Friday, 28 September 2012

rssh - reverse secure shell

Sometimes we want what seems impossible: to access machines in private networks. The problem is that these machines sit behind a NAT device and therefore have no public IP address. In these cases, what we need is a reverse shell.

But there's a catch: we don't want a simple shell, we want a standard encrypted connection: an ssh connection.

Let's consider the following machines:
- a public machine: myhost.example.com
- a machine behind NAT: 10.0.0.1

We want to connect from myhost.example.com to 10.0.0.1. Because it is behind NAT, it has no public IP address, and therefore we cannot open a connection to it.

However, with a little help from 10.0.0.1, we can do it. At 10.0.0.1 we do:

ssh -N -R 2222:localhost:22 me@myhost.example.com

This will create a tunnel-only connection to the public machine (-N means no remote command is run), with a reverse tunnel from port 2222 on the public machine to port 22 on 10.0.0.1.

This means that any connection to port 2222 on the public machine will reach port 22 of 10.0.0.1, which is exactly what we need to start an ssh connection.

Thanks to this reverse tunnel, we can now connect to 10.0.0.1 by running the following on the public machine (by default sshd binds the forwarded port to the loopback interface only, so it is reachable just from the public machine itself, which is why we connect to localhost):

ssh -p 2222 me@localhost
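The two steps above, as an added example that is not part of the original post: a small POSIX shell script that builds the NAT-side ssh command with a few hardening options (an explicit 127.0.0.1 bind address, ExitOnForwardFailure so a port already in use is reported rather than silently ignored, and ServerAlive keepalives so a dead connection is dropped), and a check for the public machine that reads `ss -tln` output and reports whether port 2222 is bound to loopback only or exposed on all interfaces. The hostnames and user come from the post; the option set, the function names and the sample `ss` output are this example's own constructions.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds the reverse-tunnel
# command from the post with hardening options, and checks on the public
# machine how the forwarded port is bound.

# Command to run on the NAT-side host (10.0.0.1).
#   $1 public host, $2 user on the public host,
#   $3 port to open on the public host, $4 local port to expose (22 = sshd)
# Prints the command line instead of running it, so it can be inspected.
rssh_cmd() {
    pub_host=$1; user=$2; remote_port=$3; local_port=$4
    # 127.0.0.1: keep the listener on loopback of the public host even if
    #   sshd there were configured with GatewayPorts yes.
    # ExitOnForwardFailure: exit if the port is taken, instead of holding a
    #   connection with no tunnel.
    # ServerAlive*: detect a dead connection so a supervisor can restart it.
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:%s %s@%s\n' \
        "$remote_port" "$local_port" "$user" "$pub_host"
}

# Check to run on the public host: feed `ss -tln` on stdin, give the port
# as $1. Prints "loopback" (bound to 127.0.0.1/::1 only), "exposed"
# (bound on a non-loopback or wildcard address) or "absent".
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # column 4 of ss -tln is Local Address:Port, e.g. 127.0.0.1:2222
            n = split($4, a, ":"); p = a[n]
            if (p != port) next
            if ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/) { loop = 1; next }
            exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loop) print "loopback"
            else print "absent"
        }'
}

# Constructed sample output in the shape of `ss -tln` (not captured from a
# real host): one with the tunnel on loopback, one with it on all interfaces.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Convenience wrapper: run listener_scope over one of the samples.
scope_of_sample() {
    printf '%s\n' "$1" | listener_scope "$2"
}

# Usage when run directly: print the command for 10.0.0.1, then show the
# check against both samples. On the real public host you would run
#   ss -tln | listener_scope 2222
if [ "${RSSH_EXAMPLE_MAIN:-1}" = 1 ]; then
    rssh_cmd myhost.example.com me 2222 22
    echo "sample with loopback bind: $(scope_of_sample "$SAMPLE_OK" 2222)"
    echo "sample with wildcard bind: $(scope_of_sample "$SAMPLE_EXPOSED" 2222)"
fi
```

If the check prints "exposed", the public machine's sshd is honouring wildcard binds (GatewayPorts), and port 2222 is reachable from the Internet, so anyone who can reach myhost.example.com can attempt logins against 10.0.0.1's sshd; the explicit 127.0.0.1 bind in rssh_cmd keeps it on loopback regardless of that setting.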