#!/bin/bash
#Author: Ellery Weber
#Modified by Zach Johnson
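#######################################
# Print the help text and exit with status 1.
# The text goes to stderr so it never mixes with tunnel output on stdout.
# Globals:   none
# Arguments: none ($0 is expanded for the usage line)
# Outputs:   help text on stderr
# Returns:   never returns; exits 1
#######################################
usage() {
  # A quoted heredoc body is not needed: only $0 is meant to expand, and the
  # literal "rogue device" quotes survive (the old echo -e lost them because
  # the inner double quotes terminated the string).
  cat >&2 <<EOF
This script sets up SSH tunnels that are useful during internal penetration testing engagements in which a remote "rogue device" is placed inside the target network and the tester needs to access services on the remote host and/or use proxychains to pivot through the remote host to access other hosts in the target network.

Usage: $0 hostname.domain.com [-U <remote_user>] [-O <remote_outbound_via_local_socks_port>] [-I <local_into_remote_network_via_local_socks_port>] [-N <nessus_port>] [-R <remote_into_local_port>]

The remote hostname must be the first argument, followed by optional arguments in any order.
Default options are:
 -U <remote_user>: Remote SSH username (default: root)
 -O <remote_outbound_via_local_socks_port>: REMOTE outbound traffic THROUGH LOCAL SOCKS proxy port (default: 9050)
 -I <local_into_remote_network_via_local_socks_port>: LOCAL proxy port to access REMOTE network (default: 9999)
 -N <nessus_port>: Local port to access remote Nessus (default: 8834)
 -R <remote_into_local_port>: Port for REMOTE to access a specific LOCAL service via 1 to 1 port tunnel, such as a python web server hosted on LOCAL (default: 8000)
EOF
  exit 1
}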
# Tunable defaults.  Each one can be overridden by the matching getopts flag
# parsed further down; all of them are plain globals read by the ssh lines.
O_PORT=9050   # -O: local SOCKS port that the remote host is handed via a reverse tunnel
I_PORT=9999   # -I: local SOCKS port that leads into the remote network
N_PORT=8834   # -N: local port mapped onto the remote Nessus listener
R_PORT=8000   # -R: 1:1 port offered to the remote host (its ssh line is currently commented out)
R_USER=root   # -U: SSH account used on the remote host
# The remote host must be the first positional argument.  Anything that is
# missing or looks like a flag is rejected before getopts runs, so a user who
# forgot the hostname does not have it silently swallowed as an option value.
if [[ -z "$1" || "$1" == -* ]]; then
  echo "Error: Hostname is required as the first argument."
  usage
fi
R_HOST=$1
shift   # leave only the optional flags for getopts
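# Parse optional arguments

#######################################
# Reject a flag value that is not a TCP port number before it reaches an
# ssh command line.  Prints a diagnostic and falls through to usage().
# Arguments: $1 - flag letter (for the message), $2 - value to check
# Outputs:   error text on stderr when the value is rejected
# Returns:   0 when the value is a port in 1-65535; otherwise exits via usage
#######################################
require_port() {
  local flag=$1 value=$2
  # The regex runs first so that (( )) never sees a non-numeric string;
  # 10# forces decimal so values such as "08" are not parsed as octal.
  if [[ ! "$value" =~ ^[0-9]+$ ]] || (( 10#$value < 1 || 10#$value > 65535 )); then
    printf 'Error: -%s expects a TCP port (1-65535), got "%s".\n' "$flag" "$value" >&2
    usage
  fi
}

#######################################
# Parse the flags that follow the hostname.
# Globals:   writes O_PORT, I_PORT, N_PORT, R_PORT, R_USER
# Arguments: the remaining command line ("$@" after the hostname was shifted)
# Returns:   0; unknown flags or missing values exit via usage()
#######################################
parse_options() {
  local opt
  local OPTIND=1   # getopts state is global; reset so the function is re-entrant
  while getopts "O:I:N:R:U:" opt; do
    case "$opt" in
      O) require_port O "$OPTARG"; O_PORT=$OPTARG ;;
      I) require_port I "$OPTARG"; I_PORT=$OPTARG ;;
      N) require_port N "$OPTARG"; N_PORT=$OPTARG ;;
      R) require_port R "$OPTARG"; R_PORT=$OPTARG ;;
      U) R_USER=$OPTARG ;;
      *) usage ;;
    esac
  done
}
parse_options "$@"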
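#######################################
# Run a command and abort the whole script if it fails.
# Arguments: the command and its arguments, passed as separate words
# Outputs:   whatever the command prints; the failure notice goes to stderr
# Returns:   0 when the command succeeds; otherwise exits 1
#######################################
run_ssh_command() {
  # Testing the command directly avoids the $? race of the old
  # "$@"; if [ $? -ne 0 ] form, where any command in between would
  # have clobbered the status.
  if ! "$@"; then
    # "$*" joins the words into one string; "$@" inside echo only worked by
    # accident of word joining.
    printf 'Error: Command failed - %s\n' "$*" >&2
    exit 1
  fi
}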
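# Run the SSH commands with error checking.
# Every tunnel is detached (-f) with no remote command (-N).  Without
# ExitOnForwardFailure, ssh still backgrounds and returns 0 when a requested
# forward cannot be bound (e.g. the port is already in use), so
# run_ssh_command would never notice; with it, a failed forward is fatal.
SSH_OPTS=(-o ExitOnForwardFailure=yes)
echo -e "\n\n***Prepare to paste the SSH account and/or key password multiple times***"
# Allow the remote host to proxychains through localhost: first a SOCKS
# listener on the local machine, then a reverse forward so the remote host
# reaches it on its own loopback at the same port number.
# NOTE(review): this first hop logs in as root@127.0.0.1 on the LOCAL machine
# (it needs local root SSH login to be permitted), unlike the later hops,
# which use R_USER — confirm that is intended.
echo -e "\nCreating SSH tunnel to allow proxychains out of the client network through localhost:"
run_ssh_command ssh "${SSH_OPTS[@]}" -fND "$O_PORT" root@127.0.0.1
run_ssh_command ssh "${SSH_OPTS[@]}" -fNR "$O_PORT:localhost:$O_PORT" "$R_USER@$R_HOST"
# Allow proxychains to access the remote host.  -D and -L listeners bind to
# loopback unless a bind address (or -g) is given, so they are not reachable
# from other hosts by default.
echo -e "\nCreating SSH tunnel to allow proxychains to access the remote network:"
run_ssh_command ssh "${SSH_OPTS[@]}" -fND "$I_PORT" "$R_USER@$R_HOST"
# Map the remote nessus port to the same local port number
echo -e "\nCreating SSH tunnel to map remote nessus port to local port:"
run_ssh_command ssh "${SSH_OPTS[@]}" -fNL "$N_PORT:127.0.0.1:$N_PORT" "$R_USER@$R_HOST"
# This can be used if you need to let the remote host access a local service.
# As this is not a common use case, it is left commented out, as in the
# original.  The -R spec must be port:host:hostport; the earlier form
# "127.0.0.1:$R_PORT" was missing the host:hostport part.
#run_ssh_command ssh "${SSH_OPTS[@]}" -fNR "$R_PORT:127.0.0.1:$R_PORT" "$R_USER@$R_HOST"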