Pivoting - SShuttle



Transparent proxy server that works as a poor man’s VPN. Forwards over ssh. Doesn’t require admin. Works with Linux and MacOS. Supports DNS tunneling.

GitHub Page - Download

sshuttle: where transparent proxy meets VPN meets ssh

As far as I know, sshuttle is the only program that solves the following common case:

  • Your client machine (or router) is Linux, FreeBSD, or MacOS.
  • You have access to a remote network via ssh.
  • You don’t necessarily have admin access on the remote network.
  • The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
  • You don’t want to create an ssh port forward for every single host/port on the remote network.
  • You hate openssh’s port forwarding because it’s randomly slow and/or stupid.
  • You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance (see below).

Obtaining sshuttle

Debian stretch or later:

apt-get install sshuttle

From PyPI:

sudo pip install sshuttle

Clone:

git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
sudo ./setup.py install

Homebrew:

brew install sshuttle

Documentation

The documentation for the stable version is available at:
http://sshuttle.readthedocs.org/

The documentation for the latest development version is available at: http://sshuttle.readthedocs.org/en/latest/

Usage

Connecting to remote systems using sshuttle is fairly simple and straightforward.

From a terminal on your local system, run:

sshuttle -r username@sshserver 0.0.0.0/0 -vv

Or

sudo sshuttle -r username@sshserver 0.0.0.0/0 -vv

Or

sudo sshuttle -r username@sshserver 0/0 -vv

If you would also like your DNS queries to be proxied through the DNS server of the host you are connected to, add the --dns option as shown below.

sshuttle --dns -vvr username@sshserver 0/0

Or

sudo sshuttle --dns -vvr username@sshserver 0/0

You may be prompted for one or more passwords: first the local password to become root using either sudo or su (sshuttle needs root locally to install the firewall redirect rules), and then the remote ssh password.

That's it. You'll now be able to reach hosts on the remote network through the pivot.

Examples

This will connect as "sean" to "10.11.1.251" and route traffic to any destination (0.0.0.0/0) through the pivot.

sshuttle -r sean@10.11.1.251 0.0.0.0/0

This will connect as "sean" to "10.11.1.251" and route only traffic to the "10.1.1.0/24" subnet through the pivot.

sshuttle -r sean@10.11.1.251 10.1.1.0/24

Key Benefits

The remote account does not need to be an admin. Low-privilege users work too, because sshuttle only needs a shell and python on the remote side.

sshuttle lets you run most other tools or commands unchanged; their traffic is routed automatically (like a VPN) via the pivot.

If you use the following command:

sshuttle -r sean@10.11.1.251 10.1.1.0/24

and there are servers on the 10.1.1.0/24 subnet you want to access, then after sshuttle is up you can, for instance, run nmap against a server such as 10.11.1.223 and the traffic will be routed via your pivot.

You can just run:

nmap 10.11.1.223

This works with most, if not all, other tools. You simply target the server's IP and sshuttle routes the traffic automatically, with no per-tool config, setup, or major drawback.
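As an added illustration (not part of the original page or of the sshuttle project), the following Python model shows which destinations each of this page's commands would actually redirect into the tunnel, which makes the scope of the subnet argument concrete: 10.11.1.223 only goes through the pivot when it lies inside a routed subnet, so 10.1.1.0/24 or 0.0.0.0/24 would leave it unrouted. The model reflects sshuttle's behaviour of excluding the ssh server's own address and applying the most specific prefix first (the -x/--exclude option is real); the tie-break rule and the shorthand expansion of forms like 0/0 are assumptions of this model, not sshuttle's code.

```python
"""Model of which destinations a given sshuttle command redirects through the pivot."""
import ipaddress
import re

# Accepts sshuttle-style shorthand like '0/0' as well as full dotted subnets.
_SPEC = re.compile(
    r"^(\d{1,3})(?:\.(\d{1,3}))?(?:\.(\d{1,3}))?(?:\.(\d{1,3}))?(?:/(\d{1,2}))?$")


def parse_subnet(spec):
    """Expand '0/0' -> 0.0.0.0/0. Assumption: missing octets pad with 0, no prefix means /32."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported subnet spec: {spec!r}")
    octets = ".".join(g or "0" for g in m.groups()[:4])
    return ipaddress.ip_network(f"{octets}/{m.group(5) or '32'}", strict=False)


def routed_via_pivot(remote, includes, target, excludes=()):
    """True if traffic to `target` would be redirected into the ssh tunnel.

    Modelled rules: the ssh server's own address is always excluded so the tunnel
    cannot loop on itself; the most specific prefix wins; on equal prefix length an
    exclude (-x) beats an include (the tie-break is an assumption of this model).
    """
    ip = ipaddress.ip_address(target)
    server = remote.split("@", 1)[-1]            # 'sean@10.11.1.251' -> '10.11.1.251'
    rules = [(parse_subnet(server), False)]      # implicit exclude of the pivot host
    rules += [(parse_subnet(x), False) for x in excludes]
    rules += [(parse_subnet(s), True) for s in includes]
    # Longest prefix first; on ties 'not include' puts excludes ahead of includes.
    rules.sort(key=lambda r: (r[0].prefixlen, not r[1]), reverse=True)
    for net, include in rules:
        if ip in net:
            return include
    return False                                 # no rule matched: traffic stays local


def check_page_examples():
    """Evaluate this page's commands against the nmap target 10.11.1.223."""
    pivot = "sean@10.11.1.251"
    target = "10.11.1.223"
    return {
        "0/0": routed_via_pivot(pivot, ["0/0"], target),                 # True
        "0/0 to the pivot itself": routed_via_pivot(pivot, ["0/0"], "10.11.1.251"),  # False
        "10.1.1.0/24": routed_via_pivot(pivot, ["10.1.1.0/24"], target), # False: other subnet
        "0.0.0.0/24": routed_via_pivot(pivot, ["0.0.0.0/24"], target),   # False: not "anything"
        "0/0 -x 10.11.1.0/24": routed_via_pivot(pivot, ["0/0"], target, ["10.11.1.0/24"]),  # False
    }
```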

Whereas with other methods such as proxychains you have to run the following (after setting up its config), and you also inherit the limitations of running nmap through proxychains:

proxychains nmap -sTV -n -PN 10.11.1.223

More info on proxychains can be found in the Proxy Chains Guide.
KSEC Labs