r root@compromised.host 172.16.109.0/24   # 172.16.109.0/24 is the internal LAN segment
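Before running a long scan through the proxychains setup above, it is worth confirming that the local SOCKS listener really relays connections, since proxychains only redirects TCP connect() calls and reports nothing about the tunnel itself. The probe below is an added example, not code from the original post: it performs the SOCKS5 no-auth handshake and a CONNECT request against the ssh -D listener and returns the reply code; the proxy address, the target name internal.example and the fake server used for the self-contained demo() are constructed placeholders.

```python
import socket
import struct
import threading

def socks5_connect_probe(proxy, target, timeout=5.0):
    """Do a SOCKS5 no-auth handshake and CONNECT request through `proxy`
    (the local ssh -D listener) and return the server's reply code:
    0 = succeeded, 4 = host unreachable, 5 = connection refused (RFC 1928)."""
    host, port = target
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                # version 5, one method: no auth
        ver, method = s.recv(2)
        if ver != 5 or method != 0:
            raise RuntimeError("proxy did not accept the no-auth method")
        # ATYP 3 (domain name): ssh resolves the name on the remote side,
        # so no DNS lookup for internal hosts leaves the scanning machine.
        req = b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode()
        s.sendall(req + struct.pack(">H", port))  # one send: keep request whole
        reply = s.recv(10)
        if len(reply) < 4 or reply[0] != 5:
            raise RuntimeError("malformed SOCKS5 reply")
        return reply[1]

def _fake_socks5_server(srv, refuse_port):
    # Constructed stand-in for the ssh -D listener, used only by demo():
    # answers every CONNECT with "succeeded" except for refuse_port.
    conn, _ = srv.accept()
    with conn:
        conn.recv(3)                              # client greeting
        conn.sendall(b"\x05\x00")                 # choose no-auth
        req = conn.recv(262)                      # 4 + 1 + 255 + 2 bytes max
        code = 5 if struct.unpack(">H", req[-2:])[0] == refuse_port else 0
        conn.sendall(bytes([5, code, 0, 1]) + b"\x00" * 6)

def demo(target_port, refuse_port=9999):
    """Run the probe against the fake listener; returns the SOCKS5 reply code."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))                    # ephemeral port, loopback only
    srv.listen(1)
    srv.settimeout(5)
    t = threading.Thread(target=_fake_socks5_server, args=(srv, refuse_port), daemon=True)
    t.start()
    try:
        return socks5_connect_probe(srv.getsockname(), ("internal.example", target_port))
    finally:
        t.join()
        srv.close()

if __name__ == "__main__":
    print("reply code for port 22:", demo(22))    # 0 means the tunnel relays CONNECTs
```

Against the real tunnel, call socks5_connect_probe(("127.0.0.1", 1080), (host, port)) with an internal host from your target list; a reply code other than 0 explains a silent proxychains failure before you blame the scanner.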
