Categories

Archives

Kali Linux, Penetration Testing

Bypass SSH Restriction by Port Relay

Today we are going to access the ssh port which is blocked by the firewall and is forwarded to another port through Port relay tool. Netcat relay is quite a useful tool to connect with any remote system by evading the firewall restriction.

Attacker: Kali Linux (IP: 192.168.1.2)

Victim: Ubuntu Server (IP: 192.168.1.7)

Connect to SSH via port 22

Lets first try to get the normal SSH shell.  As you can see in the given screenshot we successfully get the ssh shell on the port 22 of the Server 192.168.1.7.

ssh pavan@192.168.1.7

Block Port 22 for Incoming TCP Packet

Now let’s block SSH service Port 22 for Incoming TCP Packet using Iptables. Here we are making an inbound rule to block the TCP packets on the port 22 if the packet source is Kali (192.168.1.2)

iptables -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j DROP

After Blocking the port let’s try to get a shell. From given below image you can observe that we got a Connection Time Out Error as the packets are dropped by the firewall.

Allow TCP Packets on another port

Now let’s make a rule in the firewall to accept the TCP packets on the port 4444 if the packet source is Kali (192.168.1.2).

iptables –I INPUT 1 –s 192.168.1.2 –p tcp --dport 4444 –j ACCEPT

Check Netcat communication between Attacker and Client

Let’s check if we can get a netcat session on the port 4444 to the Kali (192.168.1.2).

nc –v –l –p 4444

nc 192.168.1.7 4444

As you can see in the given Image that we have received a netcat session on the port 4444 from SSH server on the Kali (192.168.1.2).

Use Netcat Relay backpipe to access SSH service

Now we will have to make a Relay. But first, let’s understand, what the commands depicted below do?

The First command makes a special type of file called a FIFO or named pipe. We call it backpipe because it is going to carry our responses back through the relay.

Now the second command makes a netcat listener that is allowed through the firewall. This Netcat listener will connect its standard input (0<) to the backpipe. We then forward the standard output of this Netcat listener to Netcat client, which connects to our localhost (127.0.0.1) on TCP port 22 where sshd listens. We then use the forward pipe (1>) to send data and receive responses simultaneously. We need a back and forward pipe because Netcat provides two-way communication.

mknod /tmp/backpipe p

Here,

[p]: Tells the mknod to create a FIFO

nc –l –p 4444 0</tmp/backpipe | nc localhost 22 1>/tmp/backpipe

Here,

[-l]: Listener

[-p]: Port

Access SSH through Netcat Relay

Now let’s try to connect the ssh connection through the port 4444.

ssh pavan@192.168.1.7 –p 4444

Here,

[-p]: To specify Port

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

3 thoughts on “Bypass SSH Restriction by Port Relay

  1. Hi,

    Im not sure to get this, you are running commands on the victim’s machine in order to gain access to it?

    How are you supposed to run the below commands on the victim if you do not yet have access to it?
    commands:
    mknod /tmp/backpipe p
    nc –l –p 4444 0/tmp/backpipe

    And in the case where you already have access to the victim’s machine, why would you be evading the firewall?

    Im not sure i see the used case, plz explain.

    Thank you

  2. This is an example. We are not sure that our victim have configured hist host like this. The purpose is to find how the admin gain acces and we try to do the same method

  3. For example i have an host with this config :
    23 filtered telnet
    80 filtered http
    443 filtered https
    49153 open unknown

    How can i do to gain acces on this machine ?

Comments are closed.