Tips for an Information Security Analyst/Pentester career - Ep. 91 - SSH Tunneling (local port forwarding)
SSH tunneling is a very powerful and native tool that can be used to gain access to services on a remote machine that would normally be inaccessible from outside.
For example, you're SSH'ed into a remote machine, but you need a browser to reach a web service on that machine, say to run Nessus scans.
All you have is a terminal, so normally you couldn't do that, but SSH lets you create a tunnel that makes it possible.
There are three types of SSH tunnels, but here I'm only going to cover local port forwarding, which redirects traffic from a specified local port to a port on the remote machine.
I'll be talking about the other two types of tunnels in upcoming posts.
In our example, we're going to use a Metasploitable 2 instance running locally at 192.168.1.253.
We're connected to this intentionally vulnerable machine through SSH (credentials msfadmin:msfadmin). Let's imagine we need to reach the web server running on Metasploitable 2 from a browser on our local machine.
We can solve the problem by creating a local SSH tunnel that binds remote port 80 to local port 1880 (ports below 1024 require root privileges to bind to, so we can't use local port 80).
This is done with the following command:
ssh -Nf -L 1880:127.0.0.1:80 msfadmin@192.168.1.253
-N: do not execute a remote command, just forward the ports
-f: go to the background right after authentication
-L: local port forwarding, in the form local_port:destination_host:destination_port
-Nf is used so that no interactive shell is left open on the remote host, which removes a session an attacker could use as a pivot point.
Once the tunnel is established, we can reach the web server listening on remote port 80 by pointing our browser at local port 1880.
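As an added example that is not part of the original post, here is a small POSIX shell helper that assembles the -Nf -L command from a forwarding spec and checks the two things that bite most often: a privileged local port and a bind address that would expose the tunnel to other hosts on your network. The spec syntax is ssh's own; the function names and the bind-address policy are mine.

```shell
#!/bin/sh
# Added example (not the original post's code): build and sanity-check an
# "ssh -Nf -L" command line before running it.
# Spec format is ssh's own: [bind_address:]local_port:dest_host:dest_port
# (IPv6 literal addresses are not handled here.)

# Return 0 if $1 is a TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for a spec and a user@host target; on a problem,
# explain on stderr and return non-zero.
build_tunnel_cmd() {
    spec="$1"; target="$2"
    # 3 fields = port:host:hostport, 4 fields = bind:port:host:hostport
    fields=$(printf '%s' "$spec" | awk -F: '{print NF}')
    case "$fields" in
        3) bind=127.0.0.1; lport=${spec%%:*}; rest=${spec#*:} ;;
        4) bind=${spec%%:*}; rest=${spec#*:}; lport=${rest%%:*}; rest=${rest#*:} ;;
        *) echo "bad spec: $spec" >&2; return 1 ;;
    esac
    rhost=${rest%%:*}; rport=${rest#*:}
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    valid_port "$rport" || { echo "bad remote port: $rport" >&2; return 1; }
    # Binding below 1024 needs root; the post picks 1880 for exactly this reason.
    if [ "$lport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "local port $lport is privileged; pick one >= 1024" >&2; return 1
    fi
    # A non-loopback bind address lets other hosts on your network use the
    # tunnel too (same effect as GatewayPorts); refuse it by default.
    case "$bind" in
        127.*|localhost) ;;
        *) echo "refusing non-loopback bind address $bind" >&2; return 1 ;;
    esac
    printf 'ssh -Nf -L %s:%s:%s:%s %s\n' "$bind" "$lport" "$rhost" "$rport" "$target"
}

# Return 0 if something already listens on local TCP port $1.
# Relies on ss(8); with ss missing it reports "not in use", so check that first.
port_in_use() { ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"; }

# Usage: build_tunnel_cmd 1880:127.0.0.1:80 msfadmin@192.168.1.253
```

Run `port_in_use 1880` before starting the tunnel; the same `ss -ltn` output is also how you later confirm the forwarded listener is bound to 127.0.0.1 only.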
I normally use SSH tunneling for testing purposes, but it can very well be used for hacking.
For example, when the remote machine has no Internet connection or is locked down, you can set up a SOCKS proxy over SSH and run all the tools you need from your local machine, without having to upload them to the target machine or run them in memory there.
I'll come back to this point, too, but even without further details you can easily grasp how powerful this attack method is.
Some people would rather use tools like sshuttle to do this, but I'm personally big on native solutions because they work better, have fewer compatibility issues and don't leave such an unpleasant audit trail. Often you might not need, or even want, to install tools on a remote machine.
On a red teaming engagement you definitely want to avoid that, because it will blow your cover, but you might also simply lack the privileges to do it.
What if you're in as an ordinary user that can't run sudo due to lack of privileges?
Would you give up? No way.
A real hacker finds a way around it; giving up is not an option.
SSH is maybe the most powerful protocol ever created, and a hacker worthy of this name should know how to use and abuse it in its native form, without any need for embellishments or unnecessary stuff.