I have set up a small test network of three Debian VMs and my attack VM.
- chicken (192.168.1.244)
- porkchop (192.168.1.243)
- steak (192.168.1.184)
- attackVM (192.168.1.134)
The steak VM has a web server with a simple PHP page that displays the visitor's IP address.
<html>
<body>
<p>Did you say steak?</p>
<p><?php echo $_SERVER['REMOTE_ADDR']; ?></p>
</body>
</html>
Browsing with no intermediary hops.
attackVM $ curl http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.134</p>
</body>
</html>
Hosts involved:
- chicken (192.168.1.244)
- attackVM (192.168.1.134)
This is a simple use of the -D flag in the ssh client.
attackVM $ ssh -N -D 8282 [email protected]
Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:8282, since we selected 8282 for our SOCKS listener via -D. Browse to steak and we'll see that our IP is now 192.168.1.244, meaning we've connected through chicken.
attackVM $ curl --socks5 127.0.0.1:8282 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.244</p>
</body>
</html>
Hosts involved:
- chicken (192.168.1.244)
- porkchop (192.168.1.243)
- attackVM (192.168.1.134)
Now I'm going to use chicken as a staging server that has access to an "internal" server, porkchop. We'll establish an SSH connection between chicken and porkchop, then forward the SOCKS port from the initial connection and use it to browse through porkchop from our attack VM.
attackVM $ ssh [email protected]
tuna@chicken:~$ ssh -N -D 8484 -p 4444 [email protected]
The SSH connection is now established between chicken and porkchop. Let's forward the SOCKS port 8484 to our attack VM.
attackVM $ ssh -N -L 127.0.0.1:44444:127.0.0.1:8484 [email protected]
Here we've forwarded the SOCKS listener on port 8484 of chicken to our local port 44444. Configure the browser in attackVM to use a SOCKS proxy on 127.0.0.1:44444, since we selected 44444 for forwarding our SOCKS listener via -L. Browse to steak and we'll see that our IP is now 192.168.1.243, meaning we've connected through porkchop.
attackVM $ curl --socks5 127.0.0.1:44444 http://steak.test.ssh/steak.php
<html>
<body>
<p>Did you say steak?</p>
<p>192.168.1.243</p>
</body>
</html>
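Both the -D hop and the -L forward above only work if the sshd on the intermediate host accepts local (direct-tcpip) forwarding requests. The following is an added example, not part of the original write-up: a small audit function that reads sshd's effective configuration in the "keyword value" form printed by `sshd -T` and reports whether those forwards would be accepted. The function name, the sample configurations and the restricted destination are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify whether an sshd configuration accepts the
# client-side -D / -L forwards used in this walkthrough.
# Input on stdin: "keyword value" lines as printed by `sshd -T`.

classify_forwarding() {
    awk '
        # OpenSSH defaults: forwarding allowed, any destination.
        BEGIN { tcp = "yes"; dest = "any" }
        { key = tolower($1) }
        key == "allowtcpforwarding" { tcp = tolower($2) }
        key == "permitopen" { $1 = ""; sub(/^ +/, ""); dest = tolower($0) }
        END {
            # -D and -L are both local forwards, so "remote" blocks them too.
            if (tcp == "no" || tcp == "remote" || dest == "none")
                print "BLOCKED"
            else if (dest == "any")
                print "OPEN"
            else
                print "RESTRICTED " dest
        }'
}

# Constructed sample: default settings, as a jump host like chicken might report.
sample_default() {
    cat <<'EOF'
port 22
allowtcpforwarding yes
gatewayports no
permitopen any
EOF
}

# Constructed sample: the same host with TCP forwarding disabled.
sample_hardened() {
    cat <<'EOF'
port 22
allowtcpforwarding no
gatewayports no
permitopen any
EOF
}

echo "default:  $(sample_default | classify_forwarding)"
echo "hardened: $(sample_hardened | classify_forwarding)"
# On a live host (as root): sshd -T | classify_forwarding
```

As sshd_config(5) notes, disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can run their own forwarder. Settings inside Match blocks are not reflected in plain `sshd -T` output, so check per-user results with `sshd -T -C`.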