// notes/ Pivoting & Tunneling
🚀

Pivoting Sshuttle

SSHuttle creates a tunneled proxy that acts like a new interface, simulating a VPN, allowing us to route our traffic through the proxy without the use of[ proxychains](/post-explo…

#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/pivoting_sshuttle

SSHuttle

SSHuttle creates a tunneled proxy that acts like a new interface, simulating a VPN, allowing us to route our traffic through the proxy without the use of proxychains, all using ssh so the connection is encrypted.

{% hint style="info" %} sshuttle only works on Linux machines, python needs to be installed (uploading a python binary is possible) AND you need SSH access to the machine {% endhint %}

Open a tunnel using sshuttle

bash
$sshuttle -r username@address subnet
$sshuttle -r user@172.16.0.5 172.16.0.0/24

Use -N to get sshuttle to automatically determine the subnets the machine is on using the servers routing table (doesn't always work).

bash
$sshuttle -r user@172.16.0.5 -N

Connect back using a key file

<pre class="language-bash"><code class="lang-bash"><strong>sshuttle -r user@172.16.0.5 --ssh-cmd "ssh -i private_key" 172.16.0.0/24 </strong></code></pre>

If the following error ever occurs we can get around it by excluding the compromised server out out the subnet we wish to forward to

bash
$client: Connected.
$client_loop: send disconnect: Broken pipe
$client: fatal: server died with error code 255
bash
$sshuttle -r user@172.16.0.5 172.16.0.0/24 -x 172.16.0.5