SShuttle

Limitations

• sshuttle only works on Linux targets.

• It also requires access to the compromised server via SSH, and Python also needs to be installed on the server.

• That said, with SSH access, it could theoretically be possible to upload a static copy of Python and work with that.

sudo apt install sshuttle

• The base command for connecting to a server with sshuttle is as follows:

sshuttle -r username@address subnet 

• For example, in our fictional 172.16.0.x network with a compromised server at 172.16.0.5, the command may look something like this:

sshuttle -r [email protected] 172.16.0.0/24

• We would then be asked for the user's password, and the proxy would be established.

• The tool will then just sit passively in the background and forward relevant traffic into the target network.

• Rather than specifying subnets, we could also use the -N option which attempts to determine them automatically based on the compromised server's own routing table:

sshuttle -r username@address -N

• If this has worked, you should see the following line:

c : Connected to server.

Key Authentication

• So, when using key-based authentication, the final command looks something like this:

Errors

• When using sshuttle, you may encounter an error that looks like this:

• This can occur when the compromised machine you're connecting to is part of the subnet you're attempting to gain access to.

• For instance, if we were connecting to 172.16.0.5 and trying to forward 172.16.0.0/24, then we would be including the compromised server inside the newly forwarded subnet, thus disrupting the connection and causing the tool to die.

• To get around this, we tell sshuttle to exclude the compromised server from the subnet range using the -x switch.

• To use our earlier example:

Connect to Target Network Through Pivot Host