Sunday, October 15, 2017

SSH Tunneling (I): LOCAL port forwarding


- Layout for this exercise:

1 - Introduction

- A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. 

- Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. 

- To set up a local SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. 

- Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port does not have to be the same as the remote port.

- SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services so long as a site allows outgoing connections.

- In this exercise we are using 3 Linux machines:

a) Kali Linux

b) Ubuntu Linux

c) CentOS Linux

- From Kali let's check that Ubuntu is running an SSH service:

- From Kali let's check that CentOS is running an HTTP service:

2 - SSH Tunneling with LOCAL port forwarding

- Now, from Kali we establish an SSH tunnel from local port 8080 to remote port 80 at CentOS, tunneling through the Ubuntu device.

- The SSH tunnel connection is successful, as we can check once we obtain the Ubuntu shell:

- Parameters used in previous command:

ssh        <- protocol
-p 22      <- SSH server running on port 22
-L 8088    <- local port at Kali
           <- HTTP server running on remote port 80
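
The forwarding argument described above follows OpenSSH's `-L [bind_address:]port:host:hostport` form. As an added example (not part of the original post), the following Python code extracts and parses that form from an ssh command line, for instance when reviewing process listings for tunnels; the addresses and user name in the sample are constructed placeholders, since the real ones are not on the page.

```python
import shlex

def split_fields(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] intact."""
    fields, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    return fields

def parse_local_forward(spec):
    """Parse the TCP form of ssh -L: [bind_address:]port:host:hostport."""
    fields = split_fields(spec)
    if len(fields) == 3:
        bind = None  # not given: ssh binds to loopback unless GatewayPorts is set
    elif len(fields) == 4:
        bind = fields.pop(0).strip("[]")
    else:
        raise ValueError(f"unsupported -L spec: {spec!r}")
    lport, host, hport = fields
    return {
        "bind": bind,
        "local_port": int(lport),
        "target_host": host.strip("[]"),
        "target_port": int(hport),
        # an empty bind address or '*' makes the listener reachable from other hosts
        "exposed": bind in ("", "*", "0.0.0.0", "::"),
    }

def find_local_forwards(cmdline):
    """Return every -L forward found in one ssh command line."""
    args = shlex.split(cmdline)
    found = []
    for i, arg in enumerate(args):
        if arg == "-L" and i + 1 < len(args):
            found.append(parse_local_forward(args[i + 1]))
        elif arg.startswith("-L") and len(arg) > 2:
            found.append(parse_local_forward(arg[2:]))
    return found

# Constructed sample: 192.0.2.20 stands in for Ubuntu, 192.0.2.30 for CentOS.
SAMPLE = "ssh -p 22 -L 8080:192.0.2.30:80 user@192.0.2.20"
```

Forwards given through `-o LocalForward=...` or a config file are not covered by this parser.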

- Finally, browsing from Kali gives access to the remote web server at CentOS, so the final connection is also successful:

3 - Analyzing connections and corresponding ports with netstat

- It is important to notice that Kali only sees the SSH connection, not the HTTP one, even though it is actually accessing the web server at CentOS. Using netstat:

- Ubuntu, likewise, is aware only of the SSH connection with Kali:

- Interestingly, the CentOS web server only recognizes an HTTP connection with Ubuntu (not with Kali), and is totally unaware of the SSH tunnel from Kali, as the web access_log shows:

- The explanation of these results is that the local port 8080 at Kali redirects the traffic (encrypted with SSH cryptographic protocols) through the outbound SSH tunnel on port 22 to the remote web server.