Tunneling for Anonymity
7.2. Tunneling for Anonymity
The most effective way to achieve anonymity while conducting a penetration test is to protect your traffic either an entity or, proxy with secure protocols and encryption. This will create a secure tunnel between you and the proxy system (or entity), that cannot be easily read.
While there are many types of encrypted tunneling technologies, there are specifically 2 effective types for anonymity: SSH and IPSEC VPNs
SSH encryption offers more secure privacy and security protection than an anonymous proxy server alone.
SSH encrypts all communications to and from the client and server. This is achieved by activating a forwarder and a listener to both send and receive the traffic.
By using port forwarding, more commonly called SSH Tunneling, it will create a secure connection between the local and the remote machines therefore, establishing a tunnel by which we can send unencrypted traffic securely.
Although there are different types of [port forwarding][https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding] (local, remote, dynamic), we will use the most common, local port forwarding
With this type of configuration, we will forward a local port on our computer in order to let the traffic pass through an SSH connection.
Suppose we want to access a machine via telnet (homepc on port 23), but we are attached to either a network that we do not trust, or that simply blocks telnet traffic.
We can tunnel our telnet traffic through SSH as follows:
The syntax of the command to run the SSH tunnel is very simple
The LOCAL PORT TO LISTEN ON is the port that will be open for connection to the remote machine (homepc) on the remote post (23). At the end of the command, we specify the SSH server on which tunnel the communication.
In our previous example, we wanted to tunnel the telnet traffic from our local port 3000, to port 23 of our remote machine called homepc. The traffic will pass through our SSH server that is listening on sshserver.com
The command start the tunnel will look like this: ssh -L 3000:homepc:23 root@mybox
Once the tunnel is up and running, we will have the local port 3000 listening on our machine. We can now establish the real connection to the homepc telnet server with the following command: telnet 127.0.0.1:3000
The traffic will automatically go through the SSH tunnel, and it will be also encrypted.
Let us use another example in order to completely understand how SSH tunneling and local port forwarding works.
In this scenario we have 2 machines in the same network:
Our machine with IP 192.168.231.134
SSH server machine with IP 192.168.231.135
As we can see in the following screenshot, the SSH server machine also offers a MySQL server, but it is configured to accept only local connections (127.0.0.1)
Since we cannot establish a connection with the MySQL server from our client machine, we can use SSH tunnel to forward the connection from our machine.
To do this we will issue the following command:
The command creates a tunnel from our local port 3000, to the localhost address on the SSH server, on port 3306 (default MySQL port).
Once we issue the command, our machine will listen for incoming connection on port 3000. Every connection will then be forwarded to the SSH server localhost:3306.
Indeed, if we run mysql on our local port, we will connect to the MySQL server running on the remote host: ``` stduser@els:~$ mysql -h 127.0.0.1 -P 3000 -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 17 Server version:5.5.5-10.1.10-MariaDB mariadb.org binary distribution
Last updated