What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2013-02-13

Using SSH tunnels to proxy connections

Introduction:

Basic:
  • The PermitTunnel option should be uncommented and set to "yes" in the SSH server configuration (/etc/ssh/sshd_config).
  1. [Comment] Launch ssh to the server with the -D flag
  2. sp@simple-plan:ssh user@hacked_server -p hacked_server_port -D application_port
  3. [Example]
    sp@simple-plan:ssh sp@www.example.com -p 22 -D 8080
  4. [Comment] Check that your ssh client is listening on the port you specified
  5. sp@simple-plan:sudo netstat -tulnp | grep application_port
  6. [Example]
    sp@simple-plan:sudo netstat -tulnp | grep 8080
    tcp        0        0    127.0.0.1:8080        0.0.0.0:*        LISTEN        4046/ssh
    tcp        0        0    ::1:8080              ::::*            LISTEN        4046/ssh
  7. [Comment] You can now configure applications (e.g., Firefox) that support SOCKS4/5 proxies to use your workstation (localhost or 127.0.0.1) and TCP port 8080 for connections. The hacked server will effectively be a SOCKS proxy accessible to your local system.
  8. [Example] Firefox settings
  9. [Comment] You may visit the site "www.whatismyip.com" to verify that the IP address shown is now the server's rather than your own.

Advanced:
  1. [Comment] You can be more specific with SSH tunneling by forwarding connections made to a particular local port to a specific IP and port combination.
  2. sp@simple-plan:ssh user@hacked_server -p hacked_server_port
    -L application_port:target_server:target_server_port
  3. [Example]
    sp@simple-plan:ssh sp@www.example.com -p 22 -L 8080:www.target.com:80
  4. [Comment] Now you can make connections to your localhost on TCP port 8080 and they will be proxied through your SSH server to the IP address of www.target.com on TCP port 80 (the outgoing connection to the target is made from the SSH server, not from your workstation).

Options:
  1. [Comment] You can add more options on the command line to use SSH tunneling more effectively.
  2. -f : Requests ssh to go to background just before command execution.
  3. -n : Redirects stdin from /dev/null (actually, prevents reading from stdin).  This must be used when ssh is run in the background.
  4. -N : Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).
  5. -C : Requests compression of all data.
  6. -q : Quiet mode.  Causes most warning and diagnostic messages to be suppressed.
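The server side of step 1 above, as an added audit script that is not part of the original post: it reads an sshd_config the way sshd does (case-insensitive keywords, "Key value" or "Key=value" syntax, first occurrence wins, anything after a Match line is conditional) and reports which of the client flags discussed here the server would honour. Per the OpenSSH manual, AllowTcpForwarding (default yes) is the keyword that governs -L and -D forwarding, while PermitTunnel (default no) only governs -w tun/tap tunnels; the sample config is constructed.

```python
import re

# sshd defaults for the keywords that decide which tunnels a server permits.
# AllowTcpForwarding governs -L/-D/-R; PermitTunnel governs only -w tun/tap.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "gatewayports": "no",
}

def parse_sshd_config(text):
    """Return (effective, conditional) values for the tracked keywords.

    Follows sshd's rules: keywords are case-insensitive, 'Key value' or
    'Key=value' syntax, the FIRST occurrence of a keyword wins, and settings
    after a 'Match' line apply only to matching sessions (listed separately).
    """
    effective = dict(DEFAULTS)
    seen = set()
    conditional = []
    in_match = False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        m = re.match(r"([A-Za-z]+)\s*(?:=|\s)\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            in_match = True
        elif key not in DEFAULTS:
            continue
        elif in_match:
            conditional.append((key, value))
        elif key not in seen:
            seen.add(key)
            effective[key] = value
    return effective, conditional

def tunnel_exposure(text):
    """List which client-side tunnel flags this server config would honour."""
    eff, _ = parse_sshd_config(text)
    findings = []
    if eff["allowtcpforwarding"] in ("yes", "local"):
        findings.append("-L/-D forwarding permitted")
    if eff["allowtcpforwarding"] in ("yes", "remote"):
        findings.append("-R forwarding permitted")
    if eff["permittunnel"] != "no":
        findings.append("-w tun/tap tunnel permitted")
    if eff["gatewayports"] != "no":
        findings.append("-R listeners may bind to all interfaces")
    return findings

# Constructed sample: the post's advice applied, forwarding left at its default,
# and a Match block that only restricts one user.
SAMPLE = "Port 22\n#PermitTunnel no\nPermitTunnel yes\nMatch User backup\n    AllowTcpForwarding no\n"
```

Running `tunnel_exposure(SAMPLE)` shows that -D and -L remain available because AllowTcpForwarding was never set globally; setting it to "no" (first occurrence) before any Match block is the change that actually disables the tunnels described in this post.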
