SCENARIO 2.3 – ENCRYPTION
EXPERIMENT 8 – SSH TUNNELS
Encrypted data makes it very difficult for an IDS to examine the payload for attacks, because the sensor cannot actually see the contents; this is one of the inherent limitations of IDSs. For this part of the experiment the author used SSH tunnels to encrypt the traffic between the attacker and the target. Figure 6.45 shows the attacker creating a dynamic SSH port listening on the localhost on port 8888, and an SSH forwarder listening on localhost port 8881 that forwards traffic to the target 192.168.59.130 on destination port 3632 (DISTCC).

Figure 6.45: SSH tunnel being created on the localhost
This means that any traffic the attacker directs to port 8888 on the localhost is encrypted by the SOCKS 5 SSH tunnel, passed out of local port 8881, and then forwarded to the target 192.168.59.130 on destination port 3632, which is the vulnerable DISTCC service.

Figure 6.46: Exploit sent to target via encrypted tunnel
Figure 6.46 above shows the exploit being executed and a shell being opened; as illustrated by figure 6.47, no alerts were raised, which means the technique successfully evaded detection.

Figure 6.47: Snort Statistics
As can be seen here, out of all the packets that were received and analysed, zero alerts were generated.
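The result above is a consequence of where a signature-based IDS looks: it matches on payload bytes, and once the same bytes travel inside an SSH session it sees only ciphertext. The following Python model is an added example (not code from the original write-up or from Snort) that makes that limitation concrete and shows what a sensor can still observe. It assumes a toy signature marker, a constructed attacker address (192.168.59.128), a constructed pivot address for the SSH server (192.168.59.131, since the write-up does not say where the SSH endpoint sits), and a SHA-256 keystream XOR as a stand-in for SSH's real transport encryption; the target 192.168.59.130:3632 is the one named in the text.

```python
"""Added example: why payload-signature inspection is blind to a tunnelled
exploit, and what metadata-level indicators remain visible.

Everything here is constructed for illustration: the signature marker,
the attacker and pivot addresses, the sample packets and the toy cipher.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature set: the marker bytes are a placeholder, not a real
# Snort content match for the DISTCC exploit.
SIGNATURES = {"TOY-DISTCC-EXPLOIT": b"TOY_EXPLOIT_MARKER"}


def inspect_payload(packets, signatures=SIGNATURES):
    """Payload-signature inspection: the only thing a classic IDS rule can
    match on. Returns one alert tuple per (packet, signature) hit."""
    alerts = []
    for pkt in packets:
        for name, pattern in signatures.items():
            if pattern in pkt.payload:
                alerts.append((name, pkt.src, pkt.dst, pkt.dport))
    return alerts


def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for SSH's transport encryption (NOT a real cipher): XOR the
    data with a SHA-256 counter keystream. Enough to show that the sensor
    is left with opaque bytes. Applying it twice with the same key decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def tunnel_through_ssh(packets, ssh_host: str, key: bytes):
    """Model what the wire carries once the same packets go through an SSH
    forwarder: the inner destination and payload are wrapped and encrypted,
    and the outer connection is just 'src -> ssh_host:22'."""
    wire = []
    for pkt in packets:
        inner = f"{pkt.dst}:{pkt.dport}|".encode() + pkt.payload
        wire.append(Packet(pkt.src, ssh_host, 22, toy_keystream_xor(inner, key)))
    return wire


def inspect_metadata(packets, known_ssh_peers):
    """What remains observable without decrypting: which hosts talk SSH to
    which, and how many bytes they move. Flags SSH flows between pairs that
    are not in the expected-peer baseline."""
    flows = {}
    for pkt in packets:
        if pkt.dport != 22:
            continue
        flows[(pkt.src, pkt.dst)] = flows.get((pkt.src, pkt.dst), 0) + len(pkt.payload)
    return [("UNEXPECTED-SSH-PEER", src, dst, nbytes)
            for (src, dst), nbytes in flows.items()
            if (src, dst) not in known_ssh_peers]


# Constructed sample traffic from the (assumed) attacker 192.168.59.128 to the
# target's DISTCC port: one benign-looking request and one carrying the marker.
SAMPLE = [
    Packet("192.168.59.128", "192.168.59.130", 3632, b"constructed benign request"),
    Packet("192.168.59.128", "192.168.59.130", 3632, b"...TOY_EXPLOIT_MARKER..."),
]


def run_demo():
    """Run the three inspections and return their alert counts."""
    plain_alerts = inspect_payload(SAMPLE)
    # Assumed pivot 192.168.59.131 hosts the SSH server the tunnel terminates on.
    wire = tunnel_through_ssh(SAMPLE, ssh_host="192.168.59.131", key=b"session-key")
    tunnelled_alerts = inspect_payload(wire)
    # Baseline of expected SSH peers: an admin host (constructed) to the pivot.
    baseline = {("192.168.59.10", "192.168.59.131")}
    meta_alerts = inspect_metadata(wire, baseline)
    return {
        "plain_alerts": len(plain_alerts),
        "tunnelled_alerts": len(tunnelled_alerts),
        "metadata_alerts": len(meta_alerts),
    }


if __name__ == "__main__":
    print(run_demo())
```

The payload detector fires on the plaintext sample and stays silent on the tunnelled copy, matching the zero-alert statistics in figure 6.47. The metadata detector does raise an indicator, but only an unexpected SSH peer, not the exploit itself; in practice that is why encrypted-traffic coverage relies on SSH peer baselines, flow volume and host-based monitoring of the service on the target rather than on network payload signatures.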
In the upcoming posts, we will discuss all the findings and future work, and conclude this series with a closing discussion.