When you use a compromised computer to reach hidden services inside a network, what specific SSH trick lets your own computer connect to those services as if they were local?
The specific SSH trick that lets your own computer connect to hidden services inside a network, as if those services were local, is called SSH Local Port Forwarding. SSH, or Secure Shell, is a cryptographic network protocol that allows for secure remote access to computers. When you use SSH Local Port Forwarding, you create a secure tunnel from a port on your local computer to a specific destination (an IP address and port) that is only accessible from the compromised computer. The compromised computer acts as an intermediary, forwarding traffic through this tunnel.
Here is how it works: You instruct your local SSH client to listen on a particular port on your own machine. For example, if you want to access a hidden web service running on `10.0.0.5` on port `80` from within the compromised network, and the compromised computer's IP address is `192.168.1.100`, you would initiate an SSH connection to the compromised computer with local port forwarding enabled. Your SSH client creates a listening port, say `8080`, on your local computer.
Any network traffic sent by your applications to `localhost:8080` is then captured by your SSH client, encrypted, and sent through the secure SSH tunnel to the compromised computer. Once the encrypted traffic arrives at the compromised computer, the SSH server on that machine decrypts it and then forwards it to the actual hidden service located at `10.0.0.5:80` within its internal network. The responses from the hidden service travel back through the same SSH tunnel to your local machine, where they are then delivered to the application that initiated the request.
This entire process makes the hidden service appear as if it is running on your own computer at `localhost:8080`, because your applications never directly connect to the remote compromised machine or the hidden service; they only interact with your local port. The SSH tunnel transparently handles the redirection and security.
An example command for this would be `ssh -L 8080:10.0.0.5:80 user@192.168.1.100`, where `-L` specifies local port forwarding, `8080` is the local port, `10.0.0.5:80` is the hidden service's address and port relative to the compromised machine, and `user@192.168.1.100` is the user and IP address of the compromised computer.
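Whether the `ssh -L` request described above is honored depends on the SSH server's `AllowTcpForwarding` and `PermitOpen` settings. The following is an added example, not part of the original answer: it audits the text of an OpenSSH `sshd_config` and reports the scopes in which local forwarding is permitted. The function name and the sample configuration are constructed for illustration, and `Include` files are not followed.

```python
import re

# AllowTcpForwarding values under which sshd accepts "ssh -L" channel requests.
LOCAL_FWD_VALUES = {"yes", "all", "local"}
TRACKED = ("allowtcpforwarding", "permitopen")

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_CONFIG = """\
# global section
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:80
Match Group legacy
    AllowTcpForwarding=yes
"""

def audit_local_forwarding(config_text):
    """Report, for the global scope and each Match block, whether -L works."""
    scopes = [{"scope": "global", "allowtcpforwarding": None, "permitopen": None}]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scopes.append({"scope": "Match " + value,
                           "allowtcpforwarding": None, "permitopen": None})
        elif key in TRACKED and scopes[-1][key] is None:
            scopes[-1][key] = value  # first value obtained in a scope wins
    base = scopes[0]
    findings = []
    for s in scopes:
        # A Match block overrides the global value; unset falls back to defaults.
        atf = (s["allowtcpforwarding"] or base["allowtcpforwarding"] or "yes").lower()
        dest = s["permitopen"] or base["permitopen"] or "any"
        allowed = atf in LOCAL_FWD_VALUES and dest.lower() != "none"
        findings.append({"scope": s["scope"], "local_forwarding": allowed,
                         "any_destination": allowed and dest.lower() == "any",
                         "permitopen": dest})
    return findings

if __name__ == "__main__":
    for finding in audit_local_forwarding(SAMPLE_CONFIG):
        print(finding)
```

A scope with `any_destination` set to true lets a logged-in account reach any host and port the server can reach. On a live host, `sshd -T` prints the effective configuration and is the authoritative check.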