Privilege Escalation: SSH Tunneling

SSH Tunneling:

SSH Tunneling is a complicated but useful skill for a Red Teamer. It can be split into 3 types of tunneling: Reverse SSH Tunnel, Remote Port Forward SSH Tunnel and Dynamic SSH Tunnel.

Reverse SSH Tunneling is the ability to connect to a remote host and make a link between a port of our choice on the remote host and a local port on the attacking machine.

For example, if the target machine has an internal web server that sits on port 5600 and can only be accessed internally, and we want to run a known exploit against that port, we would normally have to push the exploit up to the host and run it from there. With Reverse SSH Tunneling we can make a connection to that internal-only port and bind it to a port on our local attacking machine.

The command to perform a Reverse SSH Tunnel is below.
Victim IP: 192.168.1.22
Victim internal Port: 5600
Attacker Port to map: 4444

ssh -L 4444:192.168.1.22:5600 root@192.168.1.22

After executing this command, if we open a web browser to http://localhost:4444/ we will see that the internal port on the victim machine is now locally available to us!


The Remote Port Forward SSH Tunnel allows the attacker to make the connection in the standard direction. Let's say we want to make port 80 on our local attacking machine available to anyone who connects to the victim machine on port 4444. This is the tunnel we would use to do that.

The command to perform a Remote Port Forward SSH Tunnel is below.
Victim IP: 192.168.1.22
Victim Remote Forward Port: 4444
Attacker Forwarded Port: 80

ssh -R 4444:localhost:80 root@192.168.1.22

Now if we go to the victim machine and curl its localhost on port 4444 we will see the contents of our attacking machine's port 80 web server.
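Both the Reverse (-L) and the Remote Port Forward (-R) tunnel above come down to the same thing: a listener on one side, and every accepted connection copied byte for byte to host:port on the other side. The only difference is which machine runs the listener (the attacker's ssh client for -L, the victim's sshd for -R). The following is an added example, not code from the original post or from OpenSSH: a plain TCP relay written in Python that parses the same [bind_address:]port:host:hostport spec ssh uses and then relays connections, plus a constructed loopback echo service standing in for the "internal only" port 5600 so the whole picture can be run on one machine. SSH's encryption and authentication are deliberately left out; this only shows the forwarding semantics.

```python
"""Added example: a TCP relay with the semantics of ssh -L / -R (no SSH crypto).
Everything runs on 127.0.0.1; the echo service is a constructed stand-in for the
victim's internal-only web server from the post."""
import socket
import threading


def parse_forward_spec(spec: str):
    """Parse an ssh forward spec [bind_address:]port:host:hostport.
    ssh binds to loopback when no bind_address is given, so we do the same.
    "4444:192.168.1.22:5600" -> ("127.0.0.1", 4444, "192.168.1.22", 5600)"""
    parts = spec.split(":")
    if len(parts) == 3:
        bind_addr, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind_addr, port, host, hostport = parts
    else:
        raise ValueError(f"bad forward spec: {spec!r}")
    port, hostport = int(port), int(hostport)
    for p in (port, hostport):
        if not 0 < p < 65536:
            raise ValueError(f"port out of range in {spec!r}")
    return bind_addr, port, host, hostport


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then close dst's write side so
    the far end sees the EOF too (this is what makes HTTP-style exchanges finish)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, host, hostport):
    """Open the upstream connection for one accepted client and pump both ways."""
    try:
        upstream = socket.create_connection((host, hostport), timeout=5)
    except OSError:
        client.close()  # upstream unreachable: drop the client, like ssh does
        return
    upstream.settimeout(None)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def start_forwarder(bind_addr, port, host, hostport):
    """Listen on bind_addr:port and relay each connection to host:hostport.
    Returns (listen_socket, actual_port); port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_handle, args=(conn, host, hostport), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the internal-only service (port 5600 in the post)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(payload: bytes) -> bytes:
    """Echo service behind the relay; the client only knows the relay's port.
    Returns what the client got back (the echoed payload if the relay works)."""
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while data := c.recv(4096):
                chunks.append(data)
            return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(parse_forward_spec("4444:192.168.1.22:5600"))
    print(round_trip(b"GET / HTTP/1.0\r\n\r\n"))
```

The same relay, started on the victim with the spec 4444:localhost:80, is the -R picture from the post: the listener lives on the victim and the copied bytes go to the attacker's port 80. On the defending side, the sshd_config option AllowTcpForwarding (and PermitOpen for -L targets) is what decides whether sshd will play either role at all.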


The final type of SSH Tunnel is the Dynamic SSH Tunnel. This is used when we simply want traffic to pass through the remote host directly. For example, if we want to perform nmap scans or attack another machine via a dual-homed host, we could use this if we had valid SSH credentials on a compromised machine. If we don't, we can always make an account! This type of tunnel creates a SOCKS proxy.

The command to perform a Dynamic SSH Tunnel is below.
Victim IP: 192.168.1.22
Attacker Port to use: 4444

ssh -D 4444 root@192.168.1.22


After starting this tunnel we can use nmap with its proxy option to port scan another network.
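What actually crosses the -D 4444 listener is the SOCKS5 protocol: a tool such as nmap or proxychains sends a greeting, the proxy picks an auth method (ssh -D offers only "no authentication"), the tool sends a CONNECT request naming the real destination, and the proxy answers with a reply code before the raw stream begins. The block below is an added example, not code from the original post or from OpenSSH: it encodes and decodes those SOCKS5 messages (RFC 1928) for IPv4, domain-name and IPv6 destinations, which goes slightly beyond the single IPv4 case in the post. The 192.168.1.22:5600 values are the post's; the hostname intranet.local is a constructed sample.

```python
"""Added example: SOCKS5 greeting / CONNECT / reply codec, i.e. the exchange a
client has through an `ssh -D` listener. Pure byte handling, no network I/O."""
import ipaddress
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6; code 2 is what a ruleset-restricted proxy returns.
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def build_greeting() -> bytes:
    """Client -> proxy: VER=5, NMETHODS=1, METHODS=[no auth]."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """Proxy -> client: VER, chosen METHOD. 0xFF means the proxy rejected us."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("bad method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ValueError("proxy accepted none of our auth methods")
    return data[1]


def encode_address(host: str, port: int) -> bytes:
    """ATYP + address + 2-byte big-endian port. Literal IPs get ATYP 1/4,
    anything else is sent as a domain name (ATYP 3) for the proxy to resolve."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def decode_address(data: bytes, offset: int):
    """Inverse of encode_address; returns (host, port, offset_after)."""
    atyp = data[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[offset:offset + 4]))
        offset += 4
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[offset:offset + 16]))
        offset += 16
    elif atyp == ATYP_DOMAIN:
        n = data[offset]
        offset += 1
        host = data[offset:offset + n].decode("idna")
        offset += n
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack_from("!H", data, offset)
    return host, port, offset + 2


def build_connect_request(host: str, port: int) -> bytes:
    """Client -> proxy: VER, CMD=CONNECT, RSV=0, then the destination."""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host, port)


def parse_connect_request(data: bytes):
    """Proxy side: extract the destination a client is asking to reach.
    Only CONNECT is handled; BIND and UDP ASSOCIATE are rejected."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {data[1]}")
    host, port, end = decode_address(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes after request")
    return host, port


def parse_reply(data: bytes):
    """Proxy -> client: VER, REP, RSV, then the bound address. Returns
    (code, text, bound_host, bound_port); anything but code 0 means no tunnel."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    host, port, _ = decode_address(data, 3)
    return rep, REPLY_TEXT.get(rep, "unknown reply code"), host, port


if __name__ == "__main__":
    req = build_connect_request("192.168.1.22", 5600)
    print(req.hex(), "->", parse_connect_request(req))
```

Two points worth noticing from the bytes themselves: there is no authentication step, so whoever can reach the -D port can use the tunnel (ssh binds it to loopback by default for that reason), and the CONNECT request carries the real destination in the clear on the attacker's side of the SSH session, which is also the record an sshd with AllowTcpForwarding disabled never has to honour.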