I’ve recently been using sshuttle again, and I wanted to share how easy it is.
sshuttle – Introduction
Per the GitHub repository, sshuttle is a, “Transparent proxy server that works as a poor man’s VPN. Forwards over ssh.”.
This has been a great tool for not only a pseudo-VPN, but also to greatly simplify network pivoting.
First, to install the application, clone the repository.
root@kali:~/tools# git clone https://github.com/sshuttle/sshuttle Cloning into 'sshuttle'... remote: Counting objects: 2612, done. remote: Compressing objects: 100% (8/8), done. remote: Total 2612 (delta 2), reused 4 (delta 2), pack-reused 2602 Receiving objects: 100% (2612/2612), 1.09 MiB | 0 bytes/s, done. Resolving deltas: 100% (1618/1618), done. Checking connectivity... done. root@kali:~/tools# cd sshuttle root@kali:~/tools/sshuttle# ls bandit.yml conftest.py LICENSE README.rst run setup.py tox.ini CHANGES.rst docs MANIFEST.in requirements.txt setup.cfg sshuttle
Next, run the Python setup and allow it to complete.
root@kali:~/tools/sshuttle# python setup.py install running install running bdist_egg running egg_info ... Processing dependencies for sshuttle==0.78.4.dev47+g884bd6d Finished processing dependencies for sshuttle==0.78.4.dev47+g884bd6d
With sshuttle installed, execution is also incredibly simple.
For basic proxy execution, you just need to specify the remote user/server with -r and then the subnet (in this case, 0.0.0.0/0 for all traffic).
root@kali:~/tools/sshuttle# sshuttle -r firstname.lastname@example.org 0/0 The authenticity of host 'doyler.net (220.127.116.11)' can't be established. ECDSA key fingerprint is SHA256:BMLJjcXWsYSzkeBeW17+bWZx9hoa2ylQVpS8NnywqWQ. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'doyler.net,18.104.22.168' (ECDSA) to the list of known hosts. email@example.com's password: client: Connected.
With the client connected, all of our traffic is now being invisibly proxied.
To test this, I just ran a quick HTTP methods check.
root@kali:~/tools/sshuttle# nmap -sT --script http-methods -p 80 -Pn r4y.pw Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2018-03-16 11:33 PDT Nmap scan report for r4y.pw (22.214.171.124) Host is up (0.00051s latency). PORT STATE SERVICE 80/tcp open http | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
As you can see in my access.log, these requests were coming from doyler.net (126.96.36.199) instead of my home IP address.
188.8.131.52 - - [16/Mar/2018:18:34:41 +0000] "OPTIONS / HTTP/1.1" 200 181 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)" 184.108.40.206 - - [16/Mar/2018:18:34:41 +0000] "IRBT / HTTP/1.1" 501 490 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
I also like to include the –dns flag if I’m using it as a VPN, as this forwards all DNS requests to the remote server. This is great to prevent some local network attacks.
For more information about more flags, you can visit the documentation.
Ssshuttle is a great application, and I was glad to see that it got forked and updated from apenwarr’s original version.
I used it a lot in my OSCP labs as well, to make some pivoting exercises a little easier.
For another example of pivoting with it, I recommend the following blog post.