ssh tunneling

What is SSH tunneling?

SSH tunneling (also referred to as SSH port forwarding) is simply routing local network traffic through SSH to remote hosts. This means every forwarded connection is protected by the SSH session's encryption. It provides an easy way of setting up a basic VPN (Virtual Private Network), useful for connecting to private networks over insecure public networks like the Internet.

It may also be used to expose local servers behind NATs and firewalls to the Internet over secure tunnels, as ngrok does.

SSH sessions permit tunneling network connections by default and there are three types of SSH port forwarding: local, remote and dynamic port forwarding.

How to use SSH tunneling

Remote port forwarding allows you to connect from your remote machine to the local computer. By default, sshd does not let remote port forwards be reached from other hosts: the forwarded port is bound to the loopback address of the SSH server only. You can change this with the GatewayPorts directive in your sshd main configuration file /etc/ssh/sshd_config on the remote host (the SSH server).

Open the file for editing using your favorite command line editor.

$ sudo vi /etc/ssh/sshd_config 

Look for the directive, uncomment it and set its value to yes, as shown below.

GatewayPorts yes

Save the changes and exit. Next, restart sshd to apply the change.

$ sudo systemctl restart sshd
OR
$ sudo service sshd restart 
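Two things bite people here: sshd uses the first value it finds for a keyword (so uncommenting a "GatewayPorts yes" further down the file does nothing if a "GatewayPorts no" sits above it), and the shipped line is usually a commented-out default. The script below is an added example, not part of these notes: it reads an sshd_config file the way sshd does and reports the effective GatewayPorts value. The sample config files are constructed inline so it runs stand-alone.

```sh
#!/bin/sh
# Added example (not from the original notes): report the effective
# GatewayPorts value of an sshd_config file the way sshd reads it.
# sshd takes the FIRST value it finds for each keyword (sshd_config(5)),
# so a later "GatewayPorts yes" does not override an earlier "GatewayPorts no".

# effective_gatewayports FILE -> prints no | yes | clientspecified
effective_gatewayports() {
    val=$(awk '
        /^[ \t]*(#|$)/ { next }                         # blank lines and comments
        tolower($1) == "match" { exit }                 # Match blocks are conditional; stop there
        tolower($1) == "gatewayports" { print tolower($2); exit }
    ' "$1")
    # the directive defaults to "no" when absent
    printf '%s\n' "${val:-no}"
}

# listens_on_all FILE -> exit 0 if remote forwards may bind non-loopback addresses
listens_on_all() {
    case "$(effective_gatewayports "$1")" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs for a stand-alone run
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# commented default, as shipped
#GatewayPorts no
PermitRootLogin no
EOF
cat > "$tmp/enabled.conf" <<'EOF'
GatewayPorts yes
EOF
cat > "$tmp/shadowed.conf" <<'EOF'
GatewayPorts no
# uncommented at the bottom of the file; sshd ignores it
GatewayPorts yes
EOF

for f in default enabled shadowed; do
    printf '%-9s GatewayPorts=%s\n' "$f" "$(effective_gatewayports "$tmp/$f.conf")"
done
```

On the server itself the authoritative check after a restart is `sudo sshd -T | grep -i gatewayports`, which also accounts for Include files and Match blocks that this parser stops at.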

Doing the real work

Let's say, for example, we have two machines:

Machine A: native machine (macOS)
Machine B: virtual machine (Kali Linux, running the ssh service)

Local port forwarding

Local port forwarding allows you to forward traffic arriving on a port of your local computer (A) through the SSH server (B) to a destination server (any host that B can reach, including B itself).

In short: service on the VM --> native PC, accessed on the native PC.

Your local computer will hold the content of a specific service of your SSH server, bound to a port of your choice (public services reachable from the SSH server are possible too). For example, a web server on sshServer:80 can be forwarded to any port (1-65535) on the current computer.

# syntax
# DESTHOST is resolved and connected FROM the ssh server, so 127.0.0.1 here means the ssh server itself
ssh -L <CURRENTHOSTPORT(1-65535)>:<DESTHOST>:<DESTPORT> <SSHUSER@REMOTEHOST>

##### step 1 - Machine B (VM)
# set up a service, in this case I will start a simple webserver on port 100 :
root@Corrosie:~/Documents/hacking/assets/tools/recon/autoRecon/results/10.10.10.14/scans# python3 -m http.server 100
Serving HTTP on 0.0.0.0 port 100 (http://0.0.0.0:100/) ...

##### step 2 - Machine A (Native) 
# any request received on the native machine, port 3000, will be redirected to the ssh server, port 100,
# which is running a webserver. By default ssh binds port 3000 to 127.0.0.1 only; to accept requests
# from other hosts, prefix a bind address (-L 0.0.0.0:3000:127.0.0.1:100) or add -g
ssh -L 3000:127.0.0.1:100 predator@192.168.0.132 # this method will also open a shell on the ssh server
ssh -f -N predator@192.168.0.132 -L 3000:127.0.0.1:100 # this method will not open a shell - quiet, stays in the background

##### examples
# forward the content of demo.testfire.net:80 to localhost:5000 
ssh -L 5000:demo.testfire.net:80 predator@192.168.0.132
# forward the content of demo.testfire.net:80 to localhost:5000 (quiet)
ssh -f -N predator@192.168.0.132 -L 5000:demo.testfire.net:80

##### LOCAL FORWARDING :
#-#-# ! content of your SSH SERVER will be forwarded to your LOCALHOST (content vm --> native pc) ! #-#-#
# note : the destination is connected from the ssh server, so 127.0.0.1 or localhost means the ssh server itself.
# a service that is bound to loopback on the ssh server is not reachable through its private IP (like 192.168.0.5),
# so use 127.0.0.1 for local services and a routable address only for services that listen on it.
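The quiet "-f -N" form above leaves an ssh process in the background with nothing to hold on to; when the forward is no longer needed you end up hunting for it with ps. The script below is an added example, not part of these notes: it starts the forward through an SSH control socket so the tunnel can be checked and shut down by name. It works the same for the -R forwards in the next section. SSH_BIN is an assumption of this script (it defaults to the real ssh) so the command construction can be exercised without a server.

```sh
#!/bin/sh
# Added example (not from the original notes): manage a background "-f -N"
# port forward through an ssh control socket so it can be checked and torn
# down cleanly. Works for -L and -R specs alike.
# SSH_BIN is an assumption of this script; it defaults to the real ssh client.
SSH_BIN=${SSH_BIN:-ssh}

# tunnel_socket USER@HOST -> path of the control socket for that target,
# kept in a directory only this user can read (the socket grants session access)
tunnel_socket() {
    dir=${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/ssh-tunnels
    mkdir -p "$dir" && chmod 700 "$dir"
    printf '%s/%s.sock\n' "$dir" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '_')"
}

# tunnel_up FLAG SPEC USER@HOST -> starts the forward, returns ssh's exit status
#   e.g. tunnel_up -L 3000:127.0.0.1:100 predator@192.168.0.132
#        tunnel_up -R 5000:127.0.0.1:80  predator@192.168.0.132
tunnel_up() {
    flag=$1 spec=$2 target=$3
    sock=$(tunnel_socket "$target")
    # -M -S: be the control master on our socket; -f -N: background, no shell;
    # ExitOnForwardFailure: fail loudly instead of silently running without the forward
    "$SSH_BIN" -M -S "$sock" -f -N -o ExitOnForwardFailure=yes "$flag" "$spec" "$target"
}

# tunnel_check USER@HOST -> exit 0 if the master (and thus the forward) is alive
tunnel_check() { "$SSH_BIN" -S "$(tunnel_socket "$1")" -O check "$1"; }

# tunnel_down USER@HOST -> asks the master to exit, which closes every forward it carries
tunnel_down() { "$SSH_BIN" -S "$(tunnel_socket "$1")" -O exit "$1"; }
```

With the real client this is `tunnel_up -L 3000:127.0.0.1:100 predator@192.168.0.132`, then `tunnel_check predator@192.168.0.132` to confirm it is still up and `tunnel_down predator@192.168.0.132` when done.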

Remote port forwarding

Remote port forwarding is the exact opposite of local port forwarding. It forwards traffic arriving on a port of the SSH server (B) back to your local computer (A), which then sends it on to a destination (any host that A can reach, including A itself).

In short: service on the native PC --> VM, accessed on the VM.

Your SSH server will hold the content of a specific service of your local computer (public services reachable from your local computer are possible too), bound to a port of your choice. For example, a web server on currentComputer:80 can be forwarded to any port (1-65535) on the SSH server.

##### step 1 - Machine A (Native)
# set up a service, in this case I will start a simple webserver on port 80 :
MacBook-Pro-van-Michel:~ michel$ sudo apachectl start
Password:
/System/Library/LaunchDaemons/org.apache.httpd.plist: service already loaded

##### step 2 - Machine A (Native) 
# every request that is made to sshserver:5000 will hold the content of nativeMachine:80, which is running
# a webserver in this case
ssh -R 5000:127.0.0.1:80 predator@192.168.0.132 # this method will also open a shell on the ssh server
ssh -f -N predator@192.168.0.132 -R 5000:127.0.0.1:80 # this method will not open a shell - quiet, stays in the background

# syntax
# DESTHOST is resolved and connected FROM your local computer, so 127.0.0.1 here means the native machine
ssh -R <SSHSERVERPORT(1-65535)>:<DESTHOST>:<DESTPORT> <SSHUSER@REMOTEHOST>
# note : without GatewayPorts yes on the ssh server, port 5000 there listens on 127.0.0.1 only
# and is reachable only from the ssh server itself

##### examples #####

# forward the content of demo.testfire.net:80 to 192.168.0.132:5000, access on 192.168.0.132:5000 (from other hosts only with GatewayPorts yes)
ssh -R 5000:demo.testfire.net:80 predator@192.168.0.132
# forward the content of demo.testfire.net:80 to 192.168.0.132:5000 (quiet)
ssh -f -N predator@192.168.0.132 -R 5000:demo.testfire.net:80

##### REMOTE FORWARDING : 
#-#-# ! Content of the NATIVE PC will be forwarded to your SSH SERVER (content native pc --> ssh server) ! #-#-#
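Whichever direction you forward, the thing to verify afterwards is which address the forwarded port actually listens on: 127.0.0.1 is the safe default, 0.0.0.0 or * means every host that can reach the machine can use the tunnel. The script below is an added example, not part of these notes: it scans Linux "ss -ltnp" output for listeners owned by the ssh client (or sshd, for remote forwards on the server side) that are bound beyond loopback. The sample output is constructed inline so it runs stand-alone.

```sh
#!/bin/sh
# Added example (not from the original notes): list forwarded ports that ssh
# has bound beyond loopback. Feed it real "ss -ltnp" output (Linux); the
# sample below is constructed. On the ssh server the remote-forward listeners
# belong to sshd, so call it as: exposed_listeners sshd

# exposed_listeners [PROC] < ss-output -> one "pid addr:port" line per exposed listener
exposed_listeners() {
    awk -v proc="${1:-ssh}" '
        $1 != "LISTEN" { next }                      # skips the header and non-listening sockets
        index($6, "(\"" proc "\",") == 0 { next }    # only sockets owned by the wanted process
        {
            addr = $4; sub(/:[^:]*$/, "", addr)      # strip the port, keep 127.0.0.1 / [::1] / 0.0.0.0 / *
            pid = $6; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback binds are the safe default
            print pid, $4
        }'
}

# constructed sample, shaped like "ss -ltnp" on the native machine: one forward
# bound to loopback (3000) and one bound to all addresses (5000)
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3000      0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    [::1]:3000          [::]:*            users:(("ssh",pid=4242,fd=6))
LISTEN 0      128    0.0.0.0:5000        0.0.0.0:*         users:(("ssh",pid=4243,fd=5))
LISTEN 0      128    *:22                *:*               users:(("sshd",pid=900,fd=3))
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=5000,fd=3))'

printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live machine run it as `ss -ltnp | exposed_listeners` (needs root or the process owner to see the Process column); on macOS use `lsof -nP -iTCP -sTCP:LISTEN -a -c ssh` instead, which has a different column layout.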
