0x00 - Summary

We have all experienced the mild frustration that settles in when we have been denied access to a website or application. With a heavy sigh and groan, we watch as our favorite online retailer was blocked due to "Alcohol & Tobacco" or something of that nature. While firewalls are continuosly monitoring and blocking traffic on a network, we can use tunneling techniques to evade detection and sneak traffic through our SSH tunnels.

It should be noted that tunneling can be mitigated when firewalls have SSL Inspection features enabled. However, this is not commonly configured within networks.

Here is a brief list of things that we can do with SSH tunnels:

  • Bypass firewalls that are blocking specific websites, ports or services.
  • Access internal servers while remote, without exposing services on the router.
  • Create a backdoor for yourself in SSH.
  • Push your browser traffic through TOR.

Requirements

You will need an SSH server. If you are on Windows and don't have access to a Linux VM, consider following along in WSL. Additionally, the tools listed below are optional but definitely worth having in your aresenal.

  • FoxyProxy - This is a popular browser extention which is great for changing your proxy configuration on the fly!

  • ProxyChains - This is a linux tool that can be configured to push traffic through a chain of proxies. Prepends whatever command you are running, e.g. proxychains curl ipchicken.com or proxychains discord

  • TOR Server - A local tor service to push your traffic through


0x01 SOCKS5 - Dynamic Ports

All you need is an SSH server that you can reach from the internet. You could port forward from your router to your SSH server at home or rent a VPS for about $5/mo. SSH servers are secure, fairly easy to configure, light weight and most importantly, very convenient!

SOCKS5 is a network protocol that allows you to send your traffic to a middle server (the acting proxy), before reaching its intended destination. SOCKS5 offers authentication and will also handle your DNS request. If you would like more information regarding SOCKS5 or its predecessor protocols, there are plenty of articles available on the internet that go into great detail.

Here is the command: ssh -N -C -D 4444 n28@michiana-infosec.com

  • -N - This hides terminal output and prevents sending commands to the server. Perfect for when you just want to forward traffic.

  • -C - Compresses your data which saves bandwidth and in most cases, lightly increases speed.

  • -D - Sets up your dynamic port. This is the socket that you open on your local machine. You then direct your browser / traffic to this local port.

  • n28 - This will be whatever username you will be using to connect to the remote server.

  • michiana-infosec.com - The IP address or domain name for the remote server where your traffic will go to.

Brief Breakdown:

  1. Create a secure socks5 connection to your remote server on whatever port you have chosen. We have choosen port 4444 in our example above.
  2. Configure your browser's network proxy settings (or foxyproxy) to use the SOCKS5 proxy by specifying your localhost (or 127.0.0.1) and local port (4444).
  3. Check your IP and verify that you're browsing through your tunnel!

Flowchart Example

Diagram 1

GIF Example (Open Gifs in new tab for fullscreen)

03-socks5-tunnel


0x02 SOCKS5 - Local Tor Service

Tor must be installed on your machine for this to work. If you are on a Debian distro of Linux, the command is simple:

sudo apt install tor

Once Tor has been installed, we can check that the service is running on local port 9050. Here are a few ways to check.

  1. In your browser, go to localhost:9050 where you should see a SOCKS5.
  2. sudo service tor status should display the service in debian distros
  3. nc -vv localhost 9050 followed by GET / to return the index page (HTTP proxy error).

If we have the Tor service running on our machine we could easily pump our traffic to it in a similar fashion as we did with our SOCKS5 proxy. This is because Tor is conveniently running a SOCKS5 proxy for you to interact with. How do we know that? Well if we browse to http://localhost:9050/ we will receive the error below.

03-Tor-Error

So here are two ways we could configure our browsers.

Configuring Foxyproxy will look similar to this:
04-Tor-FoxyProxy

Configuring your browser will look similar to this:
05-Tor-Browser

When asked, make sure you click the checkbox that allows DNS through the SOCKS5 proxy. Otherwise, your DNS webrequest will still be proccessed and monitored within your primary network.

Once It's all be configured, check your public IP. You should be browsing through the TOR network!


0x03 Tor - But Remote!

So Tor is cool and all, but what if Tor is being blocked at your current location? That would be a more likely scenario, wouldn't it? After all, if you wanted a way to quickly browse through a Tor proxy without having to configure it, you could just use something like Brave web browser.

Let us imagine a scenario where you do not have administrative privileges on your machine. Installing Tor on your device is not a possibility, and even if you could, all of the Tor traffic is monitored and blocked by the firewall... then what do you do?

Welcome to the magic of local port forwarding!

