SSH tunnelling #3

Network tunnelling is a technique that allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

This is very important for penetration testers because very often you will be attacking systems that are accessible from the Internet (an example of a public network). However, if you manage to compromise one of these systems, you will then have access to one or more private networks; these private networks are only reachable from your compromised target, so you have to use tunnelling techniques to access them from your own machine.

Continuing from SSH tunnelling #2, this time we have managed to gain SSH access to a machine located in a DMZ (demilitarized zone), but we need to go further and explore the machines residing in the internal network that are non-routable from our attack machine. We will learn how to create a dynamic port forward to allow this and use a proxifying tool (in our case proxychains) to enumerate hosts residing on the internal network.

A very common way to create tunnels is to use the SSH protocol. In this scenario, we will explore ways to set up dynamic port forwards as tunnels to achieve an objective.
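The workflow described above, as an added example that is not part of the scenario page: an SSH dynamic forward (`-D`) opens a local SOCKS listener, a proxychains-ng configuration points at it, and nmap is run through the proxy. The host, user, port and internal range are placeholders, and proxychains-ng (`proxychains4 -f`) is assumed.

```shell
#!/bin/sh
# Constructed example: tunnel into the internal network through the DMZ host
# with an SSH dynamic port forward and enumerate it with proxychains + nmap.
set -eu

# Placeholder values, not taken from the scenario
DMZ_HOST="${DMZ_HOST:-dmz.example.test}"
DMZ_USER="${DMZ_USER:-user}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
INTERNAL_NET="${INTERNAL_NET:-172.18.0.0/24}"

# Start the tunnel: -D opens a SOCKS listener on the attack machine that relays
# TCP connections via the DMZ host; -N runs no remote command; -f backgrounds ssh.
start_tunnel() {
  ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" "${DMZ_USER}@${DMZ_HOST}"
}

# Confirm the SOCKS listener is bound locally before proxying anything through it.
tunnel_listening() {
  ss -lnt 2>/dev/null | grep -q "127.0.0.1:${SOCKS_PORT} "
}

# Write a proxychains-ng config that sends all traffic through the local SOCKS
# listener; proxy_dns also resolves hostnames through the tunnel so internal
# names are not leaked to the attack machine's resolver.
write_proxychains_conf() {
  cat >"$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 ${SOCKS_PORT}
EOF
}

# Build the nmap command. A SOCKS proxy only carries full TCP connections, so
# SYN scans and ICMP host discovery cannot traverse it: use a connect scan
# (-sT), skip host discovery (-Pn) and skip reverse DNS (-n).
nmap_via_tunnel_cmd() {
  printf 'proxychains4 -f %s nmap -sT -Pn -n -p %s %s\n' \
    "$1" "${2:-22,80,443}" "$INTERNAL_NET"
}

# Typical run (not executed when this file is sourced for testing):
#   start_tunnel && tunnel_listening && write_proxychains_conf ./pc.conf
#   eval "$(nmap_via_tunnel_cmd ./pc.conf 22,80,443,8080)"
```

Scanning every port through a SOCKS tunnel is slow, because each probe is a full TCP handshake relayed over SSH, so keep the port list short.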

What you will learn

This scenario introduces the concept of tunnelling using SSH and dynamic port forwards. After completing it you should know:
- how to set up an SSH dynamic port forward
- how to use it in conjunction with proxifying tools to interact with targets that would otherwise be inaccessible

Scenario Pre-requisites

It is recommended, but not necessary, to be familiar with the following concepts:
- basic nmap usage
- basic Linux usage

However, it is still possible to follow the mission and complete the assessment by learning as you go.

Technical Details

This scenario contains one virtual machine running three Docker containers in a separate, non-routable network.