Having access to the machines in an organization is fundamental, but it is not always as simple as opening an RDP or SSH session and being done with it. Depending on the architecture, the filtering in place, the security measures and so on, things can get considerably more involved. In fact, jump hosts, stepping stones or bastion boxes are far more widespread than it might seem at first glance.

In this entry we will look at some of the options SSH offers for making connections of this type: port redirections, reverse tunnels, SOCKS proxies and so on.

Port forwarding (tunneling)

SSH is a remote connection and management protocol with built-in cryptographic protection. It runs by default on port 22/TCP and provides console access to remote machines. In addition, port forwarding (also called tunneling) uses an established SSH session between two machines to transparently and securely present a network port (socket) that is reachable from one end of the session at the other end, for example to protect traffic that by default uses plaintext or otherwise insecure protocols.

There are several types:

  • Local forwarding. A port on the local computer is forwarded through the SSH server to a host and port reachable from that server: connections made locally end up at the remote target.
  • Remote forwarding. A port on the SSH server is forwarded back to a host and port reachable from the local computer: connections made on the remote side end up at the local target.
  • Dynamic forwarding. Creates a SOCKS proxy on the local computer; programs configured to use it have each of their connections initiated from the remote machine, with the destination chosen per connection by the program.

Local forwarding

ssh -L <local port>:<remote host>:<remote port> <ssh server>

The last argument is always the SSH server through which the traffic travels; <remote host>:<remote port> is where that server opens the onward connection. In this example the SSH server is our own machine (localhost, which must therefore be running sshd), so by pointing a browser at port 8080 on our local computer we get access to this blog. With a real jump host in place of localhost, the connection to the blog would be opened from that host instead.

ssh -L 8080:blog.networkbits.es:80 localhost

Remote forwarding

ssh -R <remote port>:<local host>:<local port> <user>@<remote host>

In this case, port 22 of our local computer becomes reachable from the remote computer: a connection to port 22022 on remotehost is carried back through the tunnel to our local port 22. Note that by default sshd binds that listener to the loopback interface of remotehost only; making it reachable from other machines requires the GatewayPorts option in the server's sshd_config (and a bind address in front of the port in the -R specification).

ssh -R 22022:localhost:22 i686@remotehost

Dynamic forwarding

ssh -D <local port> <user>@<remote host>

In this case, ssh starts a SOCKS listener on local port 1080; each connection made through it is carried over the SSH session and opened from the remote computer towards whatever destination the client application asked for.

ssh -D 1080 i686@remotehost

If you configure, for example, a browser to use the SOCKS proxy on the local computer on port 1080, all its connections will appear to be initiated from the remote computer. Keep in mind that only the traffic the application actually sends to the proxy is tunneled: name resolution goes through the tunnel only if the application resolves via SOCKS5 on the proxy side (Firefox's network.proxy.socks_remote_dns, curl's socks5h:// scheme); otherwise DNS queries still leave from your local machine.
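The following is an added example and not code from the original post. It pulls the three forwarding forms shown above into one small POSIX shell script that validates a -L/-R specification (including the optional bind address, whose default is the loopback interface), flags specifications that would expose the listener to the whole network, and assembles the ssh command line with -N (no remote shell) and ExitOnForwardFailure=yes so that a forward that cannot be bound fails loudly instead of silently starting a session without it. The hosts, users and ports (blog.networkbits.es, i686@remotehost, 8080, 22022, 1080) are the article's own illustrative values and are assumptions here.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds and sanity-checks
# ssh forwarding specifications; hostnames and ports are assumptions.

# Validate a TCP port number (1-65535).
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Parse a -L/-R specification "[bind_address:]port:host:hostport" and print
# "bind port host hostport". When bind_address is omitted, ssh binds the
# listener to the loopback interface only (for -R a non-loopback bind also
# needs GatewayPorts enabled on the server). An empty bind_address or '*'
# means all interfaces. Bracketed IPv6 literals are not handled here.
parse_forward_spec() {
  oldifs=$IFS
  set -f                       # '*' must not be glob-expanded by the shell
  IFS=:
  set -- $1
  IFS=$oldifs
  set +f
  case $# in
    3) bind=localhost; port=$1; host=$2; hostport=$3 ;;
    4) bind=$1;        port=$2; host=$3; hostport=$4 ;;
    *) return 1 ;;
  esac
  valid_port "$port" && valid_port "$hostport" || return 1
  [ -n "$host" ] || return 1
  printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# Return 0 when a bind address makes the listener reachable from other
# machines, i.e. the tunnel becomes an entry point for anyone on the network.
bind_exposes_listener() {
  case $1 in
    ''|'*'|0.0.0.0|::) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the ssh command for a local, remote or dynamic forward.
# -N: no remote shell; ExitOnForwardFailure=yes: exit if the forward cannot
# be set up, instead of leaving an interactive session without the tunnel.
build_tunnel_cmd() {
  kind=$1; spec=$2; target=$3
  case $kind in
    local)   flag=-L; parse_forward_spec "$spec" >/dev/null || return 1 ;;
    remote)  flag=-R; parse_forward_spec "$spec" >/dev/null || return 1 ;;
    dynamic) flag=-D; valid_port "$spec" || return 1 ;;
    *) return 1 ;;
  esac
  printf 'ssh -N -o ExitOnForwardFailure=yes %s %s %s\n' "$flag" "$spec" "$target"
}

# Usage: sh tunnel.sh remote '*:22022:localhost:22' i686@remotehost
if [ $# -eq 3 ]; then
  cmd=$(build_tunnel_cmd "$@") || { echo "invalid forwarding specification" >&2; exit 2; }
  if [ "$1" != dynamic ]; then
    set -- $(parse_forward_spec "$2")
    bind_exposes_listener "$1" && echo "warning: listener bound to all interfaces ($1)" >&2
  fi
  echo "+ $cmd" >&2
  exec $cmd
fi
```

Run it with the three arguments from any of the article's examples to launch the tunnel, or source it to reuse the functions; the warning path is the one to watch for when a colleague "just needs it reachable from the office", because an all-interfaces -R listener on a bastion is exactly the kind of open door the conclusions below describe.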

Conclusions

These techniques have the disadvantage that they can leave backdoors open for malicious actors or malware, which could then move freely through the tunnels, dramatically increasing the exposed attack surface and the impact of a compromise. They can also serve as covert channels for data exfiltration.

On the other hand, they can be (and in fact are) used to bypass firewalls and to get around obstacles such as NAT: a remote forward started from inside the network towards an external SSH server gives the outside party a path back in, the same principle as a reverse shell.