Dynamic Reverse Tunnels in SSH

ET phone home

Did you know this was a thing you could do with SSH? I certainly didn’t until very recently. That’s because it wasn’t a thing until quite recently…

SSH has long been a tunneling protocol. It’s been easy for years to forward ports out from inside of a network, or from outside in. Not only does SSH allow you to use tunneling to forward a single port. You can also use the tunneling to set up a full on socks proxy when you use “dynamic” mode.

These dynamic tunnels are great for pentesting. Say that you need to get access to the inside of a network. If you can SSH into a host on the network perimeter, you can set up a dynamic tunnel to let you forward your traffic from other tools like Nessus or Burp into the network as part of your inbound connection. But what if you can’t get access to any hosts like this?

In the case where there isn’t any option to SSH into the network from outside, you might still sometimes have the ability to get a host inside the network to make a connection out to you. In this case though, a dynamic tunnel doesn’t help as you would be the one running the SSH server. What you need is a way for the client to let you perform a reverse dynamic tunnel back over their inbound connection to you!

There have been a few ways to do this in the past. Certainly all of them have been multi-step and involved setting up some sort of custom proxy, then having the client forward a “remote” port to a local connection back to the proxy set up on the client machine. However as of OpenSSH version 7.6 (Released late 2017) SSH clients may generate dynamic reverse tunnels accessible to the server they connect to.

What’s really cool is that you don’t need to update your server to version 7.6 before this trick will work. As long as the client supports it, the client enforces it when it completes the connection.

So, the next time you’re working a pivot test, and you need a way to get tools from outside a network in, don’t worry about setting up a host on the perimeter, or a complicated proxying solution. Simply update your ssh client, then phone home.

Example command (-R sets dynamic reverse tunnel):

ssh -i ~/ssh/id_rsa -R 2222 root@myjumpbox

P.S. Literally the greatest thing about this, is that it keeps your customers safe. Many custom proxying solutions are “less secure” to say the least. Using this technique, your reverse tunnels are protected by the encryption and authentication of SSH, which is awesome.

#to check ssh version
ssh -V

About the author

Professional hacker & security engineer. Currently at Google, opinions all my own. On Twitter as @zaeyx. Skydiver, snowboarder, writer, weightlifter, runner, energetic to the point of being a bit crazy.

Leave a Reply

Your email address will not be published. Required fields are marked *