Tag Archives: firewall

Quick and dirty NAT/Firewall bypass using SSH and ngrok

If you have a system that is behind a router/gateway/firewall device that you cannot poke holes in and you want to expose your system to the WAN, I recommend you check out ngrok. You can make a free account, download, and use the tool for free as well (with some limitations).

Once you have followed the simple setup instructions, put the ngrok executable into your $PATH (or %PATH%). Provided you have ssh listening on port 22 on the system you're trying to expose to the WAN, you can then simply run the following command: ngrok tcp 22. The output might look something like this:

Version 2.2.8
Region United States (us)
Web Interface http://127.0.0.1:4040
Forwarding tcp://0.tcp.ngrok.io:15551 -> localhost:22

Connections ttl opn rt1 rt5 p50 p90
0 0 0.00 0.00 0.00 0.0

The beautiful thing about this is that you can see the forwarding location by logging into your ngrok.com account and going to Status. This means you could script ngrok (via rc.local, shell:startup, crontab, etc.) to connect out on a regular basis and find the new forwarding location on your ngrok.com status page. In my experience the port is dynamic and changes. Interestingly enough, you also have to remember to be careful: I was able to find other ssh servers and open ports by scanning port ranges on 0.tcp.ngrok.io.

Want to access the internal network using a browser? No problem! In this instance you would simply do: ssh -D 8000 username@0.tcp.ngrok.io -p 15551 and then set your browser to use the SOCKS5 proxy at 127.0.0.1:8000.

There are other similar services like portmap.io and openport.io, but so far I like ngrok the best.
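
A defender's counterpart to the tunnel described above, added here and not part of the original post: a small Python detector that walks constructed DNS/TLS/TCP log lines and flags internal hosts that resolved or connected to ngrok.io or ngrok.com names, separating raw N.tcp.ngrok.io tunnel endpoints (the kind the SSH forward above lands on) from the agent's control channel. The key=value log format, the client IPs and the tunnel.ngrok.com hostname are assumptions made for the example.

```python
import re
from collections import defaultdict

# Domains from the post: the agent/dashboard live under ngrok.com and TCP tunnels
# are exposed on endpoints such as 0.tcp.ngrok.io. Extend the tuple as needed.
NGROK_DOMAINS = ("ngrok.io", "ngrok.com")

# Constructed sample log: "<timestamp> <kind> key=value ...". The client IPs and
# the tunnel.ngrok.com hostname are made up for this example, not from the post.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dns client=10.0.0.23 query=tunnel.ngrok.com type=A
2024-05-01T10:00:02Z tls client=10.0.0.23 sni=tunnel.ngrok.com dport=443
2024-05-01T10:05:00Z dns client=10.0.0.42 query=0.tcp.ngrok.io type=A
2024-05-01T10:05:01Z tcp client=10.0.0.42 dst=0.tcp.ngrok.io dport=15551
2024-05-01T10:06:00Z dns client=10.0.0.77 query=www.example.com type=A
2024-05-01T10:06:01Z dns client=10.0.0.77 query=notngrok.io type=A
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TCP_ENDPOINT_RE = re.compile(r"^\d+\.tcp\.ngrok\.io$")

def is_ngrok_host(host: str) -> bool:
    """True for the listed domains and their subdomains; 'notngrok.io' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in NGROK_DOMAINS)

def parse_line(line: str) -> dict:
    """Extract the key=value fields of one log line; {} when the line has none."""
    return dict(FIELD_RE.findall(line))

def find_ngrok_clients(log_text: str) -> dict:
    """Map each client IP to the sorted ngrok hostnames it resolved or connected to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        host = rec.get("query") or rec.get("sni") or rec.get("dst")
        if host and is_ngrok_host(host):
            hits[rec.get("client", "unknown")].add(host.lower())
    return {client: sorted(hosts) for client, hosts in hits.items()}

def tcp_tunnel_clients(hits: dict) -> list:
    """Clients that touched an N.tcp.ngrok.io endpoint, i.e. a raw TCP tunnel like the
    SSH forward in the post, rather than only the agent's HTTPS control channel."""
    return sorted(c for c, h in hits.items() if any(TCP_ENDPOINT_RE.match(x) for x in h))

if __name__ == "__main__":
    found = find_ngrok_clients(SAMPLE_LOG)
    print(found)
    print("raw TCP tunnel clients:", tcp_tunnel_clients(found))
```

In a real deployment, feed the function your resolver or proxy export and alert on any client that is not an approved tunnel user; the exact-suffix match keeps look-alike domains out of the results.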

An update: Just a bunch of random thoughts

Things I’ve taken note of over the past months:

1.) Finding ‘too much information’ (even when it’s public information) on a company can scare HR people, go figure.

2.) Linksys routers that are compatible with DD-WRT or the like are great for being used as pivot points in networks. For example, if you're able to gain access to a router that is DD-WRT compatible and you can get SSH up and running on it, you've opened up a lot of opportunities.

One opportunity would include scanning the internal network using proxychains and nmap over an SSH tunnel. You could also use proxychains and nikto to scan web servers that are in the network associated with the DD-WRT compatible router.

You can also set up a private second WLAN network on the DD-WRT compatible router to have a sense of secure access to the network you're penetrating. Using DD-WRT as a penetration tester really opens up your possibilities.

3.) http://ipq.co rocks, ‘nough said. 🙂

4.) Being able to boot up a live Linux distro on a victim machine, use bkhive and samdump2 (like this tutorial http://www.irongeek.com/i.php?page=security/localsamcrack2) to extract password hashes, and then do 'Pass the hash attacks' via Metasploit (like shown here: http://securitytube.net/Metasploit-Megaprimer-Part-16-(Pass-the-Hash-Attack)-video.aspx) is incredibly cool.

5.) The Nmap scripting engine rocks: http://securitytube.net/Mastering-the-Nmap-Scripting-Engine-(Blackhat-2010)-video.aspx

6.) Did you know you could install Nmap silently on a Windows machine? (Yes, it will also install winpcap.)
nmap-5.35DC1-setup.exe /S

7.) Other cool apps to install 'silently' using msiexec on Windows machines (msiexec /i appname.msi /q):
http://www.python.org/download/releases/2.5/
http://www.activestate.com/activeperl/downloads

8.) The concepts of SSH reverse connections and port forwarding make me elated: http://www.securitytube.net/Hacking-through-the-Windows-Firewall-using-Metasploit-video.aspx

More to come as usual…