Using Alibaba cloud ECS springboard to penetrate the intranet-SSH

This is a creation in Article, where the information may have evolved or changed. Background: A machine that exposes a private network can be accessed by a public network. Because the pit Daddy Telecom does not give the fixed public network IP, therefore cannot configure the public network forwarding on the router. Google on the Internet, found the powerful SSH, a command to take care of. "' Ssh-fngr 2222:127.0.0.1:22 101.37.XX. XX ' ' Command | Meaning---|----R port:host:port | Map the port of the remote machine to local. The first port is the remote server port and the second port is the local PORT,IP address is local Ip-f | Tell the SSH client to run in the background-g | Allow remote host to be remotely accessible, there are pits here, explained below. -N | Do not execute a shell or command. Do not execute scripts or commands, usually with-F. Operating principle: 1, the local host and the remote host to establish a connection; 2, the remote host is assigned a socket listening port port, 3, the remote port has a connection, the connection through the secure channel to the port of the local. Note: Root logs on to a remote host to forward a privileged port. After executing the above command on the intranet machine, Netstat can see the link between the local computer and the remote machine that has SSH established. "' root@ubuntu:~# ssh-fngr 2222:127.0.0.1:22 101.37.XX. XX root@ubuntu:~# netstat-anactive Internet connections (servers and established) Proto recv-q send-q Local Address Foreig N Address statetcp 0 0 127.0.0.1:3306 0.0.0.0:* listentcp 0 0 0.0.0.0:80 0.0.0.0:* listentcp 0 0 0.0.0.0:22 0.0.0.0:* LIST Entcp 0 0 192.168.199.195:22 192.168.199.150:63314 establishedtcp 0 0 192.168.199.195:49118 101.37.xx.xx:22 TIME_WAITtcp 0 0 192.168.199.195:49116 101.37.xx.xx:22 time_wait ' Login remote machine view ' root@izbp13nxv7jnb572cpnkd8z:~# lsof-i: 2222COMMAND PID USER FD TYPE DEVICE size/off NODE namesshd 25903 root 8u IPv4 75873980 0t0 TCP Localhos t:2222 (LISTEN) "" At this time in the remote machine directly ssh to the port 2222, you can access the intranet machine. "SSH 127.0.0.1-p 2222" seems to be OK here, but what we need is a springboard machine. When a different ECS connection is connected to the remote machine, the link is rejected. In fact, the attention is found, the above lsof view, the monitoring is localhost, other machines of course, can not access. However, our SSH parameters are clearly the-G option,-G is explicitly allowed remote machine can access AH. Google found that the operation of the machine's SSH also need to open gatewayports Yes ' #vim/etc/ssh/sshd_config new gatewayports yes#service ssh restart#kill-9 25903 #杀掉远程映射的进程, broken link, process number can be found through Lsof "" and then re-execute the above command in the intranet machine, here on the remote machine to view, listening to the public network Ip,ok. "' root@izbp13nxv7jnb572cpnkd8z:~# lsof-i: 2222COMMAND PID USER FD TYPE DEVICE size/off NODE namesshd 25853 root 8u IPv4 75871893 0t0 TCP *:2222 (LISTEN) "Can now access the intranet machine on a PC with access to the remote machine, SSH port 2222. "SSH root@101.37.xx.xx-p 2222 #实际访问的是内网机器" 194 reads  ∙  1 likes