reverse ssh tunnel, why it gets ipv6 address? - ssh-tunnel

I have two machines
ssh Machine1-IPv4
ssh -R 15:localhost:15 Machine2-IPv4
On the Machine2-IPv4, I can run
telnet ::1 15
netstat -ptln | grep 15 shows
tcp6 ... ::1:53 ...
However, I need an IPv4. What causes the IP to be IPv6?

Related

Why is my SSH tunnel from Windows not working and why am I getting verbose output related to Kubernetes?

I set up an ssh tunnel from my windows 10 machine to a linux box over port 5001. I set up a netcat listener on the linux box and verified it is listening correctly by sending a message to it from the local linux box. I've set up an ssh tunnel using Putty (which I've done a million times) from my Windows box to the linux box over port 5001. When I run netcat on my windows machine to send a message in verbose mode:
nc -vvv 127.0.0.1 5001 < message.txt
The connection just times out and I get the message:
kubernetes.docker.internal [127.0.0.1] 5001 (?) open
The only thing I can think of that this would be related to is that I recently installed "Docker Desktop For Windows". I don't know why netcat would be going through Docker, but it seems like it may be a Docker related issue. Any ideas on how to resolve this problem would be appreciated.
If I disable all of the entries related to kubernetes/docker in the hosts file and re-run the command I get:
myhost.mydomain.com [127.0.0.1] 5001 (?) open
I can see that port 5001 is being listened to on my windows machine because when I do a "netstat -an" I can see it:
TCP 127.0.0.1:5001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5001 0.0.0.0:0 LISTENING
TCP [::1]:5001 [::]:0 LISTENING
TCP [::1]:5001 [::]:0 LISTENING
This is not the exact answer to your question, but I sure it will guide you to fix your ssh tunnel issue.
you can stop the ssh tunnel and try netstat to find out what service using the port 5001
for the example I have list / grep all the connections for localhost:
C:\Users\myuser>netstat -ano | findstr "Proto" && netstat -ano | findstr "127.0.0.1"
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:54235 127.0.0.1:62522 ESTABLISHED 11280
TCP 127.0.0.1:54451 127.0.0.1:54452 ESTABLISHED 12300
TCP 127.0.0.1:54452 127.0.0.1:54451 ESTABLISHED 12300
TCP 127.0.0.1:55337 0.0.0.0:0 LISTENING 6976
TCP 127.0.0.1:57147 0.0.0.0:0 LISTENING 13432
TCP 127.0.0.1:62522 0.0.0.0:0 LISTENING 4084
TCP 127.0.0.1:62522 127.0.0.1:54235 ESTABLISHED 4084
UDP 127.0.0.1:1900 *:* 12672
UDP 127.0.0.1:50292 *:* 832
UDP 127.0.0.1:54549 *:* 10680
UDP 127.0.0.1:56491 *:* 12316
UDP 127.0.0.1:57739 *:* 20800
UDP 127.0.0.1:58253 *:* 6976
UDP 127.0.0.1:58950 *:* 3116
UDP 127.0.0.1:60327 *:* 2128
UDP 127.0.0.1:64274 *:* 12672
C:\Users\myuser>
-a Displays all connections and listening ports.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
Then using PID you can find which causing the issue for the example I used follwing connection
TCP 127.0.0.1:55337 0.0.0.0:0 LISTENING 6976
C:\Users\myuser>tasklist | findstr 6976
com.docker.proxy.exe 6976 Console 1 9,696 K
C:\Users\myuser>

How do i verify that port 5555 is open?

I have a task in a lab for my cyber-security class where I have to verify that the port 5555 is open and not in use via Command Prompt. I have tried the following command with these flags:
command used to check port 5555
You can do a nmap scan on that port to see if its open or close; also you can get more information about the port if its open this way.
nmap -vvv <ip> -p 5555
if you are looking for a fast way you can try to connect to that port and see using netcat or telnet
nc localhost 5555
telnet localhost 5555
if the port is close your connection will drop if its open the connection wont close if the application running on port 5555 has a header you can also see that.
in case you looking for open ports in your own computer you can do ss -lnpt which will show all open ports. then you can grep for port 5555
You can either use netstat or sudo lsof -i tcp:5555.
If you don't get a response on your terminal, it means that there's nothing running on port 5555.

