Let's say you have 3 hosts in this scenario:
- corp-server
  - a host inside the target network which can reach a public host via ssh
- public-host
  - the hub of the backdoor connections; the targeted corp-server and your home laptop both connect to it. It can even be a desktop in your home, just make sure the firewall/router allows access to ssh. Or you can start up an Amazon EC2 instance for this purpose.
- home-laptop
  - your personal laptop at home (or anywhere else, like an internet cafe) from which you want to have access to corp-server
Punch the hole in the corp network
The main trick is that you punch a hole in the target network by opening an ssh connection from the inside to a publicly available host.
# you do this on corp-server
ssh -i my_key -R 2222:localhost:22 myself@public-host
Note that to be able to connect to public-host:2222 from elsewhere, you need to be root on public-host and make sure that /etc/ssh/sshd_config contains:
...
# No ListenAddress is defined
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
...
# this allows remote hosts to connect to remote-forwarded ports
GatewayPorts yes
If you made changes to sshd_config, you have to restart the ssh daemon:
sudo /etc/init.d/ssh restart
To check that public-host:2222 accepts connections, run netstat:
> netstat -na|grep 22
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
Now you have a socket listening on public-host:2222 which is in reality corp-server:22.
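The netstat check above matches every line containing "22", and a forwarded port bound to 0.0.0.0 means anyone who can reach public-host can also reach corp-server:22. As an added example (not from the original post), here is a small POSIX sh audit that reports which address a remote-forwarded port is bound to and which GatewayPorts value sshd actually uses; the function names and the sample netstat/sshd_config text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit how a remote-forwarded port
# is exposed on public-host. Function and variable names are hypothetical.

# Constructed sample of `netstat -na` output, not captured from a real host.
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:2222    0.0.0.0:*   LISTEN
tcp   0  0 127.0.0.1:2223  0.0.0.0:*   LISTEN
tcp6  0  0 :::22           :::*        LISTEN'

# Constructed sshd_config snippet. sshd uses the FIRST value given for a keyword,
# so the trailing "GatewayPorts no" does not undo the earlier "yes".
SAMPLE_SSHD_CONFIG='# Use these options to restrict which interfaces sshd binds to
#GatewayPorts no
GatewayPorts yes
GatewayPorts no'

# effective_gatewayports CONFIG_TEXT -> first uncommented value, default "no"
effective_gatewayports() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }'
}

# listener_addr NETSTAT_TEXT PORT -> local address of the LISTEN socket on PORT
listener_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $NF == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # drop ":port", keep the address
            p = $4;    sub(/.*:/, "", p)           # keep only the port
            if (p == port) { print addr; exit }
        }'
}

# forward_exposure NETSTAT_TEXT PORT -> none | local | public
# "public" means anyone who can reach public-host on PORT reaches corp-server:22.
forward_exposure() {
    addr=$(listener_addr "$1" "$2")
    case "$addr" in
        "")        echo none ;;
        127.*|::1) echo local ;;    # loopback only: reachable just from public-host itself
        *)         echo public ;;   # 0.0.0.0, :: or a real interface address
    esac
}

echo "GatewayPorts effective value: $(effective_gatewayports "$SAMPLE_SSHD_CONFIG")"
for p in 2222 2223 22; do echo "port $p: $(forward_exposure "$SAMPLE_NETSTAT" "$p")"; done
```

On a real public-host, feed it `netstat -na` (or `ss -ltn`) output and the contents of /etc/ssh/sshd_config instead of the constructed samples.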
Connect to the backdoor
The other part of the trick is to connect to this backdoor from any computer, let's say from your home laptop:
# you do this from home-laptop
ssh -i corp_key -L 8080:corp-confluence:80 -p 2222 corp-user@public-host
Tada! Now if you open a browser at http://localhost:8080 it is equivalent to http://corp-confluence:80.
Playing with ports and hostnames
Now if you want to use the same privileged port (i.e. 80) on your laptop, you will need to do it as root:
# you do this from home-laptop
sudo ssh -i /fullpath/to/corp_key -L 80:corp-confluence:80 -p 2222 corp-user@public-host
Now if you want to use the exact same URL http://corp-confluence at home, all you need is to add this line to your /etc/hosts:
127.0.0.1 corp-confluence
Multiple forwards to the same port?
What if you want to forward several services which use the same port? Let's say you want to be able to use both http://corp-confluence and http://corp-jira at home.
The first trick is to add an alias to the loopback address:
sudo ifconfig lo0 alias 127.0.0.2/32
Now you have 127.0.0.2 in addition to 127.0.0.1. The new ssh line will be:
# you do this from home-laptop
sudo ssh -i /fullpath/to/corp_key -L 127.0.0.1:80:corp-confluence:80 -L 127.0.0.2:80:corp-jira:80 -p 2222 corp-user@public-host
And you need a new line in /etc/hosts as well:
127.0.0.1 corp-confluence
127.0.0.2 corp-jira
Tada! Now you can reach both http://corp-confluence and http://corp-jira from home. All your bookmarks and saved passwords will work just like at work.
Back at work
If you are doing all this on your laptop and next time you want to work from inside, make sure you comment out those 127.0.0.x lines in /etc/hosts.