I use this site for a number of reasons. One them is to keep a little diary of things that I have figured out so that I can reference them later. The problem is that those little discoveries are buried in rambling posts about why I chose to do something.
I have given 2600 talks about SSH tunnels but I really don’t have a permanent record of my various [mis]uses of SSH, so I thought I would put them all in a post for future reference. I have written about securing SSH with asymmetric encryption keys, but there are many more things that you can do with SSH.
Dynamic Ports: slip past content filters with this one weird trick
This is the go-to use for an SSH tunnel. University and corporate networks are often overseen by petty tyrants who limit access to sites of questionable content, or sites that are prone to eating bandwidth like streaming media. Ironically, most of these networks allow outbound SSH. SSH kills content filters dead.
You can create a SOCKS proxy using an SSH connection by creating a dynamic port. You can then point your browser to use your local address (127.0.0.1) as a SOCKS proxy to smuggle all of your browser traffic thru the SSH tunnel. If you want to also tunnel your DNS queries, in Firefox type “about:config” in the browser bar and then find the setting “network.proxy.socks_remote_dns” and set it to “true”. Tunneling DNS isn’t strictly necessary, but it does help you stay under the radar on a restrictive network.
On Windows, you can drop the port one of three ways:
If you are into radio buttons and text boxes, you can configure PuTTY to open one every time you connect. On the tree control to the left, click Connection -> SSH -> Tunnels. You’ll need to select dynamic and enter a source port (5555 in the picture to the right) and click ‘Add’. Your new port should appear in the list above as ‘D5555’. Be sure to go back to your session and click ‘Save’ of you want the port to be created every time you open the session. As long as you are messing with your PuTTY session, you might as well set your terminal colors to green text so you look like a real hacker.
If using the GUI makes you feel like a wimp, you can just script it with a handy batch file:
putty -D 5555 firstname.lastname@example.org
You can also feel like a real UNIX badass by copying putty.exe to c:\Windows\System32 and renaming it to ssh.exe so you can kick off your session from DOS like a real console cowboy.
OR you can dump the whole interactive shell pretense and use plink.exe to make your connection and drop your ports without the whole pesky PuTTY window getting in your way:
plink -D 5555 email@example.com
Plink is bascially PuTTY with no window. It functions basically the same in all other respects.
If you are using a Unix or Linux workstation, you can set up your dynamic port with a similar syntax:
ssh -C -D 5555 firstname.lastname@example.org
Note: the -C switch compresses traffic going thru the tunnel, theoretically increasing network speeds through the tunnel.
Local Ports: I heard u like shells so we tunneled SSH thru yo SSH so you can get a shell while you gettin a shell
You can use SSH to secure more than just your web browsing. You can use it to secure pretty much any TCP connection. I like using it to secure notoriously insecure VNC and X sessions.
Another use is to get around port restrictions. Some networks may allow outbound SSH, but only on port 22. Some home ISP’s get shitty about running servers on reserved ports like 22. This means you have to forward some bunk port on your home router, like 62222 to the SSH server on your home network. I used to do this when I had Time Warner cable, and when I worked at a corporation with a really restrictive network. To get around this problem, I would have to SSH to a public access Unix system like the Super Dimensional Fortress on port 22 and then drop a local port that forwarded to my bunk SSH port on my home firewall. When I did that with different windows that had different text colors it looked like I was on CSI: Hacker Girl back tracing the killer’s IP address.
The setup is pretty much the same as for the dynamic port, only you have to specify a destination IP and port as well. The idea is to connect to a remote host that is behind a firewall and using the SSH tunnel to make a different host inside the remote firewall accessible to your local your local network. (in the example above it was SSH but it could be RDP or any other TCP connection) forwards all traffic to the remote destination thru the tunnel. I’ll use RDP (port 3389) in the example below
To tunnel a Microsoft Remote Desktop session through SSH using the PuTTY gui, use the tree control to the left, click Connection -> SSH -> Tunnels. You’ll need to select local and enter a source port (13389 in the picture to the right), set the destination address or host+domain name and the port (192.168.1.10:3389 in the picture to the right) and click ‘Add’. 13389 will be the port on your workstation that is now connected to the RDP port on the remote network (3389). Your new port should appear in the list above as ‘L13389 192.168.1.10:3389’. Be sure to go back to your session and click ‘Save’ of you want the port to be created every time you open the session. In your RDP client, you would connect to 127.0.0.1:13389
If you are scripting this setup, use the -L switch along with your source port, destination IP/host and the destination port. Using the scenario from above, you forward local port 13389 to 192.168.1.10 port 3389 like this, where your SSH username is ‘alice’ and your home network’s dynamic DNS hostname is casa-alice.dynamic.DNS:
putty -L 13389:192.168.1.10:3389 email@example.com.DNS
And finally, the syntax is the same with plink:
plink -L 13389:192.168.1.10:3389 firstname.lastname@example.org.DNS
You can actually specify multiple local ports to remote destinations. I do this with PuTTY to get direct access to the web control page on my Proxmox cluster and to RDP to a Windows host using just the one tunnel.
