SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa.

IT professionals use it to open backdoors into the internal network from their home machines. If a port is blocked by a firewall, you can use SSH to tunnel the traffic and bypass the filter. You can also use it as a form of proxy/VPN to get around restrictive, firewalled networks.

There are two types of SSH forwarding:

  • Remote Forwarding

GatewayPorts needs to be set to yes (in the server's sshd_config)

  • Local Forwarding

AllowTcpForwarding needs to be set to yes (in the server's sshd_config)

In this example we will access HTTP using SSH port forwarding

  • Original request to http://192.168.0.7

Local Port forwarding

Local port forwarding allows you to forward traffic from a port on your local computer to the SSH server, which then forwards it to a destination service.

How to

Log in using SSH from your local machine to the remote server

  • Forward any request made to local port 9999 to port 80 on the remote server

192.168.0.7 = remote server

-L = Option for local forwarding

9999:192.168.0.7:80 = New port to use:address of the remote machine:app original port

  • ssh -L 9999:192.168.0.7:80 msfadmin@192.168.0.7

Log in to SSH as normal, then browse the site using the local IP address and the new port 9999

  • http://127.0.0.1:9999

Analyzing the traffic

1. Looking at Wireshark we can see packets sent to

We can see traffic from 127.0.0.1:58668 to 127.0.0.1:9999

2. Looking at TCPdump on the target machine

  • sudo tcpdump -i eth0 port 22

The same traffic I captured in Wireshark was also captured on the remote host, this time as 192.168.0.10:54448 to 192.168.0.7:22. This means that the HTTP traffic was sent through SSH and received by the remote server via SSH.

3. Looking at the active communication on both ends we can see the SSH

  • ss -ant

Remote Server

Our host

On both ends we can see the connection between 192.168.0.10:54448 & 192.168.0.7:22

This also works with multiple ports in a single command

  • ssh -L 9999:192.168.0.7:80 -L 4000:192.168.0.7:445 user@192.168.0.7

Remote Port forwarding

Remote port forwarding is the opposite. The same connection still needs to be made (Local host -> Remote host)

  • ssh -R 7777:192.168.0.10:80 msfadmin@192.168.0.7

-R = Option for remote forwarding

Any request made to port 7777 on the remote server is picked up by SSH and forwarded to port 80 on 192.168.0.10

How to

1. We have started a web service on our local host

  • service apache2 start
  • service apache2 status

With the web service up and the SSH connection established, on the remote server we'll try to connect to the site using port 7777 instead of 80

Remote machine

  • wget http://127.0.0.1:7777

Analyzing the traffic

On the local machine we captured the request

Wireshark

This time Wireshark sees traffic from 192.168.0.10:47536 to 192.168.0.10:80.

TCPdump

We see traffic from 192.168.0.7:22 to vk9.sec:54504 (vk9.sec resolves to 192.168.0.10)

Looking at the established connections on our local host, we see the following (192.168.0.10:54504 to 192.168.0.7:22)

  • ss -ant

Remote server
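
One way a defender can spot the forwards described above on either host, as an added example that is not part of the original article: the function reads `ss -ltnp` output and reports listeners owned by ssh or sshd other than the daemon's own port. The function names, the sample listing and its PIDs are constructed, and the process name `sshd-session` for newer OpenSSH releases is an assumption about the host being checked.

```shell
#!/bin/sh
# Added example: list listening sockets created by SSH port forwarding.
# Reads `ss -ltnp` output on stdin; $1 is the port sshd itself listens on
# (assumed 22, as in the article).
find_ssh_forwards() {
    awk -v sshd_port="${1:-22}" '
    $1 == "LISTEN" && match($0, /users:\(\("(ssh|sshd|sshd-session)"/) {
        name = substr($0, RSTART + 9, RLENGTH - 10)   # process name without quotes
        port = $4; sub(/.*:/, "", port)               # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)           # text before the last colon
        if (name != "ssh" && port == sshd_port) next  # the daemon listener, not a forward
        # The ssh client listens for -L forwards, the sshd side for -R forwards.
        kind = (name == "ssh") ? "local" : "remote"
        # A wildcard bind on the server side is what GatewayPorts yes produces.
        scope = (host ~ /^127\./ || host == "[::1]") ? "loopback-only" : "network-exposed"
        print kind, port, host, scope
    }'
}

# Constructed sample: client and server listeners combined in one listing.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128          0.0.0.0:7777      0.0.0.0:*     users:(("sshd",pid=2210,fd=9))
LISTEN 0      128        127.0.0.1:9999      0.0.0.0:*     users:(("ssh",pid=3301,fd=5))
LISTEN 0      128        127.0.0.1:4000      0.0.0.0:*     users:(("ssh",pid=3301,fd=7))
LISTEN 0      511                *:80              *:*     users:(("apache2",pid=900,fd=4))
EOF
}

sample_ss_output | find_ssh_forwards
```

On a live host, run `ss -ltnp` as root and pipe it into `find_ssh_forwards`; without root the process column is empty for other users' sockets and nothing is matched.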