Open in app

Sign in

Write

Sign in

SSH tunneling as a VPN alternative full setup

kali null
3 min readJul 16, 2019

It’s not uncommon that VPN connection to our client’s boxes either breaks mid testing or is blocked by some firewall or IDS. SSH tunneling can be used as a back up connection to already existing VPN connection or as a decent lightweight alternative.

Things we’ll need:

  1. AWS instance for pivoting
  2. Target box on the network we are ̶h̶a̶c̶k̶i̶n̶g̶ testing.

First, we need to set up the AWS instance to use as the initial jump box:

  1. Open port 8080 in the security rules
  2. Create new user: adduser revconnect (or whatever user name) and give the user sudo privileges: usermod -aG sudo revconnect
  3. sudo su revconnect
  4. Run ssh-keygen for that user. I’d recommend using non default name for the key to avoid conflicts.
  5. Make sure there is an authorized_keys file in revconnect/.ssh with your keys in it.
  6. Enable GatewayPorts: in /etc/ssh/sshd_configset GatewayPortsto yes

Next, create the script to be executed on the client’s box. The script will be password protected and served to the client at the end. All the client would need to do is to curl the script and pipe it to bash. Lets go:

  1. Create ~/www/provision.sh
  2. In order to build the script we first need to set up a couple variables:

Get base64 of the public key:

PUBLIC_KEY_B64="$(cat /home/revconnect/.ssh/your_key.pub | base64 -w 0)"

echo "PUBLIC_KEY_B64='${PUBLIC_KEY_B64}'"

Encrypt the keys:

cat /home/revconnect/.ssh/your_key | openssl enc -aes-256-cbc -in — -out your_key.enc

Get base64 of that:

B64_KEY="$(cat your_key.enc | base64 -w 0)";

echo "ENCRYPTED_KEY_B64='${B64_KEY}'"

Add the variables to the provision.sh script:

#!/bin/bashset -e;
PUBLIC_KEY_B64=’YOUR PUB KEY’
ENCRYPTED_KEY_B64=’YOUR ENCRYPTED KEY’
LOCAL_USER=”$(whoami)”
AWS_IP=”YOUR AWS IP”;
AWS_USER=”revconnect”;
KEY_PATH=”$HOME/.ssh/${AWS_USER}.pem”;
REV_PORT=”${REV_PORT:-2222}”;

You could totally do without encryption, but we are all about security here😏.

Next, check if .ssh folder exists and create it, if it doesn’t:

#provision.sh cont'd...if [[ ! -d $HOME/.ssh ]]; then
    mkdir $HOME/.ssh;
fi

We then grab the encrypted key we created, decode it on the other end, and change permissions to 400 to protect it against accidental overwriting.

#provision.sh cont'd...echo “$ENCRYPTED_KEY_B64” | base64 -d > ${KEY_PATH}.enc;
openssl enc -aes-256-cbc -d -in ${KEY_PATH}.enc -out $KEY_PATH;
chmod 400 $KEY_PATH;
sleep 1s;

add it to the authorized_keys file

#provision.sh cont'd...
echo “$PUBLIC_KEY_B64” | base64 -d >> $HOME/.ssh/authorized_keys

Next, we want to set up tunnel as systemd service. Inspiration for this part is taken from this gist I found: https://gist.github.com/drmalex07/c0f9304deea566842490

#provision.sh cont'd...SYSTEMD_FILE=$(cat << EOF
[Unit]
Description=Setup a secure tunnel
After=network.target[Service]
ExecStart=/usr/bin/ssh -i $KEY_PATH -NT -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -R 127.0.0.1:%i:127.0.0.1:22 ${AWS_USER}@${AWS_IP}RestartSec=10
Restart=always[Install]
WantedBy=multi-user.target
EOF
)

Lastly, we reload the daemon and start the tunnel:

#provision.sh cont'd...echo “$SYSTEMD_FILE” | sudo tee ‘/etc/systemd/system/sshtunnel@.service’;
sudo systemctl daemon-reload;
sudo systemctl enable sshtunnel@$REV_PORT;
sudo systemctl start sshtunnel@$REV_PORT;

Cool, the script is done. Lets password protect the file:

cat /home/revconnect/.ssh/your_key | openssl enc-aes-256-cbc -in — -outyour_key.enc

and serve the script to the client: cd ~/www && python3 -m http.server 8080

Now we can ask our client to run the script, or you run it on the target box if you have access to it: curl “http://aws_ip:8080/provision.sh” | bash

The script will prompt to enter the password you created for provision.sh

Once the client (or you) ran the script and the tunnel is created, you can ssh into the AWS instance, then run ssh -p 2222 root@localhost

Done! If you get permission denied error, your keys probably don’t match. Try to use the same key consistently on your local machine, AWS instance and the target box.

Good luck!

Bitcoin tip jar: bc1qgpl6lhf09j6kcdvkh8cz90p4cfxuyfec3ecjrd

Ethereum tip jar: 0x7e0Bf6D50b5F5fcbf76A16Bd5285CE0c74C063a9

Security
Pentesting
Ssh
Cybersecurity
VPN

--

--

kali null

Written by kali null

294 Followers

security researcher and penetration tester. twitter: @kali_null

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams