Forward tunneling (-L) is for pulling their resource to us: a port on the remote side shows up on a local port
Attacker initiates
Attacker gets victim:80 on Attacker:8080
ssh -L 8080:victim:80 kim@victim
Attacker initiates (same method as above; localhost is resolved on victim, so this also reaches victim:80)
ssh -L 8080:localhost:80 kim@victim
Attacker initiates (same method as above)
Attacker gets desired_target:3389, reached through victim, on Attacker:3333
ssh -L 3333:desired_target:3389 kim@victim
Attacker initiates (same method as above); the optional bind address decides who can reach the local listener
# map to localhost only
ssh -L localhost:3333:desired_target:3389 kim@RemoteServer
# map to one IP only
ssh -L 192.168.32.201:3333:desired_target:3389 kim@RemoteServer
# map to both (all interfaces; escape * so the shell does not expand it)
ssh -L \*:3333:desired_target:3389 kim@RemoteServer
Example
Map my local port 443 to remote port 3389 (several forwards can go in one session)
Get their 3389 resource on my port 443
ssh root@RemoteServer -L localhost:443:RemoteServer:3389 -L localhost:444:RemoteServer1:3389 -L 192.168.32.201:445:RemoteServer2:445 -L 192.168.32.201:1433:RemoteServer3:1433
Example with private key
Map local address:port pairs to remote address:port pairs
ssh -i private-key root@RemoteServer -L localhost:443:RemoteServer:3389 -L localhost:444:RemoteServer1:3389 -L 192.168.32.201:445:RemoteServer2:445 -L 192.168.32.201:1433:RemoteServer3:1433
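The bind-address rules above (localhost only, one IP, all interfaces) are easy to get wrong, and a forward bound to all interfaces is reachable by every host on the network. The following is an added example, not part of the original notes: a small shell function that parses an ssh forwarding spec of the form [bind_address:]port:host:hostport and reports where the listener will bind. It encodes OpenSSH's documented rules; the function name and output format are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): classify an ssh forwarding
# spec "[bind_address:]port:host:hostport" as used by -L and -R, and report
# which interfaces the listening side ends up on. OpenSSH semantics:
#   - no bind_address at all  -> follows the GatewayPorts setting
#                                (ssh_config for -L, sshd_config for -R);
#                                with the default "no" that means loopback
#   - empty bind_address (":port:...") or "*" -> all interfaces
#   - "localhost" / "127.0.0.1" -> loopback only
#   - anything else -> that one address
# Limitation: a bare IPv6 bind address would confuse the colon counting
# (ssh accepts "/" as a separator for that case; not handled here).
parse_forward_spec() {
    spec=$1
    stripped=$(printf '%s' "$spec" | tr -d ':')
    colons=$(( ${#spec} - ${#stripped} ))
    case $colons in
        2) explicit=0; bind=;            rest=$spec ;;
        3) explicit=1; bind=${spec%%:*}; rest=${spec#*:} ;;
        *) printf 'invalid spec: %s\n' "$spec" >&2; return 1 ;;
    esac
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    if [ "$explicit" -eq 0 ]; then
        shown='(default)'; scope=gatewayports-default
    else
        case "$bind" in
            ''|'*')              shown='*';   scope=all-interfaces ;;
            localhost|127.0.0.1) shown=$bind; scope=loopback ;;
            *)                   shown=$bind; scope=single-address ;;
        esac
    fi
    printf 'bind=%s port=%s target=%s:%s scope=%s\n' \
        "$shown" "$port" "$host" "$hostport" "$scope"
}

# Demo over the specs used in the notes above (quoted so the shell does not
# expand "*"); anything not reported as loopback is reachable by other hosts.
for s in 8080:victim:80 localhost:3333:desired_target:3389 \
         '*:3333:desired_target:3389' 192.168.32.201:3333:desired_target:3389; do
    parse_forward_spec "$s"
done
```

Note the difference between leaving the bind address out entirely (the listener follows GatewayPorts, loopback by default) and giving an empty one with a leading colon or *, which opens the port on all interfaces.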
Reverse tunneling (-R) is for sharing your resources with others: a port on the remote server forwards back to something the local side can reach
Remote host will listen on 2222 and hand out the resource named in the command (localhost:22 or localhost:3389 below)
ssh -R 2222:localhost:22 root@RemoteServer
ssh -R 2222:localhost:3389 root@RemoteServer
Useful when the victim is behind a firewall: the connection goes outward from the victim, so nothing inbound has to be opened
ssh -R 2222:OTHER_HOST:3389 root@RemoteServer
In order to bind to all interfaces on RemoteServer (needs GatewayPorts enabled on the server, see below)
ssh -R \*:8080:localhost:80 -N root@RemoteServer
To allow that, add the following on your remote server on the Internet in /etc/ssh/sshd_config to enable GatewayPorts
sudo nano /etc/ssh/sshd_config
GatewayPorts yes    # add this line at the end of the file
sudo service sshd restart
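Appending GatewayPorts yes at the end of sshd_config only takes effect if the keyword is not already set earlier in the file: sshd uses the first value it finds for a keyword and ignores later duplicates. The following is an added example, not part of the original notes, that reads an sshd_config (from stdin or a path) and prints the value sshd will actually use, so the pitfall can be spotted before restarting sshd. The function name is my own; the parsing rules follow sshd_config(5).

```sh
#!/bin/sh
# Added example (not from the original notes): report the GatewayPorts value
# sshd will actually use, given an sshd_config on stdin or as $1. Rules that
# matter here: sshd keeps the FIRST value it sees for a keyword and ignores
# later duplicates, keywords are case-insensitive, "Key=Value" is allowed,
# and the default when the keyword is absent is "no". Consequence for the
# recipe above: appending "GatewayPorts yes" at the end of a file that
# already says "GatewayPorts no" higher up changes nothing. Anything after
# the first "Match" block is conditional and is not counted as global here.
effective_gateway_ports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        { gsub(/=/, " "); $0 = $0 }              # "GatewayPorts=yes" -> two fields
        tolower($1) == "match" { exit }          # global section ends at first Match
        tolower($1) == "gatewayports" && !found { val = tolower($2); found = 1 }
        END { print (found ? val : "no") }
    ' ${1:+"$1"}
}

# Constructed sample configs (not real server files) showing the pitfall.
demo() {
    printf 'Port 22\nGatewayPorts no\n\n# GatewayPorts yes\nGatewayPorts yes\n' \
        | effective_gateway_ports          # -> no  (first value wins; appended line ignored)
    printf 'Port 22\nPermitRootLogin no\n' \
        | effective_gateway_ports          # -> no  (default when absent)
    printf 'gatewayports = clientspecified\nMatch User kim\n  GatewayPorts yes\n' \
        | effective_gateway_ports          # -> clientspecified
}
demo
```

On a live server, sshd -T dumps the effective configuration, so sshd -T | grep -i gatewayports is the authoritative check. From the server owner's side, GatewayPorts yes turns every -R forward from any user into an Internet-facing listener; clientspecified at least makes the client ask for it explicitly, and no (the default) keeps reverse forwards on loopback.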
Keep SSH tunnel open persistently (autossh restarts the session if it drops)
autossh -f -M 22222 root@RemoteHost -L 192.168.1.X:8080:RemoteHostX:80 -nNT
Flag -f (autossh: go to background)
Flag -M (autossh: monitoring port used to check that the tunnel is alive)
Flag -n (ssh: redirect stdin from /dev/null)
Flag -N (ssh: do not execute a remote command, just forward ports)
Flag -T (ssh: disable pseudo-terminal allocation)
Flag -L (ssh: local forwarding)
-nNT flags
Example
Only port forwarding, no ssh tty allocated
ssh -nNT root@RemoteServer -L 192.168.1.X:8080:RemoteServer:80
SSH tunneling (dynamic): a SOCKS proxy on local port 8888
ssh -D 8888 kim@host
How to monitor established, listening and tunneling connections
netstat -pnt
netstat -lpnt
netstat -lpnt | grep ssh
netstat -l (listening sockets only)
netstat -p (PID and program name owning each socket)
netstat -n (numerical addresses)
netstat -t (TCP only)
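Grepping netstat output for ssh shows the tunnel endpoints, but the thing worth checking is which of them are bound beyond loopback. The following is an added example, not part of the original notes: a shell function that reads netstat -lpnt output, keeps the sockets that look like ssh tunnel endpoints, and marks those reachable from other hosts. The sample output is constructed, the function name and heuristics are my own, and the sshd service port is taken as an argument because it is configurable.

```sh
#!/bin/sh
# Added example (not from the original notes): pick ssh tunnel endpoints out
# of "netstat -lpnt" output and flag those reachable from other hosts.
# Heuristics: a LISTEN socket owned by "ssh" is a client-side -L/-D
# listener; one owned by "sshd" on a port other than the sshd service port
# is the server side of a -R forward. Anything not bound to 127.0.0.1/::1
# is marked EXPOSED. The -p column needs root to show other users'
# processes, so run as root (or via sudo) when auditing a shared host.
ssh_listeners() {
    sshd_port=${1:-22}
    awk -v sshd_port="$sshd_port" '
        $6 != "LISTEN" { next }                           # listening sockets only
        {
            split($7, pp, "/"); pid = pp[1]; prog = pp[2] # "4242/ssh" or "5120/sshd:"
            n = split($4, a, ":"); port = a[n]            # port is the last ":" field
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (prog == "ssh")                             kind = "local-forward"
            else if (prog ~ /^sshd/ && port != sshd_port)  kind = "reverse-forward"
            else next                                      # sshd service port or unrelated
            scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "EXPOSED"
            printf "%s %s %s:%s %s\n", pid, kind, addr, port, scope
        }'
}

# Constructed sample of "netstat -lpnt" output (not captured from a real host).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      811/sshd
tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      4242/ssh
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4242/ssh
tcp        0      0 192.168.32.201:445      0.0.0.0:*               LISTEN      4242/ssh
tcp6       0      0 :::2222                 :::*                    LISTEN      5120/sshd: root
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      4300/ssh
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      900/nginx
EOF
)

printf '%s\n' "$SAMPLE_NETSTAT" | ssh_listeners 22
```

On systems where netstat is gone, ss -ltnp gives the same information in a slightly different column layout, so the field numbers above would need adjusting. On the server side, a reverse-forward listener on 0.0.0.0 or :: is exactly what GatewayPorts yes produces.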
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
e.g.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4Gx123axxsxUcsD40da1ff2f3IBf9fefd6Pdsfdns3FsXdfsL4stjsfuks8dda9ZcffjDw.
Please contact your system administrator.
Add correct host key in C:\\Users\\user.xyz/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\user.xyz/.ssh/known_hosts:12
ECDSA host key for molao.kim.sg has changed and you have requested strict checking.
Host key verification failed.
If you get this error, either remove the ~/.ssh/known_hosts file or update it with the commands below. First confirm the new fingerprint with the server's administrator through another channel: the warning exists to flag a possible man-in-the-middle, and a key that changed without a known reason should not be accepted.
Remove or move the old known_hosts if it only has 1 entry
su root
rm ~/.ssh/known_hosts
# or move it aside instead of deleting
mv .ssh/known_hosts .ssh/known_hosts_old
Overwrite and update known_hosts (Linux)
sudo ssh-keygen -f /home/kim/.ssh/known_hosts -R x.x.x.x
Overwrite and update known_hosts (Windows)
ssh-keygen -R x.x.x.x
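Deleting the whole known_hosts file throws away every verified host key, not just the one that changed. The following is an added example, not part of the original notes: a shell function that removes only the entries for the offending host, after copying the file to known_hosts_old as the notes do, and refuses to operate on a hashed known_hosts (HashKnownHosts yes) because host names cannot be matched there; that is the case ssh-keygen -R handles. The function name is my own and the demo file is constructed with placeholder keys.

```sh
#!/bin/sh
# Added example (not from the original notes): drop only the stale entry for
# ONE host from known_hosts instead of deleting the whole file, after saving a
# backup as known_hosts_old (the same name the notes use). A line's first
# field is "host" or "host1,host2" or "[host]:port"; marker lines starting
# with "@" (@cert-authority, @revoked) are kept untouched. With
# HashKnownHosts the field is "|1|salt|hash" and cannot be matched by name,
# so the function refuses and names the ssh-keygen -R command, which does
# understand hashed entries. Prints how many lines were removed.
forget_host_key() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}
    if grep -q '^|1|' "$file"; then
        printf 'hashed entries present; use: ssh-keygen -R %s -f %s\n' "$host" "$file" >&2
        return 2
    fi
    cp -p "$file" "${file}_old" || return 1
    awk -v host="$host" -v out="$file.tmp" '
        BEGIN { printf "" > out }                              # create output even if all lines go
        /^[[:space:]]*(#|$)/ || /^@/ { print > out; next }     # comments, blanks, markers
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)    # "[host]:port" -> "host"
                if (h == host) keep = 0
            }
            if (keep) print > out; else removed++
        }
        END { print removed + 0 }
    ' "$file" && mv "$file.tmp" "$file"
}

# Demo on a constructed known_hosts (keys are placeholder strings, not real keys).
demo() {
    f=$(mktemp)
    printf '%s\n' \
        'molao.kim.sg,10.0.0.5 ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER' \
        '[molao.kim.sg]:2222 ssh-ed25519 AAAAC3NzaPLACEHOLDER' \
        'other.example ssh-ed25519 AAAAC3NzaPLACEHOLDER' > "$f"
    printf 'removed %s line(s); kept:\n' "$(forget_host_key molao.kim.sg "$f")"
    cat "$f"
    rm -f "$f" "${f}_old"
}
demo
```

The next ssh to that host will then prompt for the new key as if it were a first connection, which is the moment to compare the fingerprint it shows with the one the administrator gave you.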