Remote SSH Tunneling with Plink.exe

U.Y.
5 min read · Jul 24, 2020


We will demonstrate how to create a remote SSH tunnel between a Windows machine hosting a blocked service and a Linux machine (a Kali machine). For definitions of SSH tunneling and of the difference between remote and local SSH tunneling (also called SSH port forwarding), please search the web (I recommend https://www.ssh.com/).

Starting with Kali Machine:

Let’s first check the initial state by dumping sockets with ss and grepping for sshd, to see whether an sshd service is already running.

Command: kali@kali:~$ sudo ss -antlp | grep sshd

I had no output, which means that sshd is not active.

So, let’s start it:

Command: kali@kali:~$ sudo service ssh start

Now check again with the ss tool to see the difference.

Running the following command shows us that sshd is active and running:

Command: kali@kali:~$ sudo ss -antlp | grep sshd

Console output:

Checking if sshd is active

Now, we have an active sshd running and can start playing with plink.exe on our Windows Machine.

Downloading plink.exe:

Assuming that we don’t have plink.exe on our Windows Machine, let’s browse to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html and download the file:

Main website for downloading plink.exe

There are two binaries available, 32-bit and 64-bit, as you would guess (there are also ARM executables for Windows further down the page).

Let’s check whether our Windows machine is 32-bit or 64-bit.

We use the following command:

Command: C:\>wmic os get osarchitecture

Console output:

Getting OS Architecture using wmic

Holy Cow! I have 32-bit OS architecture.

After getting the architecture information, download the 32-bit or 64-bit build of plink.exe (which build you need has nothing to do with what we are going to do here; we just want the executable that matches the OS).

For our demonstration, let’s start a web server at <IP_ADDRESS>:8090 (I had an Apache server, but you may also use a Python-based simple HTTP server, or a similar one). It is initially reachable on port 8090.

Then block port 8090 for our exercise by opening a Command Prompt (Run as Administrator) and entering the related firewall command:

C:\Windows\system32>netsh advfirewall firewall add rule name="BlockSecretServerPort" protocol=TCP dir=in localport=8090 action=block

Blocking a port (inbound)

Let’s check whether the block really succeeded or the command prompt lied to us:

Use the following command and scroll to find your new rule:
C:\Windows\system32>netsh firewall show config

Firewall Config Snippet showing our 8090 port is blocked

Wow! We could block it for inbound traffic. That means we can no longer browse to 192.168.0.10:8090.

To test this, we go back to our Kali machine and try to reach the same IP and port. We get the following timeout message when we try.

Port 8090 is now for sure blocked.

We are now ready to begin playing with plink.exe.

What we need in this scenario is a remote SSH tunnel so that the Kali machine can reach our HTTP server on port 8090.

We have the SSH server running on the Kali side, and we initiate the tunnel from the client side (the Windows machine):

Command: C:\>plink32.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:8090 <MYIP>

Important notes about the above command:
1. We run this command on the machine where we blocked the server (i.e. the Windows machine); it opens the remote SSH tunnel.

2. All placeholders above starting with “MY” (e.g. MYUSERNAME) refer to your development PC (the PC from which we used the browser to check the connection before blocking the port, i.e. the Kali machine).

3. You can choose any port on the SSH server side (the Kali machine), but the port you tunnel on your side must be the port you want to make reachable from the Kali side (in this case 8090, the HTTP server’s port).

For example, let’s assume:
My IP: 192.168.0.3
My Username: kali
My Password: Password01
My Port: 8483 (this can be any available port you choose; I just selected 8483)

Then we need the following command:

plink.exe -ssh -l kali -pw Password01 -N -R 192.168.0.3:8483:127.0.0.1:8090 192.168.0.3

Here is the console output in my case:

Remote SSH Tunneling using plink.exe

When you run the command for the first time, you will be prompted whether to store the host key in the cache. The key is then stored under “HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys” for future connections, and trust to the Kali machine is established. You will not be asked again until you remove this key from the registry.

We included the -N option to tell plink that we don’t want a shell started. If you want a shell after the tunnel is established, remove the -N option.
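To make the three notes above concrete, here is an added Python example (mine, not code from the article or from PuTTY) that parses a plink command line such as the one above, the way a defender would see it in a process-creation log, and explains what each -R or -L does: who connects to which SSH server, whether a shell is requested, where the listener is opened and where the traffic ends up. The sample command line is constructed from the article’s values with the password redacted. The GatewayPorts remark in the findings describes OpenSSH’s server behaviour (a non-loopback bind address in -R is honoured only when GatewayPorts is set to yes) and is my addition, not a statement from the article.

```python
import shlex
from ipaddress import ip_address

# Constructed sample, not captured from the article: the walkthrough's plink
# command as it would appear in a process-creation record, password redacted.
SAMPLE_CMDLINE = ("plink.exe -ssh -l kali -pw <redacted> -N "
                  "-R 192.168.0.3:8483:127.0.0.1:8090 192.168.0.3")


def _is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'; other hostnames count as non-loopback."""
    if host in (None, "localhost"):
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_forward_spec(spec):
    """Parse a -R/-L value of the form [bind_addr:]listen_port:dest_host:dest_port."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind_addr, (listen_port, dest_host, dest_port) = None, parts
    elif len(parts) == 4:
        bind_addr, listen_port, dest_host, dest_port = parts
    else:
        raise ValueError(f"unrecognised forward spec: {spec!r}")
    return {"bind_addr": bind_addr, "listen_port": int(listen_port),
            "dest_host": dest_host, "dest_port": int(dest_port)}


def analyse_plink_cmdline(cmdline):
    """Describe a plink command line: user, SSH server, shell or not, and each forward."""
    argv = shlex.split(cmdline)
    result = {"user": None, "server": None, "no_shell": False,
              "forwards": [], "findings": []}
    i = 1  # argv[0] is plink.exe itself
    while i < len(argv):
        tok = argv[i]
        if tok in ("-R", "-L"):
            fwd = parse_forward_spec(argv[i + 1])
            fwd["direction"] = "remote" if tok == "-R" else "local"
            result["forwards"].append(fwd)
            i += 2
        elif tok == "-l":
            result["user"] = argv[i + 1]
            i += 2
        elif tok == "-pw":
            result["findings"].append(
                "password passed with -pw is visible on the command line to "
                "anyone who can read the process list or command-line logs")
            i += 2
        elif tok == "-P":  # explicit SSH port; its value follows
            i += 2
        elif tok == "-N":
            result["no_shell"] = True
            i += 1
        elif tok.startswith("-"):  # other flags such as -ssh take no value
            i += 1
        else:  # the remaining positional argument is the SSH server
            result["server"] = tok
            i += 1

    for fwd in result["forwards"]:
        dest = f"{fwd['dest_host']}:{fwd['dest_port']}"
        if fwd["direction"] == "remote":
            bind = fwd["bind_addr"] or "loopback"
            result["findings"].append(
                f"remote forward: the SSH server opens a listener on {bind}:{fwd['listen_port']} "
                f"and relays it through the tunnel to {dest} as seen from this client")
            if not _is_loopback(fwd["bind_addr"]):
                result["findings"].append(
                    f"bind address {fwd['bind_addr']} is not loopback: OpenSSH honours it "
                    "only with GatewayPorts yes, which exposes the forwarded service to "
                    "every host that can reach the SSH server")
            if _is_loopback(fwd["dest_host"]):
                result["findings"].append(
                    f"destination {dest} is local to this client, so a service that is not "
                    "reachable from the network (here, one behind an inbound firewall block) "
                    "becomes reachable via the SSH server")
        else:
            result["findings"].append(
                f"local forward: this client listens on port {fwd['listen_port']} and "
                f"relays to {dest} as seen from the SSH server")
    return result


if __name__ == "__main__":
    report = analyse_plink_cmdline(SAMPLE_CMDLINE)
    print(f"{report['user']}@{report['server']} no_shell={report['no_shell']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run on the article’s command, the report names kali@192.168.0.3, flags that no shell is requested, and explains that the Kali side gets a listener on port 8483 that ends at 127.0.0.1:8090 on the Windows side. The -pw finding is the reason a defender looks for this pattern in command-line logging: the password is part of the logged command line.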

After the session is started, we try again and are now able to reach our hidden and BLOCKED page.

IMPORTANT: Don’t forget to use 127.0.0.1 (or the Kali machine’s IP) as the address to reach your target. If you insist on using the Windows machine’s IP (192.168.0.10), you will not be going through the SSH tunnel session you just created.

Successful SSH Remote Tunnel Session
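On the Kali side, the same `sudo ss -antlp | grep sshd` check from the start of the article now also shows the tunnel endpoint, because sshd itself holds the listener for port 8483. The following added Python example (mine, not from the article) parses a constructed ss listing and reports every sshd-owned listener other than the SSH port, flagging the ones bound to a non-loopback address. It is a quick way for the administrator of an SSH server to see which remote forwards connected clients have opened and whether any of them is reachable from other hosts.

```python
import re
from ipaddress import ip_address

# Constructed sample, not captured from the article: `sudo ss -antlp` on the SSH
# server after a client has opened two remote forwards (ports 8483 and 9000).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port   Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=1234,fd=3))
LISTEN  0       128     [::]:22              [::]:*              users:(("sshd",pid=1234,fd=4))
LISTEN  0       128     127.0.0.1:8483       0.0.0.0:*           users:(("sshd",pid=2345,fd=9))
LISTEN  0       128     0.0.0.0:9000         0.0.0.0:*           users:(("sshd",pid=3456,fd=9))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*           users:(("apache2",pid=777,fd=4))
ESTAB   0       0       192.168.0.3:22       192.168.0.10:51522  users:(("sshd",pid=2345,fd=5))
"""

# One ss row: state, recv-q, send-q, local, peer, process column.
# The header row has no numeric queue columns, so it does not match and is skipped.
SS_ROW = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+(?P<proc>.*)$")
PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def _is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'; wildcard or other hosts are not."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def split_local(addr):
    """'127.0.0.1:8483' -> ('127.0.0.1', 8483); '[::]:22' -> ('::', 22)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def sshd_tunnel_listeners(ss_output, ssh_port=22):
    """Return sshd-owned LISTEN sockets other than the SSH port itself.

    Each of these is the server-side end of a client-requested remote forward
    (the -R listener); 'exposed' is True when it is not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        row = SS_ROW.match(line)
        if not row or row.group("state") != "LISTEN":
            continue
        proc = PROC.search(row.group("proc"))
        if not proc or proc.group("name") != "sshd":
            continue
        host, port = split_local(row.group("local"))
        if port == ssh_port:
            continue
        found.append({"addr": host, "port": port, "pid": int(proc.group("pid")),
                      "exposed": not _is_loopback(host)})
    return found


if __name__ == "__main__":
    for entry in sshd_tunnel_listeners(SAMPLE_SS):
        scope = "reachable from other hosts" if entry["exposed"] else "loopback only"
        print(f"sshd pid {entry['pid']} listens on {entry['addr']}:{entry['port']} ({scope})")
```

On the constructed listing this reports the article’s port 8483 as loopback-only (the default when the server does not enable GatewayPorts) and the second forward on 0.0.0.0:9000 as exposed. The pid in each row is the per-session sshd child, so it can be matched against the ESTAB row to see which client opened that forward.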

Lastly, you can run plink.exe without arguments at the command prompt to see what other options are available. I hope this exercise was useful and you can easily use it whenever needed.
