# Tunneling for Anonymity

### 7.2. Tunneling for Anonymity

The most effective way to achieve anonymity while conducting a penetration test is to protect your traffic to an intermediary entity, or proxy, with secure protocols and encryption. This creates a secure tunnel between you and the proxy system (or entity) whose contents cannot be easily read.

While there are many types of encrypted tunneling technologies, two are particularly effective for anonymity: SSH and IPsec VPNs.

SSH encryption offers stronger privacy and security protection than an anonymous proxy server alone.

SSH encrypts all communications between the client and the server. This is achieved by activating a forwarder and a listener to both send and receive the traffic.

Port forwarding, more commonly called **SSH Tunneling**, creates a secure connection between the local and the remote machines, establishing a tunnel through which we can send otherwise unencrypted traffic securely.

Although there are different types of [port forwarding](https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding) (local, remote, dynamic), we will use the most common, **local port forwarding**.

With this type of configuration, we forward a local port on our computer so that its traffic passes through the SSH connection.

Suppose we want to access a machine via telnet (*homepc* on port 23), but we are attached to either a network that we do not trust, or that simply blocks telnet traffic.

We can tunnel our telnet traffic through SSH as follows:

```
                                                        homepc:23
                                                            |
                              Internet                      |
                     ----------------------------       Unencrypted
                     |   ____________________   |           |
LocalPort:3000----------|-----SSH Tunnel-----|----------SSH Server
                     |  |____________________|  |     sshserver.com
                     ----------------------------    
```

The syntax of the command to run the SSH tunnel is very simple:

```
ssh -L [LOCAL PORT TO LISTEN ON]:[REMOTE MACHINE]:[REMOTE PORT] [USERNAME]@[SSHSERVER]
```

The `LOCAL PORT TO LISTEN ON` is the port that will be opened locally for connections to the *remote machine* (*homepc*) on the *remote port* (23). At the end of the command, we specify the *SSH server* through which the communication is tunneled.

In our previous example, we wanted to tunnel the telnet traffic from our local port 3000 to port 23 of our remote machine called *homepc*. The traffic will pass through our SSH server that is listening on *sshserver.com*.

The command to start the tunnel will look like this: `ssh -L 3000:homepc:23 root@mybox`

Once the tunnel is up and running, we will have the local port 3000 listening on our machine. We can now establish the real connection to the *homepc* telnet server with the following command: `telnet 127.0.0.1 3000`

The traffic will automatically go through the SSH tunnel and will be encrypted between our machine and the SSH server; as the diagram shows, the last hop from the SSH server to *homepc* is still plain telnet.
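
To make the listener/forwarder mechanism concrete, here is an added example in Python (not code from the course notes): a minimal local port relay that does what the client side of `ssh -L` does, namely bind a port on 127.0.0.1 and hand every accepted connection on to a remote host and port. It stands in for the ssh client only; the relayed bytes are not encrypted here, whereas ssh carries them inside its encrypted channel to the SSH server. The function names (`start_forwarder`, `start_echo_server`, `round_trip`), the in-process echo server standing in for the remote service, and the payload are all constructed for the demo, and `bind_address` defaults to loopback, as ssh does, so that nobody else on the network can ride the relay.

```python
import socket
import threading

# Added example (not from the course notes): a plain TCP relay mirroring the
# client side of `ssh -L LOCAL_PORT:REMOTE_HOST:REMOTE_PORT`. Real ssh pushes
# the relayed bytes through its encrypted channel to the SSH server; this relay
# is unencrypted and only demonstrates the listener/forwarder mechanics.


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, remote_host, remote_port):
    """Open the onward connection and pump both directions until both close."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()  # remote side unreachable: drop the client, as ssh would
        return
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()


def start_forwarder(local_port, remote_host, remote_port, bind_address="127.0.0.1"):
    """Listen on bind_address:local_port; relay every connection to the remote.

    bind_address defaults to loopback, matching ssh's default, so hosts on the
    network cannot use the tunnel. Returns the listening socket: getsockname()
    gives the bound port (useful when local_port is 0) and close() stops it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_address, local_port))
    listener.listen(8)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=_relay, args=(client, remote_host, remote_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_echo_server():
    """Constructed stand-in for the remote service (homepc:23 in the notes)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            # echo everything back, then close once the peer half-closes
            threading.Thread(target=lambda c=conn: (_pump(c, c), c.close()),
                             daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload=b"hello through the tunnel\n"):
    """Send payload to the echo server via the forwarder; return what comes back."""
    echo = start_echo_server()
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.getsockname()[1]), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal EOF so the echo side closes too
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(round_trip())  # -> b'hello through the tunnel\n'
```

The relay half-closes each side when the other reaches EOF, which is what lets a `telnet`-style session end cleanly through the forwarder instead of hanging; ssh does the same bookkeeping per forwarded channel.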

Let us use another example to fully understand how SSH tunneling and local port forwarding work.

In this scenario we have 2 machines in the same network:

* Our machine with IP *192.168.231.134*
* SSH server machine with IP *192.168.231.135*

As we can see in the following screenshot, the SSH server machine also offers a MySQL server, but it is configured to accept only local connections (*127.0.0.1*).

Since we cannot connect to the MySQL server directly from our client machine, we can use an SSH tunnel to forward the connection from our machine.

To do this we will issue the following command:

```
ssh -L 3000:localhost:3306 els@192.168.231.135
```

The command creates a tunnel from our local port 3000 to the localhost address on the SSH server, on port 3306 (the default MySQL port).

Once we issue the command, our machine will listen for incoming connections on port 3000. Every connection will then be forwarded to localhost:3306 on the SSH server.

Indeed, if we run `mysql` against our local port, we will connect to the MySQL server running on the remote host:

```
stduser@els:~$ mysql -h 127.0.0.1 -P 3000 -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 5.5.5-10.1.10-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2015, Oracle and/or its affiliates.
```
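
The listening side of `-L` is the part that is easy to get wrong in practice: by default ssh binds the local port to the loopback interface only, but an explicit bind address of `*`, an empty bind address (`-L :3000:...`), the `-g` switch, or `GatewayPorts yes` makes the forwarded port reachable by any host that can reach our machine, which turns a private tunnel to MySQL into a network-wide one. The following Python helper is an added example, not code from the course notes: it parses the `[bind_address:]port:host:hostport` form used in both commands above and reports where each listener will be reachable from, so an ssh command line found in shell history or `ps` output can be checked. The function names are my own; the command lines used for illustration are the ones from this page.

```python
import re
import shlex

# Added audit helper (not from the course notes): parse the -L options on an
# ssh command line and report where each local listener will be reachable
# from, following the bind-address rules documented in ssh(1).

# [bind_address:]port:host:hostport. The bind part is optional and matched
# lazily so "3000:192.168.1.5:23" reads as port/host/hostport rather than as a
# bind address of 3000. IPv6 addresses may be written in square brackets.
_SPEC_RE = re.compile(
    r"^(?:(\[[^\]]*\]|[^:\[\]]*):)??(\d+):(\[[^\]]*\]|[^:\[\]]+):(\d+)$"
)

# ssh single-letter switches that take no argument and may be clustered,
# as in `-fNg`; used to spot -g inside such a cluster.
_NO_ARG_FLAGS = set("46AaCfGgKkMNnqsTtVvXxYy")


def parse_local_forward(spec):
    """Return dict(bind_address, port, host, hostport) for a TCP -L spec.

    bind_address is None when the spec omits it (ssh then falls back to its
    GatewayPorts default). Unix-socket forwarding forms raise ValueError.
    """
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported -L specification: {spec!r}")
    bind, port, host, hostport = m.groups()

    def unbracket(s):
        return s[1:-1] if s.startswith("[") and s.endswith("]") else s

    return {
        "bind_address": None if bind is None else unbracket(bind),
        "port": int(port),
        "host": unbracket(host),
        "hostport": int(hostport),
    }


def listener_scope(bind_address, gateway_ports=False):
    """Classify who can reach the local end of the tunnel.

    'loopback'        only this machine (ssh's default)
    'all-interfaces'  any host that can reach this machine
    'address:<addr>'  only via that specific local address
    """
    if bind_address is None:
        return "all-interfaces" if gateway_ports else "loopback"
    if bind_address in ("", "*"):
        return "all-interfaces"
    if bind_address in ("localhost", "127.0.0.1", "::1"):
        return "loopback"
    return f"address:{bind_address}"


def audit_ssh_command(cmdline):
    """Return [(spec, scope), ...] for every -L on an ssh command line."""
    argv = shlex.split(cmdline)
    gateway = False
    specs = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-L" and i + 1 < len(argv):
            specs.append(argv[i + 1])
            i += 2
            continue
        if tok.startswith("-L") and len(tok) > 2:  # attached form: -L3000:host:23
            specs.append(tok[2:])
        elif tok == "-o" and i + 1 < len(argv):
            # -o "GatewayPorts yes" or -o GatewayPorts=yes
            if re.fullmatch(r"GatewayPorts\s*=?\s*yes", argv[i + 1], re.IGNORECASE):
                gateway = True
            i += 2
            continue
        elif tok.startswith("-") and tok[1:] and all(c in _NO_ARG_FLAGS for c in tok[1:]):
            if "g" in tok[1:]:  # -g alone or inside a cluster such as -fNg
                gateway = True
        i += 1
    return [(spec, listener_scope(parse_local_forward(spec)["bind_address"], gateway))
            for spec in specs]


if __name__ == "__main__":
    for line in ("ssh -L 3000:localhost:3306 els@192.168.231.135",
                 "ssh -fNg -L 3000:homepc:23 root@mybox"):
        print(line, "->", audit_ssh_command(line))
```

Any result other than `loopback` deserves a second look: on the MySQL scenario above it would mean every host on the 192.168.231.0 segment could reach the server's `localhost:3306` through our port 3000, with our SSH credentials doing the authentication.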