Remote Ports: SSH kills firewalls dead.
In the local port scenario, you are connecting to a remote host behind a firewall and using the SSH tunnel to make a host inside the remote firewall accessible to your local your local network. You can also do the opposite, which is to connect to a remote host outside of your firewall and use the SSH tunnel to make a host inside your local firewall accessible to either the Internet or to hosts on a remote network.
You do this by dropping a port at the other end of the tunnel. On the remote host. The obvious use is to temporarily punch a hole in the local firewall to expose an internal web server to the Internet. If the remote host that you are connecting to is directly connected to the Internet, (like a hosted VM from Cloud At Cost) you can temporarily open a port on the remote server to tunnel traffic to the web server on your internal network.
A more nefarious use for a remote port would be for a leave-behind box (formerly known as a dropbox before the term became a brand name for cloud storage) to phone home from a target network. Basically you build a cheap single board PC, like a Raspberry Pi or a plug server that you physically plug into a network that you plan on hacking testing for security holes. This approach saves a ton of time reverse engineering firewalls to gain access. There are two basic approaches, load up the box with tools and drop it, or use a minimal box as a router/pivot for tools you are running outside the target network.
To do this with the PuTTY gui, it’s basically the same as setting up a local port. Use the tree control to the left, click Connection -> SSH -> Tunnels. You’ll need to select remote and enter a source port (58080 in the picture to the right), set the destination address or host+domain name and the port (192.168.1.10:80 in the picture to the right) and click ‘Add’. You also need to click the check both of the boxes next to “Local ports accept connections from other hosts” and “Remote ports do the same (SSH-2 only)”. Your new port should appear in the list above as ‘R58080:192.168.1.10:80’. Be sure to go back to your session and click ‘Save’ of you want the port to be created every time you open the session.
If you are scripting this setup, use the -R switch along with your source port, destination IP/host and the destination port. Using the scenario from above, you forward remote port 58080 on ssh.server.com to port 80 on your internal home web server with the IP 192.168.1.10 like this:
putty -R 58080:192.168.1.10:80 email@example.com
And finally, the syntax is the same with plink:
putty -R 58080:192.168.1.10:80 firstname.lastname@example.org
The only gotcha with scripting your remote port drop is that I don’t think that there is a command line switch for enabling connections from other hosts, so you have to enable the remote port sharing on the SSH server side.
Making Local and Remote Ports Accessible to other hosts
Sharing your remote and local hosts lets you set up your SSH tunnel on one host and then connect to the tunnel from a different host.
In the case of a local port, you could initiate the SSH session on your home Linux server, and then connect to that port from your Windows workstation. This is handy if you are tunneling RDP and you don’t have PuTTY available on your Windows box. Although PuTTY is super portable so it’s dead simple to smuggle it onto the most locked down of Windows machines.
In the case of the remote port, it’s pretty much mandatory for the web server or dropped box use cases. You can still script the connection, you just have to modify your sshd_config file on your SSH server. On a Debian-esque server you do this by using sudo or su to become root and then type:
You then add the GatewayPorts option. You can put it anywhere in the file, but I prefer to keep it in the first few lines of the file where entries for port configuration are.
# What ports, IPs and protocols we listen for Port 22 GatewayPorts yes
Then save the file and restart SSH:
systemctl restart ssh
Or on Debian 9, you use ‘service’ to restart SSH:
service ssh restart
I am sure that this option is a big security risk, so I recommend a cheap low powered VM to dedicated specifically to bouncing connections. I also recommend securing it with asymmetric encryption keys. If you are looking to script SSH connections that are secured with SSH keys, I recommend not setting a passphrase on your private key. You include your private key on the putty/plink commandline with the -i switch:
putty -L 13389:192.168.1.10:3389 email@example.com.DNS -i c:\path\to\your\key\key.ppk