Most people have heard of VPNs as a method of
masking one’s traffic, espically with NORD and some others heavy marketing campaigns. Most people arent aware of other ways to redirect traffic from one place to another. Specically I want to highlight SSH tunneling since I always forget the syntax.
So why would someone want to do so: Two reasons priarily; Anonmity or to bypass some kind of geo-region filtering.
The first is self explanitory but the latteri snt to people in many parts of the world. Many countries have state-sponsored firewalls or web-content filters to control the information that is availible in the country.
Lets call out a very obvious first world problem: when I was in a middle eastern country recently I realized I forget to download a bunch of netflix to my tablet before I left. Because of web filters and geo filters both on Netflix’s and said countries’ ISP, I couldnt download my episodes. What I did to get around this was to connect to my VPN server and re-route my traffic to Netflix.com through my home’s network. So netflix transmitted the packets to my house and then my server at home redirected the traffic through a tunnel to my device.
But lets look at the reverse since this is a security blog and not a IT Blog. Lets say I have a exploit in the wild and im letting it propigate through malicous email attachment. I dont want my malware to reach back to me directly since I dont want to burn my IP and be put on a bunch of black lists. But regradeless my reverse handler needs to be listening on my computer at my home. So what do i do?
For my example I am going to say I live in DC, I have a comprimised host in mar-a-largo florida and a target I want to attack in California.
A VPN server could work but getting the routing rules to work be annoying at the least. If I was trying to NMAP my target in california then a VPN jump point might make sense since I want my traffic to appear like its coming from mar-a-largo instead of DC.
But what about when my phishing campaign is sucessful in California and I want my malware to appear to call back to mar-a-largo. Cue the SSH tunnels!
While many of us have used SSH I cant say that I stumbled across SSH tunnels until a few years into my infosec career.
SSH firstname.lastname@example.org -L 22222:188.8.131.52:445 -R 80:127.0.0.1:80 where my IPs are DC: 184.108.40.206 FL: 220.127.116.11 CA: 18.104.22.168
So lets break down the above command. The -L flag creates a forward tunnel. This means any packet that you shoot at your own computer will get forwarded t the jump box aka mar-a-largo. So if you nc localhost 22222 the connection will actually go to 22.214.171.124:445
Then we have the -R flag. It sets up a reverse tunnel. So any traffic that is destined to mar-a-largo (jump box) on port 50 actually gets sent to DC on port 80 through a pass through tunnel of sorts at mar-a-largo.
So one may ask? Why bother to send the packets to yourself. Why not send them directly to mar-a-largo to be forwarded to Cali. That is an acceptable solution and would still mask the orgin to those in cali but it would not encrypt the traffic over the public internet on the first hop. Its more of a best practice thing then anything else.
~we have the first half of the necessary tunnels set up, so lets set up the next half.
From the prompt on the mar-a-largo computer we are going to ssh into our box but set up tunnels directed at Cali.
SSH -L 445:126.96.36.199:445 -R 80:127.0.0.1:80 where my IPs are DC: 188.8.131.52 FL: 184.108.40.206 CA: 220.127.116.11