Local Port Forwarding is a common ways to build tunnels in SSH and it's a great way to evade firewalls. In short, we can take a service / port from a remote location, and make it accessible on our machine through a specified local port. For example, let's say we are working from our office at work. On our PC at home, we have a Tor service running. We can use Local Port Forwarding and connect to our PC at home and build a tunnel to our Tor service so that we can reach it from work. We can then set our browser to proxy traffic to localhost 4444, and it will be proxied by our Tor service running at home! Here's how it works.

  1. First we establish our SSH connection to our remote server.
  2. The SSH client then takes our given arguments, and builds a tunnel within the connection.
  3. SSH binds our local port (4444) to our remote server's serivce port (9050)
  4. Once the connection is made, the network's firewall see's traffic to port 22 for SSH traffic, but has no idea that inside that tunnel we are forwarding TOR traffic.

If SSH traffic is blocked on port 22, change your SSH server's port number to 443 so it's disguised as HTTPS traffic! Another option would be to port forward your router's inbound port 443, to your internal SSH server on port 22.

Here is the command: ssh -L 4444:localhost:9050 -N -C username@address

  • -L - Start Local Port Forward by opening a local socket which will connect to the remote destination.

  • 4444 - The local socket that we are opening up on our host which will be forwarded to our remote server.

  • localhost - The address we want our traffic to go to once it has reached our remote server. Being the service lives on localhost, thats where we want it.

  • 9050 - We specified we want the traffic to go to the local host, but now we specify the TOR service runnning on port 9050.

Here is a quick and ugly flowchart.

Flowchart Example

06-Tor-Remote-LPF

GIF Example

07-TOR-LPF


0x04 - Local Port Forwarding (cont.)

So if we can forward our Tor service to our local ports... what else can we forward? You can get pretty crafty, but I'll lay out some other examples of things you can do.

Lets say that you are at work and you really would like to access one of your servers at home. Maybe its a database or a media server. Whatever it may be, you have your reasons as to not expose it to the internet. Using local port forwarding, we build a tunnel locally and access the servers without ever making the services known to the public.

Using similar commands as seen above, we can begin building tunnels.

Below, we build a tunnel to a a web server running within a Docker containers.This is the Damn Vulnerable Web Application (DVWA) server, which has been forwarded to my local host on port 5555.

08-LPF-DVWA

Local Port Forwarding is a great way to retrieve access to a remote service, and interact with it on your local machine.


0x05 - Remote Port Forwarding

Lets come up with another scenario.

What if you have another server in your house that you would like to share with someone? Maybe you have a database or another SSH server somewhere in your house that you want others to be able to access. Similiar to local port forwarding, we can send a service over to a remote destination, and have them interact with our service through their local ports.

Here is the command: ssh -N -C -R 9999:10.0.0.55:22 michiana-infosec.com

  • -R - Establish Remote Port Forwarding

  • -N - Do not display output or send commands to the server

  • -C - Enable compression

  • 9999 - The local port that we are going to create on the remote server.

  • 10.0.0.55 - The address of a server in my house that I'm sharing with Michiana-Infosec

  • 22 - The SSH service port for 10.0.0.55, that is being shared with the remote destination.

  • michiana-infosec.com - The remote destination who will be able to access the SSH service through their local port 9999

Flowchart Example

09-RPF-SSH-2

Now, if you are on the Michiana Infosec server and you attempt to connect to port 9999 you will be greeted with my local server's banner.

Pic Example

0A-RPF-SSH

In case you were wondering, you can also build tunnels to other tunnels and connect the ports. Forwarding has some great use cases so experiment and play around!


0x06 - Proxychains

Now that we know how to setup tunnels and build socks proxies, lets take a look at Proxychains. Proxychains allows you to redirect applications through proxy servers. Here is a description in the programs manual.

...This program forces any tcp connection made by any given tcp client to follow through proxy (or proxy chain). It is a kind of proxifier.It acts like sockscap / premeo / eborder driver (intercepts TCP calls)...

In this scenario, lets say we have our Tor service running. We will double check our configuration at /etc/proxychains.conf. By default, proxychains routes through Tor using SOCKS4. Proxychains does in fact support SOCKS5, and because we want to proxy our DNS resolutions, make sure you change socks4 to socks5. If you have another dynamic SOCKS5 port that you have created with SSH that you would like to use, feel free to change the port number.

Proxychains configuration

0B-Proxychains-3

GIF Example

0C-Proxychains

Use proxychains to install packages, curl webpages, download files with wget, and get other applications to bypass firewall restrictions. Proxychains can be configured to select a random proxy in a list, chain proxies together and more.

Enjoy!