Goodbye to Constrained Environments
When conducting internal penetration tests, you may find yourself in different situations. One of these scenarios involves the client setting up a dedicated testing machine for you (shown in hot pink in the diagram) that restricts your internet access and limits the tools available to you. This post focuses on that situation and offers a way to overcome these limitations.
Running port scans without familiar tools like nmap, or without your own custom scripts, is challenging in such a constrained environment. Moreover, spending hours compiling and transferring dependencies to the new testing machine is far from ideal.
However, you have a few options to improve your testing experience:
- Ask your client to install your preferred tools or image, but this could extend the engagement timeline significantly.
- Use SSH port forwarding, an older method that quickly becomes cumbersome when dealing with multiple services and machines.
- Use sshuttle!
Luckily, there's a better solution: sshuttle.
sshuttle streamlines the tedious process of per-port SSH forwarding: traffic for the subnets you specify is tunneled through the hot pink server, which acts as a gateway into your target network. Every TCP port is covered, so it offers a blend of VPN and port forwarding functionality.
To get started, simply install sshuttle on your local machine with a straightforward sudo pip install sshuttle command.
For the engagement illustrated in the diagram, use the following command:
sshuttle -r USER@172.16.0.1 172.16.0.0/16
The command prompts you for the credentials of the hot pink server (172.16.0.1), with USER being the account you were given on it, and that's all you need to do!
Now, from your local machine (green), you can launch any tool or browser. Just input the target IPs of the blue target network (172.16.0.0/16), and sshuttle takes care of the rest, routing all traffic to the target network through the pink machine, without any additional effort on your part.
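One thing worth checking before running the command above is whether the subnet you are about to tunnel overlaps a network your own machine sits on: routing your local LAN through the gateway cuts you off from it. The helper below is an added example written for this post, not code from the sshuttle project; it validates the scope, detects such clashes, and emits the sshuttle argv, excluding clashing local ranges with sshuttle's real `-x` option. The `build_command` and `clashing_local_nets` names, the `tester` account, and the local networks are constructed for illustration.

```python
"""Plan an sshuttle pivot: validate the scope, detect local-network clashes,
and emit the command line.

Added example for this post, not code from the sshuttle project. The gateway
user, the local networks and the scope values are constructed; the -r (remote),
-x (exclude) and --dns flags are real sshuttle options.
"""
import ipaddress
import shlex
from typing import List, Sequence


def parse_networks(cidrs: Sequence[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDRs strictly: 172.16.0.1/16 (host bits set) is rejected with a
    ValueError rather than silently widened to 172.16.0.0/16."""
    return [ipaddress.ip_network(c) for c in cidrs]


def clashing_local_nets(targets, local_nets):
    """Return the local networks that overlap a tunneled range.

    Routing a local LAN through the tunnel cuts the tester off from their own
    network. A local network that swallows an entire target range is a scope
    error rather than something to exclude, so that case raises.
    """
    clashes = []
    for local in local_nets:
        for target in targets:
            if target.subnet_of(local):
                raise ValueError(
                    f"scope {target} lies entirely inside local network {local}")
            if local.overlaps(target) and local not in clashes:
                clashes.append(local)
    return clashes


def build_command(user, gateway, targets, local_nets, dns=False):
    """Return the sshuttle argv for pivoting through user@gateway."""
    tnets = parse_networks(targets)
    lnets = parse_networks(local_nets)
    ipaddress.ip_address(gateway)  # fail early on a malformed gateway address
    argv = ["sshuttle", "-r", f"{user}@{gateway}"]
    if dns:
        argv.append("--dns")  # also send DNS lookups through the gateway
    for net in clashing_local_nets(tnets, lnets):
        argv += ["-x", str(net)]  # keep the local range reachable directly
    argv += [str(n) for n in tnets]
    return argv


def to_shell(argv):
    """Quote the argv for pasting into a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed engagement: the tester's laptop is on 192.168.1.0/24 and a
    # second lab segment, 172.16.5.0/24, collides with the 172.16.0.0/16 scope.
    cmd = build_command("tester", "172.16.0.1", ["172.16.0.0/16"],
                        ["192.168.1.0/24", "172.16.5.0/24"])
    print(to_shell(cmd))
```

With a clean local network the output is exactly the one-liner from this post; with the colliding lab segment it gains `-x 172.16.5.0/24` so that segment stays routed locally.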
The beauty of this approach is that it frees you from the constraints of the provided environment. Whether you're using Linux, macOS, or Windows on your local machine, sshuttle empowers you to test without any limitations.
The only requirement is that Python 3.8 or newer is installed on the gateway (hot pink) machine. You also don't need root access on the gateway, which proves incredibly useful when pivoting onward through other networks after owning some of the target boxes.
As a matter of professional courtesy, always inform your client about the tools you intend to use, whether that is sshuttle or plain SSH port forwarding.
Spend less time networking and more on testing!