Pivot & Tunnel
Host -> EC2 Instance -> VDI -> Target Domain
SOCKS5
- Start Chisel on the EC2 instance in server mode
- Start Chisel in client mode on the VDI machine
- Port forward local port 9001 on your host to port 1080 on the EC2 instance
  host : 9001 --> ec2 : 1080
  N.B. I am not sure if administrator privileges are required.
- Configure Burp Suite to use a SOCKS proxy on your host
Port forwarding
- Install SSH Client on the VDI Windows machine with the required capabilities.
- Permit low-privileged users to bind to lower range ports (1-1024) on the EC2 instance. The admin user, which is not root on the EC2 instance, won't have permission to bind to port 443 when remote port forwarding later in this tutorial.
- Modify /etc/sshd/sshd_config on the EC2 instance to keep connections alive regardless of how inactive they are. Uncomment the following in the sshd_config file.
- Add hosts file entries that map the target domain to 127.0.0.1 to:
  - EC2 instance hosts file
  - Host hosts file
Example host file
- Set up a remote port forward to port 443 on the EC2 instance from the VDI machine
  ec2 : 443 --> target : 443
- Set up a local port forward from the host to the EC2 instance
  host : 443 --> ec2 : 443
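
The two forwards above written out as OpenSSH commands, with a pre-flight check for the hosts entry. This is an added example, not part of the original notes; the target domain, the EC2 login and the ServerAliveInterval client option are placeholders and assumptions.

```shell
#!/bin/sh
# Added example. TARGET and EC2 are placeholders, not values from the notes.
TARGET="${TARGET:-target.example.internal}"
EC2="${EC2:-admin@ec2.example}"

# Succeed if hosts file $1 maps domain $2 to 127.0.0.1 (comments ignored).
hosts_maps_to_loopback() {
    awk -v d="$2" '
        { sub(/#.*/, "") }    # drop comments; awk re-splits the fields
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Run on the VDI: ec2 : 443 --> target : 443 (remote forward).
# sshd binds the forwarded port to loopback on the EC2 instance by default.
# ServerAliveInterval is a client-side keepalive (assumption, not in the notes).
remote_forward_cmd() {
    printf 'ssh -N -o ServerAliveInterval=30 -R 443:%s:443 %s\n' "$TARGET" "$EC2"
}

# Run on the host: host : 443 --> ec2 : 443 (local forward).
# Binding local port 443 usually needs elevated privileges on the host.
local_forward_cmd() {
    printf 'ssh -N -o ServerAliveInterval=30 -L 443:127.0.0.1:443 %s\n' "$EC2"
}

# Check one hosts file ($1), then report what is missing.
preflight() {
    if hosts_maps_to_loopback "$1" "$TARGET"; then
        echo "ok: $TARGET -> 127.0.0.1 in $1"
    else
        echo "missing: add '127.0.0.1 $TARGET' to $1"
        return 1
    fi
}

# Demo against a constructed hosts file, so nothing on the system is touched.
SAMPLE=$(mktemp)
printf '127.0.0.1 localhost\n127.0.0.1 %s # pivot\n' "$TARGET" > "$SAMPLE"
preflight "$SAMPLE" && remote_forward_cmd && local_forward_cmd
rm -f "$SAMPLE"
```

Run `preflight /etc/hosts` on the host and on the EC2 instance before starting either forward.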
NAT to NAT
TBD, I have not tested this yet.
WireGuard
Tailscale
Tailscale is a modern VPN built on top of WireGuard. It works like an overlay network between the computers of your networks, using NAT traversal.
Everything in Tailscale is open source, except the GUI clients for proprietary operating systems (Windows and macOS/iOS) and the control server.
The control server works as an exchange point of WireGuard public keys for the nodes in the Tailscale network. It assigns the IP addresses of the clients, creates the boundaries between each user, enables sharing machines between users, and exposes the advertised routes of your nodes.
A Tailscale network (tailnet) is a private network which Tailscale assigns to a user, whether a private user or an organisation.
Headscale
headscale aims to implement a self-hosted, open source alternative to the Tailscale control server. headscale has a narrower scope, and an instance of headscale implements a single tailnet, which is typically what a single organisation or a home/personal setup would use.
headscale uses terms that map to Tailscale's control server; consult the glossary for explanations.
SShuttle
To use sshuttle with a jump host, make sure ~/.ssh/config is configured correctly. Check out [[Infrastructure Pen test/SSH (22)#Config File Sample for jumphost]]