
Reverse SSH Tunnel, Pineapple Web Interface Forwarding



Hi,

I am playing with the Pineapple's reverse SSH tunnel and everything works great.

So I tried to forward the web interface on port 80 (172.16.42.1/pineapple) with a second shell through SSH for remote configuration...

--> @pineapple# ssh -R 8080:localhost:80 root@destinationserver.com

At the destination server I can see the new open 8080 port, but if I connect to "destinationserver.com:8080/pineapple/" nothing happens.

Or is it the completely wrong way ;-) ??

thx

mex


  • 1 month later...

Sure, but in the episode(s) he doesn't access the web interface through the tunnel, just SSH - just wondering what the best practice way to do that would be. I'm going to play with using a separate autossh instance to forward my custom web interface port (2.6.4 fw) to my relay, I'll post my findings ^^


I'm a huge noob ;) Where do I get a relay server?? Apologies for the stupid question, but you have to crawl before you can walk lol

No worries dude. A relay server is really just a server. Preferably Linux, but this is up to the user.

The point of the "relay" is that the Pineapple SSHes into your server and opens a local port there. Then, you can SSH into the server and SSH into that local port. Once you do, you are on the Pineapple.

In the end, the relay server could be your own machine. The only issue with this is that it may not always be appropriate to have it connect to a moving machine. Having something you can connect to from your phone / laptop / whatever is always a useful thing ;)

Best Regards,

Sebkinne


  • 2 weeks later...

OK, so I got this working but it's a little manual :ph34r:

First of all, autossh on the Pineapple connects, via 3G, to my relay server. I use this command:

autossh -M 20000 -f -N -R 4255:localhost:22 root@my-dns-name.com -i /etc/dropbear/id_rsa

my-dns-name.com (fictitious) is my router's ADSL interface IP address, using dyn-dns. I then NAT any TCP connections hitting my ADSL IP address on TCP port 22 (SSH) to a BackTrack5 R2 machine on my LAN on IP address 192.168.1.100. This BackTrack is my SSH relay server.

Once autossh has done its magic, I can then SSH from any machine on the internet to TCP port 4255, which is tunnelled to the Pineapple. Note, you must also add a NAT statement for TCP port 4255 on the ADSL interface IP address to the relay server (192.168.1.100). At this point, I can manage the Pineapple from the internet across the two SSH tunnels by 'bridging' the SSH tunnels that terminate on the relay server. I think we all got to this stage, hopefully :blink:

Now, what if you want to manage the Pineapple via HTTP 'as well as' SSH? Well, using the SSH connection established above on TCP port 4255, simply paste the following into the SSH session (change parameters accordingly):

ssh -f -N -R 4266:localhost:1471 root@my-dns-name.com -i /etc/dropbear/id_rsa

Now, open your browser on a machine on the internet and browse to root@my-dns-name.com:4266. This should then be tunnelled across both SSH tunnels and 'land' on the Pineapple TCP port 1471 (assuming 2.7.0 software). Note, you must also add a NAT statement for TCP port 4266 on the ADSL interface IP address to the relay server (192.168.1.100).

Because of the silent -f flag your SSH session remains 'up' and you can manage via HTTP too - great stuff. You have the flexibility of SSH and HTTP to launch attacks. I have no idea how many SSH sessions you can create; maybe if you identified a vulnerable TCP service on a client you could create a tunnel and penetrate the client from a machine sitting on the internet, across the SSH tunnels?

Hope this helps someone....

Razzlerock


I am glad you got it working!

Mind if I ask you to compile this info on our wiki? I think it would make a great addition.

Best Regards,

Sebkinne


  • 6 months later...

I didn't see this on the wiki, so I added it.

Anyone figured out how to append this command to the autossh script that is autorun? I tried the standard "&&" to no avail (SSH relay works, HTTP no worky). Here's the command I'm using:

autossh -p 2222 -M 20000 -N -R 4255:localhost:22 user@myvps.com -i /etc/dropbear/id_rsa && ssh -p 2222 -f -N -R 4266:localhost:27015 user@myvps.com -i /etc/dropbear/

Note: I hate using standard ports, so I'm using 2222 as my ssh port for my vps, and 27015 as my pineapple's http interface port. CS/TFC represent!

telot

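A combined version of Razzlerock's two-step setup and telot's chained command, written here as an added example (this is not code from the thread or from the Pineapple firmware): one autossh session carries both -R forwards, which also avoids the "&&" problem, because "autossh -N" without -f never returns, so the second command never starts. The relay login, ports and key path are placeholders taken from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): one autossh session from the
# Pineapple carrying BOTH reverse forwards, SSH and the web interface.
# All values are placeholders taken from the posts above; adjust them.
RELAY="user@myvps.com"        # relay server login (assumed)
RELAY_SSH_PORT=2222           # relay sshd port (22 if you use the default)
KEY=/etc/dropbear/id_rsa      # Pineapple's dropbear private key
SSH_REMOTE_PORT=4255          # relay-side port that reaches Pineapple sshd
HTTP_REMOTE_PORT=4266         # relay-side port that reaches the web UI
HTTP_LOCAL_PORT=1471          # web UI port on the Pineapple (27015 for telot)
MONITOR_PORT=20000            # autossh keepalive monitor port

# Build one "-R remoteport:localhost:localport" spec.  With the sshd default
# GatewayPorts=no, the relay binds this port on 127.0.0.1 only, so it is
# reachable by someone logged into the relay but NOT via the relay's public
# address; that is the safer setting, and the second-hop SSH/NAT described
# in the thread is how you reach it from outside.
reverse_spec() {
    printf '%s:localhost:%s' "$1" "$2"
}

# Assemble the full command.  Two -R options on one session replace the
# "autossh ... && ssh ..." chain: without -f, "autossh -N" stays in the
# foreground for the life of the tunnel, so the command after && only runs
# once autossh exits, which is why only the SSH relay came up.  Both
# forwards also come back together when autossh restarts the session.
tunnel_cmd() {
    printf 'autossh -M %s -f -N -p %s -i %s -R %s -R %s %s' \
        "$MONITOR_PORT" "$RELAY_SSH_PORT" "$KEY" \
        "$(reverse_spec "$SSH_REMOTE_PORT" 22)" \
        "$(reverse_spec "$HTTP_REMOTE_PORT" "$HTTP_LOCAL_PORT")" \
        "$RELAY"
}

# Run only when invoked as "sh tunnels.sh start", e.g. from the autostart
# script on the Pineapple; otherwise just print the command for inspection.
if [ "${1:-}" = "start" ]; then
    eval "$(tunnel_cmd)"
else
    echo "Would run: $(tunnel_cmd)"
fi
```

On the relay, a quick `ss -ltn` (or `netstat -ltn`) should then show both 4255 and 4266 listening on 127.0.0.1 while the session is up.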

  • 5 months later...

Reviving an old thread to add some info. I made the tunnel for port 1471 but I was getting a weird 'Rejected request from RFC1918 IP to public server address' message when accessing 1471 from the internet.

I figured it out eventually - you have to edit the /etc/config/uhttpd to disable the RFC1918 checking option.
