Whether you are a developer or a security person, you often need to use intranet penetration to do some tests. The easiest way is to use the services provided by ngrok.cc. But if I don’t want to pay and I have a cloud server in my hand, is there any good way?
The answer is yes, we can use ssh remote port forwarding to quickly meet the demand.
Before introducing ssh remote port forwarding, by the way, all the functions of ssh port forwarding will be introduced. Of course, for intranet penetration, use the direct directory and click remote forwarding to jump.
This article has been equipped with a complete video explanation, here jump to the b station video, portal
Directory Structure
Port forwarding
SSH port forwarding can actually be understood as "a tunnel", and its function is to establish a forwarding relationship between a local port and a service on a remote server through a "tunnel" method.
Among them, the ssh connection acts as a tunnel for forwarding service traffic. Of course, this may not be easy to understand. Here is an example to explain its role in detail
1.1, local forwarding
Refers to a local port forwarding initiation request on the machine, the ssh clientupper forwarded to the remote machine. Its commands are as follows:
ssh -L <port_a>:<remote host>:<port_b> user_b@ip_b
What can it be used for? We can imagine a scenario where there is a web service on a remote server that can only be accessed locally. How do we access it?
Perhaps you will answer, open the firewall port, but sometimes, for the sake of security, you are unwilling to expose the port, what should you do?
SSH port forwarding is a relatively simple method. Connecting to this tunnel through SSH will transform your access to the target port of the target server into the target server's own local access.
The hand-drawn schematic diagram is as follows:
port2to port3the channel established through ssh
The commands for establishing the above channel are as follows:
ssh -L <port1>:<ip2>:<port4> user@ip2
Through this command, our computer (ip1) will 127.0.0.1:port1interact with each other through access, which is equivalent to using the identity of ip2 127.0.0.1:port4to access the interactive question
1.2, mysql instance
ssh -L 9099:ip:3306 -Nf root@ip
After entering the password to establish the ssh channel, you can locally, through
mysql -h127.0.0.1 -P9099 -uroot -p
mysqlAccess to the service of the remote server ip
2.1, remote forwarding
Refers to a remote port forwarding request is received on a remote server, the ssh clientforwarding to the local machine specified port. Its commands are as follows:
ssh -R <ip3>:<port_a>:<remote host>:<port_b> user_b@ip_b
What can this function be used for? That’s right, the biggest use is intranet penetration
The principle explanation hand drawing is as follows:
Yes, it is a schematic diagram with the above local forwarding. This time we look at it the other way around. We hope that by accessing the port4 port of the public network ip, we can access a certain service in your local area.
The commands for establishing the above channel are as follows:
ssh -R <ip3>:<port4>:<ip1>:<port1> user@ip2
Through this command, I can then allow ip3 to access the port1 port of my local computer by accessing the port4 port of ip2
But it is worth noting that ssh has security settings, ssh remote port forwarding is not allowed by default, and the settings need to be opened
vim /etc/ssh/sshd_config # ubuntu
# 其他请自行寻找配置文件所在
GatewayPorts yes
# 添加这个配置,有no设置记得删除就好
Of course, there is one more point, if you expose the port to the public network, the firewall must give in and out permissions
2.2. Example description 1
Expose local web services to the public network
ssh -R 0.0.0.0:10090:ip1:80 -Nf root@ip2
All requests to access ip2:10090 will be forwarded to port 80 of your local computer, which is equivalent to that the external network can directly access your local services. This is often used for remote testing. The local testing environment is convenient for others to test.
# 0.0.0.0 表示允许任何ip接入
2.3. Example description 2
burp captures packets, intranet penetration
ssh -R 0.0.0.0:10090:ip1:8080 -Nf root@ip2
Set ip2 to your mobile phone and port 10090 as a proxy. After that, all traffic accessed by your mobile phone will pass through the ssh tunnel of ip2-ip1 to port 8080 of the local computer. The traffic will be captured by burp, and then go to the real destination through the local computer.
# 0.0.0.0 表示允许任何ip接入
3.1, dynamic forwarding
When using a browser to access the internet, the 1080 port of this machine acts as a proxy server, and the browser’s access request is forwarded to sshserver, and sshserver accesses the internet instead
This is very similar to local forwarding, but local forwarding specifies the target server to be accessed, and this one does not
What can this be used for? I know it naturally. I don’t dare to say if I don’t know.
# 命令如下
ssh -D 1080 root@ip
4.1, parameter supplement
Options:
-f # 后台启用,可以在本机直接执行命令,无需另开新终端
-N # 不打开远程shell,处于等待状态,只是搭好了隧道,不ssh上去
Port forwarding maintenance
1. Linux-side processing
No matter which mode is used, when SSH is used for port forwarding, a tunnel needs to be established between the local and remote servers. This kind of connection is unstable. When the network condition is not good, the connection may be interrupted, and autossh can solve this problem
autosshOn sshthe basis of this, a monitoring port is added to prevent ssh sessionexpiration, and can be reconnected to ensure that the connection will not be dropped, which ensures that we sshwill not accidentally lose connection when executing long-running scripts on the remote server.
project address:
https://github.com/islenbo/autossh
For example, I want to perform the function of remote port forwarding, map the local 8080 port to the 10010 port of the remote server, and use the ssh command as follows:
autossh -M 20000 -Nf -R 0.0.0.0:10010:ip1:8080 root@ip2
2. Windows side processing
Parameters can be used directly -o ServerAliveInterval=60
The command is as follows:
ssh -o ServerAliveInterval=60 -Nf -R 0.0.0.0:10010:ip1:8080 root@ip2