Friday, 14 October 2016

Reverse Tunnels, SSH

SSH:

If you've ever used a terminal shell, the chances are you've heard of SSH. SSH is arguably one of the most useful protocols ever made: it lets you get a terminal shell on a remote computer. Most everyday Linux distributions even come with it set up and ready to go.
Commonly, if you're trying to reach a Linux computer on your home network from the internet, you will need to tell your router to forward port 22 to your computer's IP address. Port 22 is the default port for SSH, unless you configured your SSH server otherwise.

Port Forwarding:

To understand how reverse tunnels work, we are going to need a basic understanding of what ports are and how to make use of them. Ports are referred to by number; we already know the port for the SSH protocol is number 22. Having this standard is really useful: by default, nearly all SSH clients know to use port 22 automatically, without you needing to type it every time. Let's look at a practical example of why port forwarding is important:

This is a basic representation of the scenario I explained earlier. The item in the middle is the router, where a rule has been set up to forward all traffic arriving on port 22 to a specified computer. This means that when I connect to the router from the internet on port 22, the connection gets passed through to the SSH server.

Reverse tunnels:

Reverse tunnels are similar to the image above in the sense that we pick a port, create a rule, and then data arriving on that port gets sent somewhere using the rule we created.

The basic explanation of an SSH reverse tunnel:
It is used to tell an SSH server to connect to another SSH server
  1. We connect to an SSH server
  2. We tell this SSH server a port to listen on
  3. We tell the SSH server where to reach the second SSH server, so that when somebody talks to it on the port we specified, the connection is passed on there

There are many reasons for using a reverse tunnel. In the hacking world, it is a great way to get past firewalls or plant devices on a network that you can get back into later. To understand why, let's see an example of a command that sets up a reverse SSH tunnel:

ssh -R 1234:localhost:22 username@sshserver.com

The breakdown of this command:
ssh -R ... we tell the computer we are going to use SSH; the '-R' tells it we are going to open a reverse tunnel

1234 ... this is the port we tell the first SSH server to listen on (the first SSH server is in blue)

localhost ... this is the second computer that we tell the first SSH server to connect to (here, the computer we are typing the command on)

22 ... this is the port that we tell the first SSH server to use when connecting to the second SSH server

username@sshserver.com ... this is the first SSH server. To set everything up, we at least need to be able to log in to the first SSH server

Using this:

To use this, we need to connect to the first SSH server and then open another connection from the first SSH server using the port we've just opened (1234). First we log in to the first SSH server:

ssh username@sshserver.com

Once we've signed in, this is where we tell the first SSH server to open another connection. To do this:

ssh localhost -p 1234 -l [username for the second ssh server]

Let's break this down again:

ssh ... we are going to use SSH to open our second connection

localhost -p ... we are going to open a second connection on the same computer we are working on; however, the -p says we are going to use a port other than 22

1234 ... the port we opened on the first SSH server. We are going to use it now, which means the first SSH server starts following the 'rule' we created

-l [username for the second ssh server] ... we need to specify that we are going to use a different username. This will be the username for the second computer.

Seeing this happen: 

Now that you know the theory behind it, we can see a practical demonstration:

Graphical representation of what's happening:

I hope this has helped you understand reverse tunnels. If you have any suggestions or have spotted a mistake, tell me below :)