Pivoting with SSHuttle

You’ve just gained access to a network, you dump the contents of /etc/passwd and /etc/shadow and start password cracking. After about 30 minutes you crack the root password for the device. Using this we can pivot through the network as that device now with dynamic port forwarding with an extremely handy tool called sshuttle.

SSHuttle or sshuttle is an amazing utility for Linux that’s used to dynamically forward ports via a ssh tunnel. It’s incredibly useful when pivoting from one network to another. I used it countless times during PWK labs. I even used it a few times on Hack The Box. On a retired box, Poison, I was first introduced to the concept of forwarding ports with SSH. After the initial “apt install sshuttle” to forward to forward all ports to a remote network it’s as simple as:

sshuttle -r <user>@<network> <remote network><subnet>

Compared to reguarly forwarding ports with SSH this is 100000x easier. For the sake of comparison, dynamically forwarding ports with SSH is slightly different. You basically tunnel all of your traffic through one port in our case, we will use 1337, and you’ll use 1337 as a proxy for all of your traffic. So if you want to use any other service besides HTTP/S it can be quite annoying. Anyways, the syntax is:

ssh -C -D 1337 <IP Address>

Just a reminder if you didn’t pick up on it the first time, you need to proxy all your traffic through the port you select (If you chose something other than 1337). Proxy chains can do this for you, but once again. I prefer SSHuttle as it is much easier!