SSH tunneling: forward, reverse and dynamic

Forward (local) tunneling pulls a resource on their side to us: a port on the attacker's machine is forwarded through the SSH session to a port that is reachable from the victim.

Attacker initiates the connection
victim:80 becomes reachable on Attacker:8080

ssh -L 8080:victim:80 kim@victim

Attacker initiates (same method as above); here localhost is resolved on the victim, so the victim's own port 80 lands on Attacker:8080

ssh -L 8080:localhost:80 kim@victim

Attacker initiates (same method as above)
desired_target:3389, reached through victim, becomes available on Attacker:3333

ssh -L 3333:desired_target:3389 kim@victim

Attacker initiates (same method as above); the optional bind address in front of the local port decides which interface the listener is on

# map to localhost only
ssh -L localhost:3333:desired_target:3389 kim@RemoteServer

# map to one IP only
ssh -L 192.168.32.201:3333:desired_target:3389 kim@RemoteServer

# map to all interfaces (escape the * so the shell does not expand it)
ssh -L \*:3333:desired_target:3389 kim@RemoteServer

Example
Map my local port 443 to remote port 3389, i.e. get their 3389 resource on my port 443 (several -L options can be given in one command)

ssh root@RemoteServer \
  -L localhost:443:RemoteServer:3389 \
  -L localhost:444:RemoteServer1:3389 \
  -L 192.168.32.201:445:RemoteServer2:445 \
  -L 192.168.32.201:1433:RemoteServer3:1433

Example with private key
Map local address:X ports to remote address:X ports, authenticating with a key file

ssh -i private-key root@RemoteServer \
  -L localhost:443:RemoteServer:3389 \
  -L localhost:444:RemoteServer1:3389 \
  -L 192.168.32.201:445:RemoteServer2:445 \
  -L 192.168.32.201:1433:RemoteServer3:1433

Reverse (remote) tunneling shares your resources with others: a port on the remote SSH server is forwarded back through the session to a port reachable from your side.

Remote host will listen on 2222 and hand connections to the local resource (localhost:22 or localhost:3389 in the commands below)

ssh -R 2222:localhost:22 root@RemoteServer
ssh -R 2222:localhost:3389 root@RemoteServer

Great when the victim is behind a firewall or NAT: the victim connects out, and RemoteServer can then reach OTHER_HOST:3389 through that session

ssh -R 2222:OTHER_HOST:3389 root@RemoteServer

In order to bind to all interfaces on RemoteServer (only works if GatewayPorts is enabled on the server, see below)

ssh -R \*:8080:localhost:80 -N root@RemoteServer

To enable GatewayPorts you need to add the line below to /etc/ssh/sshd_config on the remote server on the Internet, then restart sshd

sudo nano /etc/ssh/sshd_config
GatewayPorts yes      # add this line at the end of the file
sudo service sshd restart
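Where a -L or -R listener really ends up bound is decided by the bind address in the spec together with the server's GatewayPorts setting (no, yes or clientspecified, as documented in sshd_config(5)). The following Python helper, added here and not part of the original post, applies those rules to the forward specs above so you can check a tunnel's exposure before opening it; the name plan() and the data class are this example's own.

```python
from dataclasses import dataclass

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"", "*", "0.0.0.0", "::"}


@dataclass
class Forward:
    kind: str       # "L" for ssh -L, "R" for ssh -R
    bind: str       # address the listener actually binds to
    port: int       # listening port
    host: str       # destination of accepted connections
    hostport: int
    exposure: str   # "loopback", "interface" or "all"


def split_spec(spec):
    """Split '[bind_address:]port:host:hostport'; IPv6 binds are bracketed."""
    if spec.startswith("["):
        bind, rest = spec[1:].split("]:", 1)
        parts = [bind] + rest.split(":")
    else:
        parts = spec.split(":")
    if len(parts) == 3:            # no bind_address given
        parts = [""] + parts
    if len(parts) != 4:
        raise ValueError(f"bad forward spec: {spec!r}")
    bind, port, host, hostport = parts
    return bind, int(port), host, int(hostport)


def effective_bind(kind, bind, gateway_ports):
    """Apply the ssh(1)/sshd_config(5) rules for the listening address."""
    if kind == "L":
        # Client side: an explicit bind_address is honoured; omitted means
        # loopback (assumes the client's own ssh_config GatewayPorts is 'no').
        return bind or "127.0.0.1"
    # Server side: sshd's GatewayPorts decides, whatever the client asked for.
    if gateway_ports == "no":
        return "127.0.0.1"         # forced to loopback, even for '*'
    if gateway_ports == "yes":
        return "0.0.0.0"           # forced to the wildcard, even with no bind
    return bind or "127.0.0.1"     # clientspecified: the client chooses


def plan(kind, spec, gateway_ports="no"):
    """Describe the listener that 'ssh -<kind> <spec>' would create."""
    bind, port, host, hostport = split_spec(spec)
    addr = effective_bind(kind, bind, gateway_ports)
    exposure = "loopback" if addr in LOOPBACK else "all" if addr in WILDCARD else "interface"
    return Forward(kind, addr, port, host, hostport, exposure)
```

Note the two surprises it makes visible: `-R \*:8080:...` still binds to loopback while the server has GatewayPorts no, and with GatewayPorts yes every reverse tunnel on that server becomes reachable from the network, even ones that never asked for it.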

Keep SSH tunnel open persistently

autossh -f -M 22222 root@RemoteHost -L 192.168.1.X:8080:RemoteHostX:80 -nNT

Flag -f (autossh: go to background)
Flag -M (autossh: monitoring port used to check that the tunnel is alive)
Flag -n (ssh: redirect stdin from /dev/null)
Flag -N (ssh: do not execute a remote command, just forward ports)
Flag -T (ssh: disable pseudo-terminal allocation)
Flag -L (ssh: local forwarding)

**** -nNT flags ****
Example
Only port forwarding, no allocation of an ssh tty

ssh -nNT root@RemoteServer -L 192.168.1.X:8080:RemoteServer:80

SSH tunneling (dynamic): opens a SOCKS proxy on local port 8888 that tunnels any destination through host

ssh -D 8888 kim@host

How to monitor established, listening and tunneling connections

netstat -pnt                 # established TCP connections
netstat -lpnt                # listening TCP sockets
netstat -lpnt | grep ssh     # only the ssh/sshd listeners, i.e. the tunnel endpoints

netstat -l (listening sockets)
netstat -p (show PID and program name)
netstat -n (numerical addresses)
netstat -t (TCP sockets only)

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

e.g.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4Gx123axxsxUcsD40da1ff2f3IBf9fefd6Pdsfdns3FsXdfsL4stjsfuks8dda9ZcffjDw.
Please contact your system administrator.
Add correct host key in C:\Users\user.xyz/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\Users\user.xyz/.ssh/known_hosts:12
ECDSA host key for molao.kim.sg has changed and you have requested strict checking.
Host key verification failed.

If you get this error, first confirm out of band (with the server's administrator) that the host key really was changed, because a silently changed key is exactly what a man-in-the-middle looks like; then either remove the ~/.ssh/known_hosts file or update it with the commands below

Remove or move the old known_hosts if it only has 1 entry (the file belongs to the user who runs ssh, so use su root only when that user is root)

su root
rm ~/.ssh/known_hosts
# or keep a copy instead of deleting it
mv ~/.ssh/known_hosts ~/.ssh/known_hosts_old

Remove only the stale entry for that host from known_hosts (Linux); the new key is recorded again on the next connection. Run it as the user who owns the file: under sudo, ssh-keygen rewrites known_hosts as a root-owned file that the user can no longer update

ssh-keygen -f /home/kim/.ssh/known_hosts -R x.x.x.x

Remove only the stale entry for that host (Windows)

ssh-keygen -R x.x.x.x
