search

Sshutle

Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

Source: https://github.com/sshuttle/sshuttlearrow-up-right

Source 2: https://sshuttle.readthedocs.io/en/stable/how-it-works.htmlarrow-up-right

hashtag
When to use sshutle?

Imagine this scenario:

Diagram of the Scenario

  • A machine can connect to B

  • B machine can connect to C

  • C can't connect directly to A

  • So, in this case, we can use sshutle from C to B proxying the access

  • After that, we can access A directly from C

hashtag
Prerequisites

  • We don't need to set up sshutle on the target, just on the attacker/Kali

  • requirements: python +3.8

hashtag
Basic Usage

  • We can choose which subnet we want to proxy

  • Using 0.0.0.0/0 (or 0/0) proxies everything

"One some systems, you may also need to use the sshuttle -xarrow-up-right parameter to exclude sshserver or sshserver:22 so that your local machine can communicate directly to sshserver without it being redirected by sshuttle".

hashtag

hashtag
Tunneling + Extracting Files

Here I've opened a netcat on the 3rd machine:

3rd machine ( isolated )

Then I connected from Kali (Attacker) to the Second Machine:

  • The 0/0 means that All subnets available on the 2nd machine will be proxied to us

  • -x means that we don't wanna proxy the IP of the server

Open the sshutle connection
file extracted from the internal machine

Wireshark doesn't even show the access to the 10.10.10.11 machine, cause we're accessing through the sshuttle tunnel from Kali (192.168.0.72) to the 2nd machine (192.168.0.67)

Wireshark Results
PreviousLigolo-ngNextRpivot

Last updated