
Unix jumpbox with SSH access

Balazs Bucsay edited this page May 28, 2018 · 4 revisions

Introduction

Let's say there is a segregated network that can only be reached through a jumpbox which has nothing but SSH (port 22/tcp) open; everything else is firewalled. In this case using Nessus and other tools is awkward, since all of them would have to be installed on the jumpbox itself.
Fortunately SSH supports port forwarding out of the box with the -L (local), -R (remote) and -D (dynamic) arguments. Combining these with XFLTReaT can make the penetration tester's life a lot easier: we are going to build a bridge between the two networks by running XFLTReaT on the jumpbox and reaching it over an SSH port forward.

Network

In this example we have:

  • a network that is fully segregated (172.16.0.0/12)
  • on that network, a dual-homed Unix box running an SSH service (172.16.100.10 on the segregated side, 192.168.100.10 on the side the penetration tester can reach)
  • a penetration tester whose machine (192.168.200.20) can reach the jumpbox's 192.168.100.10 address over SSH
  • a few other virtual machines on the penetration tester's machine, Nessus among them (192.168.200.x)

First steps

It is advised to use the local forward option when logging into the server via SSH. That way the listener on the specified port is bound to localhost only on the client side, which is the secure choice: the forwarded port is reachable from the client machine alone, not from anybody else on its network.

ssh user@jumpserver -L1337:127.0.0.1:1337

After logging in to the box and elevating our privileges to root, the framework (and Python, of course) needs to be installed and configured. A detailed walkthrough can be found here: Configuring Linux.
The configuration should look something like this:
PLEASE NOTE THAT MANY THINGS ARE MISSING FROM THIS CONFIG, THIS IS JUST A SNIPPET; CHANGE YOUR OWN CONFIG ACCORDINGLY!

[Global]
remoteserverip = 127.0.0.1
overriderouter = 192.168.100.10

[Authentication]
module = saltedsha512
key = RANDOM_GENERATED_SECURE_AND_LONG_PASSPHRASE

[Encryption]
module = none

[TCP_generic]
enabled = yes
serverport = 1337

The server uses the TCP module, which listens on 127.0.0.1 (localhost) of the jumpbox on port 1337. This port is already forwarded by SSH, so there is no need to cut our throughput by also using the framework's encryption module: SSH takes care of the encryption. Authentication is not strictly necessary either, but it is nice to have, so set a long, randomly generated passphrase.
The most important option here is overriderouter, which overrides the route change: the client uses this IP as the gateway towards the jumpbox instead of what it would derive from remoteserverip (127.0.0.1, which here is only the local end of the SSH forward). This value always has to be the IP of the jumpbox that is reachable from the client, 192.168.100.10 in this example.
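The following POSIX shell script is an added example, not code from this wiki page or from the XFLTReaT project. It checks a client config for the mistake that most often breaks this setup (remoteserverip left at 127.0.0.1 while overriderouter is missing, loopback, or not the jumpbox's reachable address) and derives the ssh -L command from serverport so that the forwarded port and the port the client connects to always match. The INI parsing is a minimal awk over "key = value" lines, the sample config is constructed from the snippet above, and the SSH user name "user" and the jumpbox address 192.168.100.10 are assumptions taken from this page's example.

```shell
#!/bin/sh
# Added example, not code from the XFLTReaT wiki or project.
# Assumptions: config keys as in the snippet above; the jumpbox is reachable
# at the address passed as second argument; SSH user "user" as in the wiki.

# cfg_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION],
# nothing if it is missing. Minimal awk, enough for the snippet's format.
cfg_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect                          { in_sect = 1; next }
        /^\[/                               { in_sect = 0 }
        in_sect && $1 == key && $2 == "="   { print $3; exit }
    ' "$1"
}

# check_ssh_bridge_config FILE JUMPBOX_IP
# Verifies the loopback-forward setup and prints the ssh -L command to use.
# Returns 1 (with a message on stderr) on a misconfiguration.
check_ssh_bridge_config() {
    cfg="$1"; jump="$2"
    remote=$(cfg_get "$cfg" Global remoteserverip)
    override=$(cfg_get "$cfg" Global overriderouter)
    enabled=$(cfg_get "$cfg" TCP_generic enabled)
    port=$(cfg_get "$cfg" TCP_generic serverport)

    [ "$enabled" = "yes" ] || { echo "TCP_generic module is not enabled" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "serverport must be a number" >&2; return 1 ;; esac
    if [ "$remote" = "127.0.0.1" ]; then
        # The client talks to the local end of the SSH forward, so the jumpbox's
        # real address must be given via overriderouter, otherwise the route
        # change made by the client cuts the SSH session the tunnel rides on.
        case "$override" in
            ''|127.0.0.1|0.0.0.0)
                echo "remoteserverip is loopback but overriderouter is not the jumpbox IP" >&2
                return 1 ;;
        esac
        [ "$override" = "$jump" ] || {
            echo "overriderouter ($override) differs from the jumpbox IP ($jump)" >&2
            return 1
        }
    fi
    # Same port on both ends: the client config (same file) connects to
    # 127.0.0.1:serverport, the forward delivers it to the jumpbox's listener.
    printf 'ssh user@%s -L%s:127.0.0.1:%s\n' "$jump" "$port" "$port"
}

# Constructed sample config, copied from the snippet above (other sections omitted).
sample_config() {
    cat <<'EOF'
[Global]
remoteserverip = 127.0.0.1
overriderouter = 192.168.100.10

[Authentication]
module = saltedsha512
key = RANDOM_GENERATED_SECURE_AND_LONG_PASSPHRASE

[Encryption]
module = none

[TCP_generic]
enabled = yes
serverport = 1337
EOF
}

# Usage: write the sample to a temporary file and check it.
tmp=$(mktemp)
sample_config > "$tmp"
check_ssh_bridge_config "$tmp" 192.168.100.10
rm -f "$tmp"
```

Run it against the real xfltreat.conf instead of the sample before starting the client; a non-zero exit means the route change the client makes would leave the jumpbox unreachable.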

Execution

If the SSH port forward is set up properly and the XFLTReaT server is running on the jumpbox, then the client, started with the same configuration on the penetration tester's machine, should be able to connect to the server. Packets are only forwarded if the iptables rule and the ip_forward sysctl value were set on the jumpbox (see Configuring Linux).
Now every IP and service in the segregated network should be accessible from the penetration tester's machine.

Using Nessus and other tools

The most convenient way to use XFLTReaT with other tools such as Nessus is to turn the client machine into a router. On the box where the framework runs as a client, the following commands should be executed in advance (as root):
# sysctl -w net.ipv4.ip_forward=1
# iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
Change the IP range and the interface if they do not match your configuration; the -o argument has to name the interface the scanners' packets actually leave on towards the tunnel, otherwise the MASQUERADE rule never matches.

With these settings the penetration tester's machine acts as a router, so every computer on the same network could use it to forward packets. It is highly advised to drop all forwarded packets with firewall rules except those coming from the machines that are supposed to use this functionality (such as Nessus).

On the Nessus and other virtual machines, replace the default route with the IP of the client machine:
# route del default
# route add default gw 192.168.200.20

Nessus will route everything through the client machine, which in turn routes everything through the bridge, via SSH, into the segregated network.
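The router-side steps above, collected into one script as an added example (not from this wiki page or the XFLTReaT project): enabling ip_forward, a FORWARD chain that drops everything except traffic from the listed scanner VMs (the firewall rules the text advises), the MASQUERADE rule, and the default-route change a scanner VM makes. The LAN 192.168.200.0/24 on eth0, the client host at 192.168.200.20, a constructed scanner VM address 192.168.200.30 and the tunnel-side interface name (tun0 stands in for whatever interface the framework created) are assumptions to adapt. DRY_RUN=1, the default here, prints the commands instead of executing them, so the script runs without root; set DRY_RUN=0 on the real box.

```shell
#!/bin/sh
# Added example, not code from the XFLTReaT wiki or project.
# Assumed values (adapt): scanner VMs on 192.168.200.0/24 behind eth0, this
# client host at 192.168.200.20, one allowed scanner at 192.168.200.30, and
# "tun0" as a stand-in for the interface the framework created.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_router LAN_IF LAN_NET OUT_IF SCANNER_IP...
# LAN_IF/LAN_NET: where the scanner VMs live. OUT_IF: the interface scanner
# traffic leaves on towards the tunnel (the -o of MASQUERADE must match it).
# Only the listed SCANNER_IPs may forward through this host; the rest is dropped.
setup_router() {
    lan_if="$1"; lan_net="$2"; out_if="$3"; shift 3
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny for forwarded traffic; replies are let back in by conntrack.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for scanner in "$@"; do
        run iptables -A FORWARD -i "$lan_if" -s "$scanner" -j ACCEPT
    done
    # Same NAT rule as the wiki, with the outgoing interface parametrised.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$out_if" -j MASQUERADE
}

# scanner_default_route CLIENT_IP: run on each scanner VM (not on the router)
# to send everything through the XFLTReaT client host, as the wiki does.
scanner_default_route() {
    run route del default
    run route add default gw "$1"
}

# Demo: router side first, then what a scanner VM would run.
setup_router eth0 192.168.200.0/24 tun0 192.168.200.30
scanner_default_route 192.168.200.20
```

The FORWARD policy and the ESTABLISHED,RELATED rule are what keep other hosts on 192.168.200.0/24 from quietly using the client as their gateway; the MASQUERADE rule alone does not restrict who may forward.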

Hint: because the bridge is NAT'd, it is highly advised to run port scans from the jumpbox itself and do all other testing from the penetration tester's machine (the client).
