Tunnel traffic through jump host
Tunnel traffic through a compromised jump host to reach otherwise unreachable internal networks or hosts (pivot). As seen in network penetration testing environments.
prerequisite: access via SSH to jump host.
TARGET1 = jump host ; TARGET2 = jump target
Set up an SSH dynamic port forward (SOCKS listener on local port 1080): ssh -D1080 root@<TARGET1/>
Check locally that the dynamic port 1080 is listening: netstat -alnp | grep LISTEN | grep 1080
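The pivot above only works if the jump host's sshd still permits TCP forwarding. As an added example (not part of the original page), the following shell check reads an sshd configuration and reports whether a -D dynamic forward would be accepted; the two configuration files it inspects are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd configuration for
# the directive that makes the "ssh -D" dynamic forward above possible.
# Only the global section is read; sshd uses the FIRST value it finds for a
# keyword, and Match blocks can still override it per user or host.

sshd_directive() {
    # $1 = config file, $2 = keyword (case-insensitive), $3 = default if absent.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ { next }                     # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Keyword=value" form
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

forwarding_allowed() {
    # Prints yes if a local (-L/-D) forward is permitted by the global config.
    # AllowTcpForwarding takes yes, all, no, local or remote; sshd default is yes.
    case "$(sshd_directive "$1" AllowTcpForwarding yes | tr 'A-Z' 'a-z')" in
        yes|all|local) echo yes ;;
        *)             echo no  ;;
    esac
}

# Constructed sample configurations (not taken from any real host).
HARDENED=$(mktemp); DEFAULTS=$(mktemp)
trap 'rm -f "$HARDENED" "$DEFAULTS"' EXIT
cat >"$HARDENED" <<'EOF'
# jump host: forwarding disabled globally, re-enabled for one account only
Port 22
AllowTcpForwarding no
PermitTunnel no
Match User netadmin
    AllowTcpForwarding yes
EOF
cat >"$DEFAULTS" <<'EOF'
# stock config: directive absent, so sshd's default (yes) applies
Port=22
EOF

for f in "$HARDENED" "$DEFAULTS"; do
    echo "$f: AllowTcpForwarding=$(sshd_directive "$f" AllowTcpForwarding yes)" \
         "-> dynamic forward allowed: $(forwarding_allowed "$f")"
done
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script only shows how the global default is resolved.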
ProxyChains
Edit the proxychains configuration file: /etc/proxychains4.conf (default install on Kali)
Ensure the following line is uncommented in the conf file: localnet 127.0.0.0/255.0.0.0
At the end of the conf file, add the SSH tunnel to the ProxyList as: socks5 127.0.0.1 1080
Now we are able to prefix our commands in the terminal with proxychains and have the traffic routed through the jump host.
For example, to port scan a jump target in another network with Nmap: proxychains nmap -sT -sV <TARGET2/>
Note: use a TCP connect scan (-sT) when scanning through proxychains. A SOCKS proxy only relays complete TCP connections, so raw-packet techniques such as SYN scans and ICMP host discovery do not work through the tunnel.
Browser
To configure the web browser (Firefox) to use the jump host tunnel,
Go to Preferences > Network Settings > Connection Settings
Select Manual proxy configuration
In the SOCKS Host field enter 127.0.0.1, in the Port field enter 1080, and make sure SOCKSv5 is selected.
Check: web browser traffic should now be tunneled through the jump host.
Burp Suite
To make an instance of Burp Suite use the dynamic SSH tunnel,
Navigate to the User Options tab.
In the SOCKS Proxy section, check the "Use SOCKS Proxy" checkbox.
Enter 127.0.0.1 and 1080 in the host and port fields.
Check: Burp traffic should now be tunneled through the jump host.