
Understanding SSH Tunneling and Redirection


Introduction

In penetration testing, gaining access to internal network resources often requires advanced techniques to bypass firewalls, NAT devices, and other security measures. SSH tunneling and redirection are powerful methods that allow penetration testers to navigate these obstacles. This article will explain these concepts, their real-world applications, and provide practical examples.

What is SSH Tunneling?

SSH tunneling, also known as SSH port forwarding, carries arbitrary TCP traffic inside an encrypted SSH session. A listening port on one end of the session is connected to a port on the other end, or to a third host that the other end can reach, so the traffic crosses firewalls and network segments that permit only the SSH connection itself. The listener can live on your side (local forwarding, -L) or on the SSH server (remote forwarding, -R).

Scenario

Imagine you are a penetration tester who has gained initial access to a target network through a compromised external server (Target1_IP). Your goal is to reach internal resources (Target2_IP and Target3_IP) and also provide a reverse connection back to your local machine for further exploitation. To achieve this, you will use an advanced SSH command that sets up multiple tunnels and optimizes connections.

The Command

ssh -o ControlMaster=yes -o ControlPath=/tmp/conn.sock -L 22222:Target2_IP:22 -L 8888:Target3_IP:80 -R 443:127.0.0.1:1234 root@Target1_IP

1. ControlMaster and ControlPath Options

-o ControlMaster=yes -o ControlPath=/tmp/conn.sock

  • ControlMaster=yes: Makes this ssh process the master of a multiplexed connection. Later ssh (and scp/sftp) invocations to the same server that name the same ControlPath (for example with -S /tmp/conn.sock or -o ControlPath=/tmp/conn.sock) are carried as extra channels inside this one TCP connection, skipping the TCP handshake, key exchange and authentication. -M is the short form of this option. The master normally lives only as long as this session; add -o ControlPersist=yes (or a timeout such as 10m) if it should keep running in the background after you log out.
  • ControlPath=/tmp/conn.sock: Path of the Unix domain socket through which the extra sessions talk to the master. OpenSSH creates the socket with owner-only permissions, but a fixed name in world-writable /tmp is still a poor choice on a shared host; ~/.ssh/ctl-%C (where %C expands to a hash of local host, remote host, port and user) is the usual pattern.

Benefit: Every additional session or tunnel to Target1_IP costs one channel instead of a new TCP connection and a fresh authentication, and it leaves a single login on Target1_IP rather than a burst of them.
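The article sets ControlMaster as an option on one long-lived ssh command. The following added example (not from the original article) shows the same mechanism driven explicitly with -M/-S and the -O control commands, so tunnels can be added, cancelled and torn down while the master stays up. The target root@Target1_IP is taken from the article; the socket path under ~/.ssh and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original article: drive the multiplexed
# master connection with explicit -M/-S and the -O control commands, so
# tunnels can be added, removed and torn down without re-authenticating.
# TARGET1 and the socket path are assumptions; override them as needed.
TARGET1="${TARGET1:-root@Target1_IP}"
# Prefer a socket under your own home directory to a predictable /tmp path;
# %C expands to a hash of local host, remote host, port and user.
SOCK="${SOCK:-$HOME/.ssh/ctl-%C}"
# DRY_RUN=1 prints each ssh command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Start a detached master (-f) that runs no remote command (-N).
# ExitOnForwardFailure makes ssh fail loudly if a requested port is taken
# instead of silently starting without the tunnel.
master_start() {
  run ssh -M -S "$SOCK" -f -N -o ExitOnForwardFailure=yes "$TARGET1"
}

# Is the master still alive? Exit status is non-zero if not.
master_check() { run ssh -S "$SOCK" -O check "$TARGET1"; }

# Add a tunnel to the running master. $1 is -L or -R; $2 is the spec,
# e.g. forward_add -L 22222:Target2_IP:22
forward_add() { run ssh -S "$SOCK" -O forward "$1" "$2" "$TARGET1"; }

# Remove a tunnel added earlier (same flag and spec).
forward_cancel() { run ssh -S "$SOCK" -O cancel "$1" "$2" "$TARGET1"; }

# Open an extra session over the master: no new TCP or key exchange.
master_shell() { run ssh -S "$SOCK" "$TARGET1" "$@"; }

# Tear the master and every tunnel down.
master_exit() { run ssh -S "$SOCK" -O exit "$TARGET1"; }

# Typical sequence (set DRY_RUN=1 to preview the commands):
#   master_start
#   forward_add -L 22222:Target2_IP:22
#   forward_add -L 8888:Target3_IP:80
#   forward_add -R 443:127.0.0.1:1234
#   master_shell
#   master_exit
```

Source the file and call the functions; with DRY_RUN=1 each function prints the ssh command it would run. Because the master carries the tunnels, a forward added with -O forward disappears when the master exits, which is also the fastest way to clean up every pivot at once.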

2. Local Port Forwarding to Internal Resources

-L 22222:Target2_IP:22 -L 8888:Target3_IP:80
  • -L 22222:Target2_IP:22: ssh listens on 127.0.0.1:22222 on your machine (no bind address is given, so loopback only) and sends every connection through Target1_IP to port 22 on Target2_IP. This allows you to SSH into Target2_IP as if it were local; Target1_IP makes the final hop, so Target2_IP sees the connection coming from Target1_IP.
  • -L 8888:Target3_IP:80: Likewise listens on 127.0.0.1:8888 on your machine and relays to port 80 on Target3_IP via Target1_IP, which lets you reach a web service running on Target3_IP.

Purpose: These local port forwardings enable you to pivot from Target1_IP to internal resources (Target2_IP and Target3_IP) that are otherwise inaccessible directly from your machine. This is crucial for further exploration and exploitation of internal network resources.

Benefit: Allows seamless access to internal network services by routing traffic through an intermediary (compromised) server, bypassing firewalls and network segmentation.

3. Remote Port Forwarding for Reverse Connection

-R 443:127.0.0.1:1234
  • -R 443:127.0.0.1:1234: Asks sshd on Target1_IP to listen on port 443 and to send every connection it receives back through the tunnel to 127.0.0.1:1234 on your machine. Two details matter here: port 443 is a privileged port, so the forward succeeds only because you are logging in as root; and because no bind address is given, sshd binds 127.0.0.1:443 on Target1_IP by default (GatewayPorts no), so only processes on Target1_IP itself can use it.

Purpose: This remote port forwarding is useful for setting up a reverse connection from the compromised server back to your local machine. It can be used for various purposes such as setting up a reverse shell, exfiltrating data, or providing access to a service running locally.

Benefit: Enables the compromised server to connect back to a service running on your local machine, facilitating further exploitation and control. Other machines in the target network can use the same path only if sshd on Target1_IP has GatewayPorts set to yes (or to clientspecified together with a bind address in the spec, such as -R *:443:127.0.0.1:1234), or if you relay the port on Target1_IP yourself. For instance:

  • Reverse Shell: A payload on Target1_IP that connects to 127.0.0.1:443 lands on a listener you run on port 1234, giving you a shell on the compromised server from your local machine.
  • Exfiltrating Data: Push files from the compromised server to a receiver on your machine, inside the SSH encryption rather than in the clear.
  • Access to Local Services: Perfect for when you need the compromised server to use tools or services that are only available on your local machine, such as a custom exploit or a specific application.
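The bind-address and privileged-port rules behind the -L and -R options above are easy to get wrong, and ssh itself only tells you after the session is up. The following added example (not from the original article) parses forwarding specs the way ssh does ([bind_address:]port:host:hostport), fills in the bind address ssh would use, validates the ports and prints the practical consequences, including the GatewayPorts dependency for -R. It assumes hostnames or IPv4 addresses; bracketed IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example, not part of the original article: check -L/-R forwarding
# specs before handing them to ssh. Assumes hostnames or IPv4 addresses;
# bracketed IPv6 literals are not handled.
set -f   # specs may contain '*', which must not be expanded as a glob

# Split "[bind_address:]port:host:hostport" into four space-separated
# fields, filling in the bind address ssh would use: loopback when none is
# given, the wildcard address '*' when it is empty (":443:...").
split_spec() {
  old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
  case $# in
    3) printf '127.0.0.1 %s %s %s\n' "$1" "$2" "$3" ;;
    4) printf '%s %s %s %s\n' "${1:-*}" "$2" "$3" "$4" ;;
    *) printf 'bad spec: expected [bind:]port:host:hostport\n' >&2; return 1 ;;
  esac
}

# Return 0 if $1 is a valid TCP port number, 1 otherwise.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Practical consequences of a -R spec (the listener lives on the SSH server).
remote_forward_notes() {
  fields=$(split_spec "$1") || return 1
  set -- $fields
  valid_port "$2" && valid_port "$4" || { echo "invalid port in spec" >&2; return 1; }
  if [ "$2" -lt 1024 ]; then
    echo "port $2 on the SSH server is privileged: the login user must be root"
  fi
  if [ "$1" = 127.0.0.1 ]; then
    echo "listener binds 127.0.0.1:$2 on the SSH server: only processes on that host can reach it (unless sshd_config has GatewayPorts yes, which forces the wildcard address)"
  else
    echo "listener asks for $1:$2 on the SSH server: honoured only with GatewayPorts clientspecified (yes forces the wildcard address, no forces loopback)"
  fi
  echo "connections are delivered to $3:$4 as seen from the SSH client"
}

# Practical consequences of a -L spec (the listener lives on your machine).
local_forward_notes() {
  fields=$(split_spec "$1") || return 1
  set -- $fields
  valid_port "$2" && valid_port "$4" || { echo "invalid port in spec" >&2; return 1; }
  if [ "$1" = 127.0.0.1 ]; then
    echo "listener binds 127.0.0.1:$2 on your machine: only your own tools can use the pivot"
  else
    echo "listener binds $1:$2 on your machine: anyone who can reach that address can ride your pivot into $3:$4"
  fi
  if [ "$2" -lt 1024 ]; then
    echo "local port $2 is privileged: ssh needs root (or CAP_NET_BIND_SERVICE) to bind it"
  fi
  echo "connections are delivered to $3:$4 as seen from the SSH server"
}

# The three forwards from the article:
#   local_forward_notes 22222:Target2_IP:22
#   local_forward_notes 8888:Target3_IP:80
#   remote_forward_notes 443:127.0.0.1:1234
```

Run the three calls in the trailing comment to see the article's own tunnels described: both -L listeners are loopback-only on your machine, and the -R listener is loopback-only on Target1_IP and requires the root login the article uses.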

What Happens

1. Optimized Connection:

  • A master SSH connection to Target1_IP is established and can be reused for efficiency using:
    -o ControlMaster=yes -o ControlPath=/tmp/conn.sock
    

2. Pivoting:

  • Local port forwarding is set up to access internal resources

    -L 22222:Target2_IP:22 -L 8888:Target3_IP:80
    
  • This enables you to:

    • SSH into Target2_IP via localhost:22222 (the host key you are asked to accept belongs to Target2_IP; ssh records it in known_hosts as [localhost]:22222)
    ssh -p 22222 user@localhost
    
    • Access a web service on Target3_IP via localhost:8888 by opening a web browser and navigating to
    http://localhost:8888
    

3. Reverse Connection:

  • Remote port forwarding is set up for a reverse connection:

    -R 443:127.0.0.1:1234
    

  • A process on Target1_IP can reach your local service on port 1234 by connecting to 127.0.0.1:443. If that local service is an SSH server, for example, run this on Target1_IP:

    ssh -p 443 user@127.0.0.1

  • Other hosts can use Target1_IP:443 only if sshd on Target1_IP binds the forward to a non-loopback address (GatewayPorts yes, or GatewayPorts clientspecified together with a bind address in the -R spec); with the default configuration the listener is loopback-only.


Benefits

  • Efficiency: The master connection reduces the overhead of multiple SSH sessions.
  • Accessibility: Local port forwarding allows you to reach internal network resources that are otherwise inaccessible.
  • Control: Remote port forwarding allows you to establish a connection from the target network to your local machine, enabling you to pull data or send commands, thus enhancing control over the compromised environment. This is particularly useful when specific tools or services required for further penetration testing are only available on your local machine.

Conclusion

This SSH command demonstrates the power and flexibility of SSH tunneling and redirection in penetration testing. By understanding and using these techniques, penetration testers can efficiently navigate through complex network environments, access restricted internal resources, and maintain control over compromised networks.

Quiz

If you care to quiz yourself, feel free to grab this code. It's just a simple python script that will ask you multiple choice questions to demonstrate a practical understanding on this topic.

SSH Tunneling Quiz