From Stu2

Some quick notes about using SSH. Setting up a simple tunnel lets you reach machines behind a firewall, but it requires cooperation from the firewall admin. A man-in-the-middle tunnel gets around this limitation.


Basic Tunnel

Use this to create a tunnel between you and a remote machine. A port on the local computer will connect to a port on the remote.

Host pops
  Port 22
  User speed
  LocalForward 5000 localhost:80

then run:

ssh -f -N -g -L [email protected]

or, to keep the tunnel alive automatically, use autossh:

autossh -N -f pops

Simple Tunnel

Use this method to access remote computers behind a firewall and NAT device. The remote laptop opens an SSH connection to the firewall. Then the tunnel forwards the ports to the internal computers.

Laptop -> (Internet) -> FW/NAT( -> trixie(internal, -> inspector_detector(internal,
  • Run sshd on trixie
  • Run web server on trixie and inspector_detector (example, could be any service and/or IP behind FW)
  • Allow port 22 on the firewall
  • Edit ~/.ssh/config on the laptop as follows:
Host pops
        Port 22
        User speed
        LocalForward 3333
        LocalForward 3334

Then open an SSH session from the laptop to the remote end:

ssh pops

In a browser on the laptop, retrieve the remote web page:


Using Keys

On the client (local PC) enter the following commands and take all the defaults (ssh-keygen is the key-generation step the page refers to later; it prompts for the file name and passphrase):

cd ~/.ssh
ssh-keygen

Add your identity locally (the identity is loaded into the authentication agent with ssh-add):

ssh-add

Copy the public key to the remote computer. Note: the scp below overwrites authorized_keys, so unless this is the only computer authorized to connect, copy the file somewhere else and concatenate the key to the existing authorized_keys file instead.

scp [email protected]:/home/user/.ssh/authorized_keys

SSH - Man in the middle tunnel

This allows you to use a man in the middle to circumvent a firewall where the administrator won't poke any holes or configure port address translation. It requires that the firewall allow outgoing connections. (Note: if port 22 isn't allowed outbound, you can use a different port for the tunnel.) Here's a diagram.

trixie -> NAT -> INET -> racerX <- INET <- laptop

Goal: provide a way to reach trixie from the Internet. Trixie is located behind a NAT device and we don't control the NAT/FW.

Solution: Use SSH to set up a reverse shell.

Set up RacerX - the middle man

On racerX, the middleman, make sure the following is added to the /etc/ssh/sshd_config file:

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes

Make sure port 22 (or whatever racerX is listening on) is opened to the outside.
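As an added example (not from the original page), here is a small sh script that audits a racerX sshd_config for the four directives above and flags the exposure that GatewayPorts yes creates: with it, the RemoteForward listeners on 3333 and 3334 bind on every interface of racerX, so trixie's sshd and chim-chim's web server are reachable by any host that can reach racerX, not only through the laptop's own SSH session. The sample config is constructed inline so the script runs offline; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: audit a racerX sshd_config for the
# middle-man directives and flag what "GatewayPorts yes" exposes.

# Print the effective value of one directive: the last non-comment occurrence
# wins, and sshd_config keywords are case-insensitive.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key { val = $2 }
        END { print val }' "$1"
}

# Return 0 when all four directives are present, 1 otherwise. With
# GatewayPorts yes, RemoteForward listeners (3333, 3334) bind on every
# interface of racerX, so trixie:22 and chim-chim:80 become reachable by any
# host that can reach racerX. Keeping the default (no) binds them to
# 127.0.0.1 on racerX; the laptop then forwards to localhost:3333 instead.
check_sshd_config() {
    rc=0
    for d in TCPKeepAlive ClientAliveInterval ClientAliveCountMax GatewayPorts; do
        if [ -z "$(sshd_directive "$1" "$d")" ]; then
            echo "missing directive: $d" >&2
            rc=1
        fi
    done
    case "$(sshd_directive "$1" GatewayPorts | tr 'A-Z' 'a-z')" in
        yes) echo "warning: GatewayPorts yes exposes the forwarded ports on all interfaces;" \
                  "keep the default 'no' and use 'LocalForward 2022 localhost:3333' on the laptop" >&2 ;;
    esac
    return "$rc"
}

# Constructed sample config, so the script runs offline
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# sshd_config on racerX (constructed sample)
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes
EOF

check_sshd_config "$SAMPLE_CONF" && echo "all middle-man directives present"
```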

Set up Trixie - the ultimate target

On trixie, set up ssh to connect to the middle server (i.e. racerX). Use ssh-keygen on trixie. Copy the public key ( to racerX and add to /home/user/.ssh/authorized_keys on racerX. Then open a reverse shell by executing the following on trixie:

ssh -f -NR 3333:localhost:22 [email protected] -p 22


Edit /home/user/.ssh/config (and chmod 600 it; the original note read 6000, which would set the setuid/setgid bits and strip all read permission) so that it contains:

host tunnel
   Hostname racerX (or IP address)
   Port 22
   RemoteForward 3333 localhost:22   # links port 3333 on racerX to port 22 on the local host (trixie)
   RemoteForward 3334 chim-chim:80   # links port 3334 on racerX to port 80 (web) on another host behind the NAT device

Then start the tunnel:

ssh -f -N tunnel

At this point, you should be able to test the reverse tunnel on racerX. Issue this command on racerX and you should get trixie's username/password prompt. This starts an SSH session through the tunnel.

ssh localhost -p 3333

You will need a method of ensuring the reverse tunnel (ssh -f -N tunnel) stays active, e.g. a script run from the crontab. If this tunnel (trixie -> racerX) goes down, you won't be able to use it, and since trixie is behind the firewall you won't have any way to manually restart it.
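One way to do that, as an added example that is not part of the original page: a cron-driven keeper script on trixie that asks ssh itself (through a ControlMaster socket) whether the session is still alive and restarts it if not. It assumes the "tunnel" entry in ~/.ssh/config above and key-based login to racerX; the script path, socket path and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: cron-driven keeper for the
# trixie -> racerX reverse tunnel. Assumes the "tunnel" Host entry from
# ~/.ssh/config and key-based login to racerX (BatchMode never prompts).
#   crontab -e  ->  */5 * * * * /home/user/bin/keep-tunnel.sh run
TUNNEL_HOST="${TUNNEL_HOST:-tunnel}"
CTL_SOCK="${CTL_SOCK:-$HOME/.ssh/ctl-$TUNNEL_HOST}"   # ControlMaster socket

# Returns 0 only when a live master ssh session answers on the control
# socket. This is stronger than looking for an ssh process with pgrep: a
# half-dead session still has a process but no longer carries traffic.
tunnel_alive() {
    ssh -S "$1" -O check "$2" >/dev/null 2>&1
}

# (Re)start the tunnel in the background. ExitOnForwardFailure makes ssh
# exit if racerX refuses the RemoteForward (e.g. a stale listener still
# holds 3333), so cron is not left with a session that has no tunnel;
# ServerAlive* makes a dead TCP path terminate the client within ~90 s
# instead of hanging forever under -f -N.
start_tunnel() {
    rm -f "$1"                 # leftover socket from a killed client
    ssh -f -N -M -S "$1" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        "$2"
}

ensure_tunnel() {
    if tunnel_alive "$1" "$2"; then
        return 0
    fi
    echo "tunnel to $2 is down, restarting" >&2   # cron mails this to the user
    start_tunnel "$1" "$2"
}

if [ "${1:-}" = run ]; then
    ensure_tunnel "$CTL_SOCK" "$TUNNEL_HOST"
fi
```

Note that with ClientAliveCountMax 99999 on racerX, a dead session from trixie can keep port 3333 bound for a very long time, so the restarted client fails with ExitOnForwardFailure until racerX finally drops it; a smaller ClientAliveCountMax on racerX lets the restart succeed sooner.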

Set up the Laptop - using tunnel

Then on the laptop:

Edit /home/user/.ssh/config (and chmod 600 it; the original note read 6000, which would set the setuid/setgid bits and strip all read permission) so that it contains:

host tunnel
   Hostname racerX (or IP address)
   Port 22
   LocalForward 2022 racerX:3333
   LocalForward 2080 racerX:3334

Then start the tunnel:

ssh -f -N tunnel

This opens up the tunnel from the laptop to the middleman (racerX) and exposes racerX's ports 3333 and 3334 on your laptop as local ports 2022 and 2080. So now, on your laptop, you do the following:

ssh localhost -p 2022 -> connects you to trixie via ssh


use a web browser: http://localhost:2080/ -> gets a web page from chim-chim.

Putty and VNC

Create a standard PuTTY session. Under SSH/Tunnels, add a tunnel: Source port 5901, Destination IP:5900. Press Add.

Under VNC Viewer, connect to localhost:1.


ssh -f -L 5900:localhost:5900 [email protected] -p port x11vnc -safer -localhost -nopw -once -display :0 && sleep 5 && vncviewer localhost:0

Note, if the user is NOT logged in, then you have to do things in steps. I found the instructions here:

First, open a terminal, then:

ssh IPADDRESS -l user -p PORT
sudo x11vnc -safer -localhost -once -nopw -auth /var/lib/gdm/:0.Xauth -display :0

Second, open another terminal, then:

ssh -L 5900:localhost:5900 [email protected] -p PORT

Third, open another terminal, then:

vncviewer localhost:0


To get x11vnc to work with mdm,

You have to store a password first:

x11vnc -storepassword /etc/x11vnc.pwd

Then add this line to the end of /etc/mdm/Init/Default. (before the exit command)

nohup x11vnc -repeat -auth /var/lib/mdm/:0.Xauth -shared -no6 -forever -nolookup -rfbauth '/etc/x11vnc.pwd' -o /var/log/x11vnc.log 2> /dev/null 1>&2 &

Note: if x11vnc wasn't added to the mdm file, you can run the x11vnc command over SSH instead, just as in the sections above.

If something screws up, you can remotely log out a user running MATE like this:

DISPLAY=:0 mate-session-save --force-logout

This will log out the user, which executes the mdm script again, saving you from having to reboot the remote computer.