Setting up a routed tunnel with SSH
Learn how to set up a secure SSH tunnel to pivot into a network during a pentest or CTF challenge with this step-by-step guide.
Introduction
In many CTF engagements or pentests, you may encounter a scenario where you have successfully compromised a system, but are not able to access the internal network due to firewall rules or other security measures. In such cases, you can use a routed connection between the compromised system and your attack system to pivot into the network.
In this blog post, we will look at how to setup a routed connection between a compromised system and your attack system using an SSH tunnel and TUN/TAP virtual network devices.
Prerequisites
- Root access to the compromised system and your attack system.
- OpenSSH client and server installed on both systems.
- Basic understanding of network routing.
Step 1: Setup the TUN/TAP Virtual Network Devices
First, we need to setup TUN/TAP virtual network devices on both the compromised system and the attack system.
On the compromised system, run the following commands as root:
Replace <username>
with the username of the user that will be running the SSH tunnel, likely root.
On the attack system, run the following commands as root. You may need to adjust the tun number if you have existing VPN connections:
Again, replace <username>
with the username of the user that will be running the SSH tunnel.
If your attack system does not already have SSHD configured to allow tunnels you will need to enable that also. To configure PermitTunnel open /etc/ssh/sshd_config
in your favorite editor and ensure the following line is set.
I would also highly recommend making it so that the root user when connected over ssh cannot run any commands since we are using this for a tunnel only. To do this add the following to the bottom of your sshd_config file.
Once this has been configured restart the ssh daemon.
Step 2: Setup the SSH Tunnel
Next, we need to setup an SSH tunnel between the compromised system and the attack system. The tunnel will forward traffic between the TUN/TAP virtual network devices.
On the compromised system, run the following command as the user that owns the TUN/TAP virtual network device:
Replace <attacker_system_ip>
with the IP address of the attack system and if needed the tunnel numbers which are part of the -w 0:1
command where the first number is the local (compromised system) tunnel number and the second is the remote (attacker system) tunnel number.
This command will create an SSH tunnel between the compromised system and the attack system using the -w option to create a tunnel interface that forwards traffic between the TUN/TAP virtual network devices.
Step 3: Configure Network Routing
Finally, we need to configure network routing to ensure that traffic is forwarded correctly between the two systems.
On the compromised system, run the following commands as root:
Replace 172.16.22.0/28
with the network you want to access on the internal network.
On the attack system, run the following command as root:
Conclusion
In this blog post, we looked at how to setup a routed connection between a compromised system and your attack system using an SSH tunnel and TUN/TAP virtual network devices. This technique can be very useful in scenarios where you need to access resources inside a network and don't want to use a tool like Chisel. Keep in mind this is a full routed connection between the systems so it could provide access to your attack system as well. Make sure you use appropriate firewall rules and ideally run this in a dedicated virtual machine.