How to scan and surf an internal network

7th Jul 2017

Let's say you have terminal access to a server and you want to perform a scan of the internal network. Moreover, you want to actually surf any intranet site with your browser.
Usually you would create a dynamic port forward using SSH, but what if it was disabled? Despair not, proxy and port forwarding are here to rescue you!

These aren't the ports you're looking for

Few weeks ago an hosting company asked me to take a look at their configuration and their internal network. After reviewing the "starting" server, I wanted to do a network scan.

So I did as usual: in my local machine I asked SSH to create a dynamic port forward with ssh -D 1080 user@remote and then started nmap with proxychains.

After few seconds of no results, I observerd the following error in the console:

channel 1: open failed: administratively prohibited: open failed

Some researches revealed that the source of the error relies inside SSH agent configuration: that's actually a smart move, kudos to the sysadmin.
However nothing is lost: if I can't connect my nmap installation, let's bring the executable to the server! What we need is nmap statically compiled (think about it as a "portable" installation): everything is inside the executable, so no external dependencies are required.

After some googling I found a couple of repositories serving nmap statically compiled (here and here). It's not the last version, but it's better than nothing.

So we have a workaround for this issue, but the original problem is still there. What if we want to surf any intranet site? We could use wget to grasp its contents, but that's not very practical.

Fasten your seatbelts for a port forwarding ride

Generally speaking, we have to find a way to load the site from the inside and "serve it" to the outisude. This is the perfect job for an HTTP proxy, however there are several constrains that should be fulfilled:

  1. It's not possible to open any new port on the server
  2. Dynamic port forwarding is not possible (see above)
  3. HTTPS support is required

With an HTTP proxy, you usually start it and tell him to listen on a specific port. Then you have to configure your browser to use that port and the remote IP as proxy.

Sadly, as stated on the first point, I wasn't able to open any new port on the server.
What I can do, however, is to connect a local port from the remote server to my local machine; then bind that local port to the HTTP proxy. Finally configure my browser to my own local port and start surfing.

Let's review the required steps:

  1. Local machine Your SSH agent should be reachable from the Internet. This means that you'll have to setup some port forwarding in your router: when someone asks to connect to port 22, your router will have to forward such request to your PC, instead of handling it.

  2. Remote server With an active terminal session, create a remote port forwarding:
    ssh -R *:8080:localhost:3000 your_pc_username@your_pc_IP

    In this way you have connected the port 8080 of your PC to the 3000 one of the server. Please note that since this is an outgoing request from the server, the firewall lets you do that; usually it only blocks incoming requests.

  3. Remote server Start an HTTP proxy listening on port 3000. In this case I used a Python based proxy since Python was available on the server.

    python 3000
  4. Local machine Finally open your browser settings and setup as your HTTP proxy. In this way you can use any internal IP to surf the intranet using private IPs (ie

When you'll open an URL, the request will be redirected on your local port 8080, entering the SSH tunnel. It will exit on the remote server on port 3000, ready to be caught by the HTTP proxy that will handle it and send it to the correct internal IP.

What a ride, uh?


Blog Comments powered by Disqus.