Through SSH All Things Are Possible
Posted on August 19th, 2015
Being able to route traffic through another system can prove very useful in many situations. This blog post will demonstrate how to leverage SSH tunnels to send traffic through an SSH session. Three common use cases for SSH tunnels are:
- Sending your scanner traffic through an SSH tunnel
- Connecting to another service via an SSH tunnel
- Sending your browser traffic through an SSH tunnel
Sending your scanner traffic through an SSH tunnel
Proxychains combined with an SSH tunnel can be used to funnel traffic from server1 -> server2 and finally at your target. This can be used to leverage tools in a local Kali VM and have it bounce through a proxy server, eventually landing at the target system.
1. Create the SSH proxy tunnel:
[command] ssh -D 0.0.0.0:2000 -N -f user@server
- (-D option starts the SOCKS proxy listener)
- (0.0.0.0:2000 – localhost and start the listener on port 2000)
- (-N option does not execute a remote command – Good for just setting up a tunnel)
- (-f option sends SSH to the background)
- (user@server – remote server to create the SSH tunnel)
2. Edit the proxychains configuration file to use your SSH tunnel:
[command] sudo vi /etc/proxychains.conf
3. Add the following contents at the end of the file to configure proxychains to use the SSH tunnel:
 Enable Quiet Mode (Recommended): Uncomment (#quiet_mode) -> (quiet_mode)
 socks4 127.0.0.1 2000
4. Now you can start your command using proxychains (Example: proxychains
[command] proxychains nmap -sV -Pn -n -iL targets.txt -oA results
The example above will send all the nmap traffic through the SSH tunnel and then to the targets in the “targets.txt” file.
Connecting to another service via the SSH tunnel (VNC, RDP, etc.)
- Follow the steps described above to create an SSH tunnel.
- Invoke the remote service using proxychains. Below is an example of connecting to the RDP service of the another system through the SSH tunnel.
Sending your browser traffic through an SSH tunnel
- Follow the steps described above to create an SSH tunnel
- Configure your browser to use the SSH tunnel:
In Firefox go to Preferences > Advanced > Network > Settings and configure the SOCKS proxy to point to your SSH tunnel.