Tunneling TLS Scans Through SSH

Scanning SSL/TLS configurations is part of every pentesters skillset and an often occurring task. In order to detect some of the issues, for example the use of SSLv2, certain requirements have to be met by the scanning tool. In the mentioned example, it’s that the scanner must have been build with support for SSLv2, since this is disabled by default for security reasons. In other cases, it might be enough to simply update the scanner to the most recent version. This can lead to a problem if you can’t scan a host directly from your machine and have to run the scan from another host.

Building your tools with custom flags or building it to get the latest version from Github is rather easy, but doing the same thing on other hosts each time you can’t scan the target directly is annoying, time consuming and might sometimes not even be possible. Luckily there is an easy way to use your local tools and tunnel them through SSH to the desired target host.

For this scenario we are going to use three hosts, the pentest machine [A], the intermediate server [B], to which we can connect via SSH and the target [C]. A normal scan would go like this.

[A] === sslscan ===> [C]:443

Instead, what I’ve seen fellow pentesters do if they couldn’t reach the target directly, was this.

[A] === SSH ===> [B]:22
[B] === sslscan ===> [C]:443

While this can work, it’s time consuming and not guaranteed to, since you are at the mercy of host [B], a host that might not necessarily be under your full control or which lacks certain tools or repositories. Instead, I prefer to use SSH to open a tunnel between hosts [A] and [B] and let host [B] forward all my requests from [A] to [C], so that I have access to my full arsenal on tools and scripts.

This looks something like this.

[A] === sslscan ===> [A]:9000

This will open a listener on my hosts localhost interface on port 9000 and every request that is sent over this tunnel to [B], will be forwarded to [C]:443.

SSH -L localhost:9000:targethost:443 user@intermediatehost

# or in short, since localhost can be left out.
SSH -L 9000:target:443 user@intermediate

Once the tunnel is established, open a new shell and run the scan against [A]:9000, or localhost:9000.

sslscan localhost:9000

See the images below as an example I made with two virtual machines. The first one, target, only has the internal IP 192.168.56.101, which can be reached only by the second host, intermediate. Since the intermediate host has another interface that I can SSH into from my local machine, I can piggyback on it to scan the targets TLS/SSL configuration.

img-ssh-tunnel-target2intermediate img-ssh-tunnel-scan-localhost

SSH offers a variety of tricks to open connections and tunnel or forward traffic and is definitely worth a look at if you find yourself in at the mercy of your pivot hosts. You can even hop through multiple intermediate servers or use its reverse tunnel capabilities to bypass firewall.