SSH, Nmap, and Proxychains

This post demonstrates how to use SSH to create a tunnel to proxy a scan through a host into an internal network.

Let’s say you discover SSH credentials to an internal system and you gain access as a non-privileged user via SSH.


Eventually I’ll want to scan the internal network to see what else is there, but the target machine does not have any scanning tools installed. However, since I have SSH credentials, I can create an SSH tunnel and proxy a scan through the tunnel.

I’ll use the command:

ssh username@192.168.217.144 -D 9050 -N -f

This starts a SOCKS proxy listening on port 9050 of my local host; anything I connect to that port is carried through the SSH session to the target machine, 192.168.217.144, and out into its network. The -N and -f flags indicate that I do not want to run a remote command and want ssh to fork into the background. I chose port 9050 because it is the default port for the proxychains tool, which will be used to proxy an nmap scan through the tunnel into the internal network. You can use other ports; just be sure to edit the bottom of the /etc/proxychains.conf file to read socks4 127.0.0.1 [port].
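The pivot above only works because sshd grants the account TCP forwarding, so from the defender's side that is the setting to audit. The Python below is an added example, not code from the original post: it applies sshd_config precedence rules (a value in a satisfied Match block wins, otherwise the first global value, otherwise the OpenSSH default) to a constructed config and reports whether an ssh -D listener would be honoured for a given account. Assumed: only User and Group Match criteria are modelled, and group membership is passed in rather than looked up.

```python
# Added audit, not from the original post: resolve the effective
# AllowTcpForwarding / PermitOpen for an account using sshd precedence
# (first value in a satisfied Match block, else first global value, else default).
import fnmatch

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}

# Constructed sshd_config: forwarding is on globally, switched off for 'username'.
SAMPLE_CONFIG = """
Port 22
AllowTcpForwarding yes
Match Group ops
    AllowTcpForwarding yes
Match User username
    AllowTcpForwarding no
    PermitOpen none
"""

def _match_satisfied(criteria, user, groups):
    """All User/Group criteria pairs on a Match line must hold ('all' always does)."""
    if criteria == ["all"]:
        return True
    for kind, pattern in zip(criteria[::2], criteria[1::2]):
        names = {"user": [user], "group": list(groups)}.get(kind.lower(), [])
        if not any(fnmatch.fnmatchcase(n, p) for n in names for p in pattern.split(",")):
            return False  # unmodelled criteria (Address, Host, ...) never match here
    return True

def effective_forwarding(config, user, groups=()):
    """Return the values sshd would apply for the keywords in DEFAULTS."""
    global_vals, match_vals = {}, {}
    in_match, active = False, True
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match, active = True, _match_satisfied(value.split(), user, groups)
        elif key in DEFAULTS and active:
            target = match_vals if in_match else global_vals
            target.setdefault(key, value)  # first obtained value wins
    return {k: match_vals.get(k, global_vals.get(k, DEFAULTS[k])) for k in DEFAULTS}

def dynamic_forwarding_allowed(config, user, groups=()):
    """True when an `ssh -D` SOCKS listener would be honoured for this account."""
    eff = effective_forwarding(config, user, groups)
    return eff["allowtcpforwarding"] in ("yes", "local", "all") and eff["permitopen"] != "none"

if __name__ == "__main__":
    for who in ("username", "bob"):
        print(who, effective_forwarding(SAMPLE_CONFIG, who), dynamic_forwarding_allowed(SAMPLE_CONFIG, who))
```

On a live host, `sshd -T -C user=<account>` prints the same effective values straight from the running daemon; this script is for reviewing a config file offline.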

Now that the tunnel is set up I can scan the internal network looking for webservers:

proxychains nmap -n -sT -p 80 192.168.217.0/24

and I get a hit!

Nmap scan report for 192.168.217.132
Host is up (0.00085s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:26:3D:5D (VMware)

Now I have discovered a new host to attack!


Next step: Create an SSH tunnel to proxy my web browser, so I can browse to the internal site…
