OP 06 April, 2021 - 02:48 PM
Welcome all. In the example below, we will want to establish an SSH connection from the server where our scanner will be to the virtual machine (Kali) and use the connection to scan our target network.
SSH has very good tunneling capabilities. I will use an SSH tunnel to tunnel the traffic between two TUN/TAP interfaces. These are virtual devices that behave like real interfaces, so our scanner won't know the difference.
First, we need to create such devices on both sides with:
# tunctl -t tap0
Now we will assign an IP address to this interface.
On the scanner server:
# ifconfig tap0 10.100.100.100 netmask 255.255.255.0
On the VM:
# ifconfig tap0 10.100.100.101 netmask 255.255.255.0
We will connect these devices to an SSH tunnel. We need to be root on both sides for this to work, so I created an SSH key which I copied to the VM:
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IhndAn301XGp4TkWgS1s/QyEJdmo4fh6vhR/nmmLElw root@server.local
The key's randomart image is:
+---[RSA 2048]----+
| .. .. ..% = o.o |
| o ... o X.B.o   |
| . o. + = o O    |
| o o o E * o     |
| o . S ... .     |
| . . + o         |
| ....            |
| ..o + .o        |
| ooo .. =.       |
+----[SHA256]-----+
This allows us to log in without entering a password. Additionally, the target SSH server must allow tunneling. On the VM, add to the file /etc/ssh/sshd_config the line:
PermitTunnel yes
Now we can login from the scanner server to the VM with this command:
# ssh -o Tunnel=ethernet -f -w 0:0 root@kali.linux true
This will create a tunnel that executes the "true" command (which de facto does nothing) and sends the process to the background. To check if the tunnel is ready, we perform:
# ethtool tap0
Settings for tap0:
Supported ports: [ ]
Supported link modes: Not reported
Supported pause frame use: No
Supports auto-negotiation: No
Advertised link modes: Not reported
Advertised pause frame use: No
Advertised auto-negotiation: No
Speed: 10Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: off
MDI-X: Unknown
Current message level: 0xffffffa1 (-95)
drv ifup tx_err tx_queued intr tx_done rx_status pktdata hw wol 0xffff8000
Link detected: yes
If everything looks similar to the above, everything works fine. To confirm this we can ping the remote tap0 interface:
# ping -c 3 10.100.100.101
PING 10.100.100.101 (10.100.100.101) 56(84) bytes of data.
64 bytes from 10.100.100.101: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 10.100.100.101: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.100.100.101: icmp_seq=3 ttl=64 time=0.031 ms
--- 10.100.100.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.028/0.030/0.033/0.006 ms
Now we need to configure our scanner server to send data to the target network through this tunnel.
On the VM:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
# iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -j ACCEPT
On the scanner:
# ip route add 10.10.0.0/16 via 10.100.100.101
And that's it. Let's test our scanner now:
# nmap -sT -Pn 10.10.1.37
Nmap scan report for 10.10.1.37
Host is up (0.022s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8080/tcp open  http-proxy
8089/tcp open  unknown
8443/tcp open  https-alt
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds
In fact, this way we can tunnel through SSH whatever we want.
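The whole procedure from the post, collected into one script as an added example (this is not the OP's script and nothing here was posted by them). It assumes the same addresses and names the post uses: the VM is reachable as root@kali.linux, the VM's uplink toward the target network is eth0, both ends use tap0, and the target range is taken as 10.10.0.0/16. Unlike the post it checks the prerequisites before routing: that the VM's sshd_config actually enables PermitTunnel, that ethtool reports the tunnel end attached, and that the remote tap address answers a ping. The small helper functions take their input from a file or stdin so they can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example (not the OP's own script): automates the layer-2 SSH pivot
# described in the post. Host names, interface names and the target range
# below are assumptions taken from the post's examples; adjust for your lab.
set -eu

VM_HOST="${VM_HOST:-root@kali.linux}"   # VM reachable over SSH as root (assumed)
TAP_DEV="tap0"
SCANNER_TAP_IP="10.100.100.100"
VM_TAP_IP="10.100.100.101"
TAP_MASK="24"
TARGET_NET="10.10.0.0/16"                # network behind the VM (assumed)
VM_UPLINK="eth0"                         # VM interface facing the target network (assumed)

# Return 0 if the given sshd_config enables tunnel devices. sshd accepts
# "PermitTunnel yes" as well as "PermitTunnel=yes", is case-insensitive on
# keywords, and uses the first matching directive, so the check mirrors that.
sshd_allows_tunnel() {
    awk '{ sub(/#.*/, ""); gsub(/=/, " ") }
         tolower($1) == "permittunnel" { v = tolower($2); found = 1; exit }
         END { ok = found && (v == "yes" || v == "ethernet" || v == "point-to-point");
               exit ok ? 0 : 1 }' "$1"
}

# Return 0 if ethtool output on stdin reports a detected link (tunnel attached).
link_detected() {
    grep -q '^[[:space:]]*Link detected: yes[[:space:]]*$'
}

# Route command for the scanner side, kept in a function so it can be checked.
scanner_route_cmd() {
    printf 'ip route add %s via %s\n' "$TARGET_NET" "$VM_TAP_IP"
}

# --- VM side: run as root on the VM ---
vm_up() {
    sshd_allows_tunnel /etc/ssh/sshd_config || {
        echo "PermitTunnel is not enabled in /etc/ssh/sshd_config" >&2; exit 1; }
    ip tuntap add dev "$TAP_DEV" mode tap        # iproute2 equivalent of: tunctl -t tap0
    ip addr add "$VM_TAP_IP/$TAP_MASK" dev "$TAP_DEV"
    ip link set "$TAP_DEV" up
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$VM_UPLINK" -j MASQUERADE
    # Forward only tap0 -> uplink and the replies, instead of a blanket FORWARD ACCEPT.
    iptables -A FORWARD -i "$TAP_DEV" -o "$VM_UPLINK" -j ACCEPT
    iptables -A FORWARD -i "$VM_UPLINK" -o "$TAP_DEV" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# --- scanner side: run as root on the scanning host ---
scanner_up() {
    ip tuntap add dev "$TAP_DEV" mode tap
    ip addr add "$SCANNER_TAP_IP/$TAP_MASK" dev "$TAP_DEV"
    ip link set "$TAP_DEV" up
    # -w 0:0 attaches local tap0 to remote tap0; "true" keeps the session alive without a shell.
    ssh -o Tunnel=ethernet -f -w 0:0 "$VM_HOST" true
    # Wait until the tunnel end is attached, then verify reachability before adding the route.
    for _ in 1 2 3 4 5; do
        ethtool "$TAP_DEV" | link_detected && break
        sleep 1
    done
    ping -c 3 "$VM_TAP_IP" >/dev/null
    eval "$(scanner_route_cmd)"
}

case "${1:-}" in
    vm)      vm_up ;;        # ./pivot.sh vm       (on the VM)
    scanner) scanner_up ;;   # ./pivot.sh scanner  (on the scanner)
esac
```

Run the VM half first, then the scanner half; the scanner half refuses to add the route until the tunnel is attached and the remote tap address answers, so a missing PermitTunnel or a dead tunnel fails loudly instead of leaving a black-hole route behind. The FORWARD rules are deliberately narrower than the post's `-A FORWARD -j ACCEPT`: only traffic entering from tap0 is forwarded out, and only replies come back, which is all the scanner needs.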
