NetSecNow Posted June 29, 2013

Hey guys, need a little help understanding SSH proxy forwarding, otherwise known as SSH pivoting. I have read a few tutorials that were very vague and seen a few videos from Hak5, but it still hasn't hit home yet.

Here's my lab setup. I have a few static IPs. I am testing a real-world scenario using a remote SSH box to pivot and scan the remote internal network. I am also using Metasploit.

Remote network: 75.xxx.xxx.x96
My local public IP: 75.xxx.xxx.x98

.x96 is behind a pfSense firewall I have set up. Port 22 is forwarded to a Metasploitable2 box I have there, LAN IP 192.168.2.2 (no worries, I have it set up to only accept connections from .x98 for security reasons). Also behind that pfSense firewall is a Proxmox VM server running various Windows images on the same LAN subnet as Metasploitable2.

On .x98 I am running a standard NAT router device, with my Kali Linux VM on the DMZ. The local LAN IP of the Kali machine is 192.168.1.2.

So in Kali, I do the following:

ssh -D 127.0.0.1:8001 email@example.com

This should set up my SSH proxy to msfadmin on .x96. I added socks4 127.0.0.1 8001 in proxychains.conf. I have confirmed this works by doing:

proxychains nmap -sT -Pn 192.168.2.4

(the WinXP box on .x96 with LAN IP 192.168.2.4) and this works; nmap returns results.

One of the Windows boxes on that remote LAN is 192.168.2.4 and it's vulnerable to the ms08_067 netapi exploit. I can confirm this in msfconsole after I setg Proxies socks4:127.0.0.1:8001 and run the check command against 192.168.2.4; it returns "Host is vulnerable". However, when I fire the exploit in question, it almost seems like nothing is returning. Say I set up the exploit and payload with bind_tcp to use port 4444. Since I have the Kali Linux box on the DMZ, no NAT port forwarding should need to happen, right?
I would assume, since my above examples of nmap and check in msfconsole return results for the remote LAN IP of 192.168.2.4, that the tunnel is working bidirectionally, but still, why isn't anything returning? The exploit identifies the machine as Windows XP Pro, etc., but still my payload never gets sent to that machine. I'm probably missing something, so I am asking you guys for some guidance. Thanks in advance!
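As an added example (not the poster's code and not from the Hak5 thread), here is a small Python client that speaks the SOCKS4 CONNECT handshake that the socks4 proxychains entry above relies on, so you can ask the ssh -D listener directly whether it will relay a TCP connection to an inner host, and tell a tunnel that is down (socket error) apart from an inner port the tunnel reaches but that is closed or filtered (reply 0x5B). The proxy address 127.0.0.1:8001 and inner host 192.168.2.4 are the post's lab values, and port 445 is an assumed example port; the reply codes are those of the SOCKS4 protocol.

```python
"""SOCKS4 CONNECT check against a local ssh -D proxy (added example)."""
import socket
import struct

# Reply codes defined by the SOCKS4 protocol; 0x5A is the only success code.
SOCKS4_REPLIES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: client identd not reachable",
    0x5D: "rejected: identd user-id mismatch",
}


def build_socks4_connect(dst_ip, dst_port, user_id=""):
    """Encode a SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return (struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip))
            + user_id.encode("ascii") + b"\x00")


def parse_socks4_reply(reply):
    """Decode the 8-byte SOCKS4 reply into (granted, description)."""
    if len(reply) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes, got %r" % (reply,))
    vn, cd, _port, _ip = struct.unpack("!BBH4s", reply)
    if vn != 0:
        raise ValueError("unexpected version byte in SOCKS4 reply: %d" % vn)
    return cd == 0x5A, SOCKS4_REPLIES.get(cd, "unknown reply code 0x%02x" % cd)


def check_via_socks4(proxy_host, proxy_port, dst_ip, dst_port, timeout=5.0):
    """Ask the proxy to CONNECT to dst_ip:dst_port; return (granted, description)."""
    # A socket error here means the ssh -D listener itself is unreachable;
    # a 0x5B reply means the proxy is up but could not reach dst_ip:dst_port.
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_socks4_connect(dst_ip, dst_port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
    return parse_socks4_reply(reply)


if __name__ == "__main__":
    # Assumed lab values from the post: ssh -D on 127.0.0.1:8001, inner host
    # 192.168.2.4; port 445 is an assumed example port.
    print(check_via_socks4("127.0.0.1", 8001, "192.168.2.4", 445))
```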