Hacker Insights is a series of blog posts meant to provide an understanding of the tools, mindset, methodologies, and history of attackers – from overviews to in-depth technical explanations.
In this installment of Hacker Insights, we’ll take a deep dive into one of the mechanisms hackers (and penetration testers) may use to covertly exfiltrate data or initiate remote connections to internal systems. Mitigations such as IDS and IPS, as well as deep packet inspection may make it difficult or impossible for attackers to remove sensitive data from internal systems. By “tunneling” this data through an encrypted channel, these security controls can be bypassed, and this data may be removed from the internal network without raising any alerts.
SSH, or Secure Shell, is a protocol used to provide remote access, automate processes, perform file transfers, issue remote commands, and manage network infrastructure. SSH is a protocol commonly found on a range of systems, and leveraged by a large number of organizations. The protocol functions on a client-server model, which means that one system must operate as an SSH server, waiting for a connection, while the other functions as an SSH client, connecting to the server.
SSH tunneling, also called SSH Port Forwarding, is a technique used to create an encrypted tunnel through an SSH connection. An SSH tunnel has a variety of uses such as bypassing restriction mechanisms or encrypting unencrypted traffic. For example, if restrictions were in place at a workplace to ensure employees may not browse to certain sites, an SSH tunnel could be established through an employee’s home computer to route traffic to a restricted site. Though SSH tunneling is a useful and legitimate function of the SSH protocol, it has different potential from the perspective of an attacker.
If an attacker finds themselves with a foothold on a network but without any of their own tools available, they may do a quick check to see whether SSH can be leveraged. SSH tunneling is a great technique for lateral movement on a network: it allows an attacker to forward traffic from their external system, through the compromised system, to a system on the internal network. This allows a variety of attacks and tools to be used without downloading anything to the compromised machine, as all the attack traffic passes directly through the compromised machine and into the internal network.
Another simple use case is for an attacker to port forward traffic through the compromised system, from itself to the external attacker system. This could allow an attacker to easily access locally running services on the compromised system from the outside.
There are three types of port forwarding:
- Local port forwarding
- Remote port forwarding
- Dynamic port forwarding
Local port forwarding, denoted by the `-L` flag of the `ssh` command, creates an SSH tunnel from the given local port number to the specified remote host:port, through the specified SSH server.

```
ssh -L 1336:google.com:80 home-computer
```

For example, say it was not possible to access Google from a work network, but it was possible to SSH to your home computer. The above command lets the work system connect to local port 1336 (localhost:1336) and have that connection tunneled through your home computer (home-computer) to Google on port 80.
Remote port forwarding, denoted by the `-R` flag of the `ssh` command, creates an SSH tunnel from a port on the SSH server, back through the SSH client, to a remote host:port.

```
ssh -R 1336:google.com:80 home-computer
```

For example, in the reverse of the previous situation (your home computer cannot access Google, but the client system can), the above command allows home-computer to connect to its own port 1336 (localhost:1336) and have that connection tunneled back through the client system to Google on port 80.
Though local and remote port forwarding may seem similar, the distinction lies with one key element: when performing a local port forward the SSH server being connected to acts as the middle-man to allow access to the remote service, whereas in a remote port forward the SSH client acts as the middle-man for the SSH server to access the remote service.
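Because a local or dynamic forward leaves a listening socket on the SSH client and a remote forward leaves one on the SSH server, the listener table is one place a defender can look for tunnels. The following is an added example and is not part of the original post or OCD Tech's tooling: a POSIX shell function that scans the output of `ss -ltnp` (here a constructed sample embedded in the script) for listening sockets owned by `ssh` or `sshd` on any port other than the sshd service port. The process names, pids and ports in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of `ss -ltnp` output (not captured from a real host).
# Line 3: an ssh client holding a -L or -D listener on 1336.
# Line 4: sshd holding a -R listener on 2222, bound to all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:1336       0.0.0.0:*         users:(("ssh",pid=4410,fd=5))
LISTEN 0      128    0.0.0.0:2222         0.0.0.0:*         users:(("sshd",pid=4512,fd=9))
LISTEN 0      4096   127.0.0.1:631        0.0.0.0:*         users:(("cupsd",pid=600,fd=7))'

# Print one "kind local_address:port pid" line per LISTEN socket owned by
# ssh or sshd, skipping the sshd service port itself ($2, default 22).
# A listener held by the ssh *client* is a -L or -D forward; a listener held
# by sshd on a non-service port is a -R forward (or a second Port directive,
# which is why the pid is printed so it can be checked against the config).
find_forward_listeners() {
  printf '%s\n' "$1" | awk -v sshport="${2:-22}" '
    $1 != "LISTEN" { next }
    {
      proc = $NF
      if (proc !~ /\("ssh",/ && proc !~ /\("sshd",/) next
      n = split($4, a, ":"); port = a[n]
      if (port == sshport) next
      kind = (proc ~ /\("sshd",/) ? "remote-forward(server-side)" \
                                  : "local-or-dynamic-forward(client-side)"
      match(proc, /pid=[0-9]+/); pid = substr(proc, RSTART + 4, RLENGTH - 4)
      print kind, $4, pid
    }'
}

# Stand-alone run against the constructed sample; on a live Linux host use
# find_forward_listeners "$(ss -ltnp)" instead (root is needed to see the
# owning process of sockets belonging to other users).
find_forward_listeners "$SAMPLE_SS"
```

The check is deliberately narrow: it only reports sockets whose owning process is `ssh` or `sshd`, so a tunnel opened by a different SSH implementation would need its process name added to the pattern, and a second `Port` directive in sshd_config will show up as a false positive until it is confirmed.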
The final type of port forwarding is dynamic port forwarding. With a dynamic port forward, the `ssh` client itself acts as a SOCKS proxy on the given local port; any application configured to use that proxy has its connections forwarded through the SSH server to whatever host and port it asks for, rather than to one fixed destination.

```
ssh -D 1336 home-computer
```

For example, the above command can be executed from a restricted network to allow all traffic to be tunneled through home-computer (assuming home-computer can be reached via SSH, and the client applications, such as a browser, are configured to use the SOCKS proxy on localhost:1336). While dynamic port forwarding requires more configuration and set-up, it is a truly powerful technique that can be used to forward all traffic to an attacking system, rather than forwarding port-by-port.
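On the server side, the sshd_config directives AllowTcpForwarding (yes, no, local or remote), GatewayPorts, PermitOpen and PermitTunnel decide which of the three forwarding types a connected client may use at all. As an added example that is not from the original post or OCD Tech, the script below audits a constructed sshd_config fragment against those directives, applying OpenSSH's documented defaults for any directive that is absent, and shows the same check passing on a hardened fragment. Both fragments and the OK/INFO/RISK labels are my own.

```shell
#!/bin/sh
# Constructed sshd_config fragment (not from any real host). Forwarding is
# wide open: any type allowed, and -R listeners may bind to all interfaces.
SAMPLE_SSHD_CONFIG='# constructed sample, permissive
Port 22
AllowTcpForwarding yes
GatewayPorts yes
# PermitOpen any
PermitTunnel no
AllowAgentForwarding no'

# Constructed hardened fragment: no TCP forwarding of any kind.
HARDENED_SSHD_CONFIG='# constructed sample, hardened
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no'

# Print one finding per forwarding-related directive. Absent directives get
# the OpenSSH defaults (AllowTcpForwarding yes, GatewayPorts no, PermitOpen
# any, PermitTunnel no). Returns 1 if any finding is a RISK, else 0.
audit_forwarding() {
  printf '%s\n' "$1" | awk '
    BEGIN { tcp = "yes"; gw = "no"; open = "any"; tun = "no"; risk = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blanks
    { key = tolower($1); val = tolower($2) }           # keywords are case-insensitive
    key == "allowtcpforwarding" { tcp = val }
    key == "gatewayports"       { gw = val }
    key == "permitopen"         { open = val }
    key == "permittunnel"       { tun = val }
    END {
      if (tcp == "no")          print "OK   AllowTcpForwarding no: -L, -R and -D all refused"
      else if (tcp == "local")  print "INFO AllowTcpForwarding local: -L/-D allowed, -R refused"
      else if (tcp == "remote") print "INFO AllowTcpForwarding remote: -R allowed, -L/-D refused"
      else { print "RISK AllowTcpForwarding " tcp ": every forwarding type allowed"; risk = 1 }

      if (gw == "no") print "OK   GatewayPorts no: -R listeners bind to loopback only"
      else { print "RISK GatewayPorts " gw ": -R listeners reachable from other hosts"; risk = 1 }

      if (tcp != "no") {
        if (open == "any") print "INFO PermitOpen any: -L/-D may reach any host:port via this server"
        else               print "OK   PermitOpen " open ": -L/-D destinations restricted"
      }

      if (tun == "no") print "OK   PermitTunnel no: tun/tap device forwarding refused"
      else { print "RISK PermitTunnel " tun ": tun/tap device forwarding allowed"; risk = 1 }
      exit risk
    }'
}

# Stand-alone run over both constructed fragments; on a real host use
# audit_forwarding "$(cat /etc/ssh/sshd_config)".
echo "== permissive =="; audit_forwarding "$SAMPLE_SSHD_CONFIG" || echo "(risks found)"
echo "== hardened =="; audit_forwarding "$HARDENED_SSHD_CONFIG" && echo "(no risks)"
```

The audit reads only the global section; a `Match` block can override these directives for particular users or source addresses, so a host that passes here should also have its `Match` blocks reviewed.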
For more information, questions about this article, or inquiries about OCD Tech services, please contact us.