- When you have hacked a server, or have a legitimate server that only exposes an SSH service, and you want to proxy your connections through that SSH session, SSH port forwarding (tunneling) is a good way to do it.
- Reference: https://calomel.org/firefox_ssh_proxy.html
- Reference: http://www.symantec.com/connect/articles/ssh-port-forwarding
- Reference: http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033
- The PermitTunnel option should be uncommented and set to yes (PermitTunnel yes) in the SSH server configuration (/etc/ssh/sshd_config).
- [Comment] Launch ssh to the server with -D flag
- sp@simple-plan:~ ssh user@hacked_server -p hacked_server_port -D application_port
sp@simple-plan:~ ssh email@example.com -p 22 -D 8080
- [Comment] Check your ssh client listening on the port specified
- sp@simple-plan:~ sudo netstat -tulnp | grep application_port
sp@simple-plan:~ sudo netstat -tulnp | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 4046/ssh
tcp 0 0 ::1:8080 ::::* LISTEN 4046/ssh
- [Comment] You can now configure applications (e.g., Firefox) that support SOCKS4/5 proxies to use your workstation (localhost or 127.0.0.1) and TCP port 8080 for connections. The hacked server will effectively be a SOCKS proxy accessible to your local system.
- [Example] Firefox settings
- [Comment] You may visit the site "www.whatismyip.com" to verify the IP address your connections now appear to come from.
- [Comment] You can be more specific with SSH tunneling by forwarding connections to a certain local port to a specific IP and port combination.
- sp@simple-plan:~ ssh user@hacked_server -p hacked_server_port -L local_port:target_host:target_port
sp@simple-plan:~ ssh firstname.lastname@example.org -p 22 -L 8080:www.target.com:80
- [Comment] Now you can make connections to your localhost on TCP port 8080 and they will be proxied through your SSH server to the IP address for www.target.com on TCP port 80.
- [Comment] You can add more options on the command line to use SSH tunneling more effectively.
- -f : Requests ssh to go to background just before command execution.
- -n : Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background.
- -N : Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
- -C : Requests compression of all data.
- -q : Quiet mode. Causes most warning and diagnostic messages to be suppressed.
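- As an added example (not from the book or the page's author), the Python script below performs the SOCKS5 handshake (RFC 1928) that Firefox performs against the ssh -D listener, so you can check from a script that the dynamic forward works and that the destination name is handed to the SSH server for resolution rather than resolved locally. The proxy address 127.0.0.1:8080 and the destination www.target.com:80 are assumptions taken from the commands above.

```python
import socket
import struct

SOCKS_VERSION, METHOD_NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01  # RFC 1928 values
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def socks5_greeting():
    # VER=5, NMETHODS=1, METHODS=[no authentication]: the only method ssh -D offers
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])

def socks5_connect_request(host, port):
    # ATYP=domain: the SSH server resolves the name, so nothing leaks to local DNS
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_socks5_reply(data):
    # Returns (reply_code, bound_address, bound_port); reply_code 0 means success
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return rep, addr, struct.unpack("!H", rest[:2])[0]

def connect_via_dynamic_forward(host, port, proxy=("127.0.0.1", 8080), timeout=10.0):
    # Live check (not run offline): connect to host:port through the ssh -D listener
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(socks5_greeting())
    ver, method = sock.recv(2)
    if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
        sock.close()
        raise ConnectionError("proxy rejected the no-authentication method")
    sock.sendall(socks5_connect_request(host, port))
    rep, _, _ = parse_socks5_reply(sock.recv(262))
    if rep != 0x00:
        sock.close()
        raise ConnectionError("SOCKS5 CONNECT failed with reply %#x" % rep)
    return sock
```

The -D and -L forwards on this page are governed by the server's AllowTcpForwarding setting, while PermitTunnel controls tun(4) device forwarding. Firefox only benefits from remote name resolution if remote DNS is enabled in its SOCKS settings; otherwise it resolves the name locally and sends an IPv4 address.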