Creating a script to connect to ssh from nmap output

I'm trying to make a script to connect to server via ssh but i'm a bash noob. I do not know the ip and have to use nmap to scan the range. What i want is a script to connect or try to connect to the ip's from nmap output. (with try i mean one of the ips would be my ip, so connecting to this one is useless)
All i got so far is scanning the range with namp -sP 192.168.42.1/24
I have found an nmap filter to only scan for port 22
Here is what I get.
$ nmap --open -p22 192.168.42.*
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 08:55 CEST
Nmap scan report for 192.168.42.113
Host is up (0.0057s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (2 hosts up) scanned in 59.63 seconds
You can simply use netcat which is fast.nmap takes too long to scan range.
for i in {1..254..1}
do
if nc -w 1 -zv 192.168.42.$i 22 &>> /dev/null
then
ssh 192.168.42.$i
fi
done

ftp is not resolving hostname from hosts file

I have hostname in /etc/hosts,
10.0.0.124 hostname.domain hostname
I can ping and ssh to hostname. When I enter
ftp 10.0.0.124
or
ftp hostname
I get "No route to host" in response. When I comment out that line, and try
ftp hostname
ftp responds "Name or service not known". So ftp is looking in the hosts file but apparently does not believe it. Why not?? I am on CentOS 6.5 and ftp was installed using yum install ftp. The ftp daemon running on hostname is vsftpd.
And fixed! The problem was that hostname's firewall was configured to drop ftp packets. Obvious! Inserted
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
in /etc/sysconfig/iptables, and restarted iptables service. Done!

Change ssh tunnel direction with the same port?

I'm using an ssh tunnel to forward a port to a db server.
Let's say I'm using mysql, so my ssh command would be something along the lines of
ssh -fqTN -L 12345:127.0.0.1:3306 user#server.com
based on the method of transfer (sync from or sync to) I want to use either the -L or -R flags.
I do need the -L flag at first though, so I open the tunnel above anyway.
My question is though -
If after now run
ssh -fqTN -R 12345:127.0.0.1:3306 user#server.com
Will it replace the above command and make a reverse tunnel on the same port?
The second command will not "replace" the first command, but it will work just fine.
You started with:
ssh -fqTN -L 12345:127.0.0.1:3306 user#server.com
This opens port 12345 on your local system and forwards it to 127.0.0.1:3306 from the perspective of the remote system, so that you can access the mysql server on the remote system using local port 12345.
The second command...
ssh -fqTN -R 12345:127.0.0.1:3306 user#server.com
...opens port 12345 on the remote system and forwards it to 127.0.0.1:3306 from the perspective of your local system, allowing the remote system to access a mysql server on your local host via port 12345.
This doesn't conflict with the original command, so these can both be run at the same time.
Update
Responding to your comment here, because I want to quote some command output:
If I run:
ssh -R 12345:127.0.0.1:3306 remote_system
Then on remote_system I run lsof -i -n, I see:
sshd 23280 lars 10u IPv6 37263762 0t0 TCP [::1]:italk (LISTEN)
sshd 23280 lars 11u IPv4 37263763 0t0 TCP 127.0.0.1:italk (LISTEN)
And from /etc/services, we see that italk is port 12345. If you add -P to your lsof command line it will not try to translate port numbers to service names:
# lsof -i -n -P | grep 12345
sshd 23280 lars 10u IPv6 37263762 0t0 TCP [::1]:12345 (LISTEN)
sshd 23280 lars 11u IPv4 37263763 0t0 TCP 127.0.0.1:12345 (LISTEN)

Resources