Sshuttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
Source: https://github.com/sshuttle/sshuttle
Source 2: https://sshuttle.readthedocs.io/en/stable/how-it-works.html
When to use sshuttle?
Imagine this scenario:

A machine can connect to B
B machine can connect to C
C can't connect directly to A
So, in this case, we can use sshuttle from C to B, proxying the access
After that, we can access A directly from C
Prerequisites
We don't need to set up sshuttle on the target, just on the attacker/Kali
Requirements: Python 3.8+
Basic Usage
We can choose which subnet we want to proxy
Using 0.0.0.0/0 (or 0/0) proxies everything
sudo sshuttle -r username@sshserver 0/0 -vv
"On some systems, you may also need to use the sshuttle -x parameter to exclude sshserver or sshserver:22 so that your local machine can communicate directly to sshserver without it being redirected by sshuttle".
sudo sshuttle -r username@sshserver 0/0 -x sshserver:22
Tunneling + Extracting Files
Here I've opened a netcat on the 3rd machine:

Then I connected from Kali (Attacker) to the Second Machine:
The 0/0 means that all subnets available on the 2nd machine will be proxied to us
-x means that we don't wanna proxy the IP of the server


Wireshark doesn't even show the access to the 10.10.10.11 machine, because we're accessing it through the sshuttle tunnel from Kali (192.168.0.72) to the 2nd machine (192.168.0.67).
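The effect of the subnet argument and -x on the hosts above, as an added example (not code from this page or from the sshuttle project): a simplified Python model that assumes the most specific matching subnet wins and that an exclusion wins a tie. The function names and the netcat port 8000 are hypothetical.

```python
import ipaddress

def parse_rule(spec):
    """Parse 'net[/width][:port]' (IPv4) into (network, port or None)."""
    port = None
    if ":" in spec:
        spec, port_text = spec.rsplit(":", 1)
        port = int(port_text)
    addr, _, width = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))      # lets the page's "0/0" parse as 0.0.0.0/0
    cidr = ".".join(octets) + "/" + (width or "32")
    return ipaddress.ip_network(cidr, strict=False), port

def decide(dst_ip, dst_port, includes, excludes):
    """Return 'tunnel' or 'direct' for one outbound TCP connection."""
    ip = ipaddress.ip_address(dst_ip)
    best_key, best_action = None, "direct"   # no matching rule: not proxied
    for action, rules in (("tunnel", includes), ("direct", excludes)):
        for spec in rules:
            net, port = parse_rule(spec)
            if ip in net and port in (None, dst_port):
                # Assumed precedence: longest prefix first, exclusion wins a tie.
                key = (net.prefixlen, action == "direct")
                if best_key is None or key > best_key:
                    best_key, best_action = key, action
    return best_action

# Hosts from the walkthrough; port 8000 for the netcat listener is constructed.
FLOWS = [("192.168.0.67", 22), ("192.168.0.67", 80), ("10.10.10.11", 8000)]

def classify(includes, excludes, flows=FLOWS):
    """Map each (ip, port) flow to 'tunnel' or 'direct'."""
    return {flow: decide(flow[0], flow[1], includes, excludes) for flow in flows}

if __name__ == "__main__":
    for label, excl in (("0/0", []), ("0/0 -x 192.168.0.67:22", ["192.168.0.67:22"])):
        print(label)
        for (ip, port), action in classify(["0/0"], excl).items():
            print(f"  {ip}:{port:<5} -> {action}")
```

Flows classed as tunnel are the ones that leave Kali only inside the SSH session to 192.168.0.67, which matches the capture above showing no packets addressed to 10.10.10.11.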
