Purpose: Automated SSH pivoting with transparent traffic routing
Tool: sshuttle - Python-based SSH tunnel manager
Key Feature: Automatic iptables configuration (no proxychains needed)
Protocol: SSH-only (no TOR/HTTPS proxy support)
Advantage: Direct tool usage without proxy configuration
- Language: Python-based networking tool
- Function: Automated SSH pivot with transparent routing
- Mechanism: Creates iptables rules for traffic redirection
- Scope: SSH tunneling only (no other protocols)
- Philosophy: "VPN over SSH" approach
| Aspect | sshuttle | SSH + proxychains |
|---|---|---|
| Setup | Single command | SSH tunnel + proxychains config |
| iptables | Automatic | Manual/none |
| Application Support | All TCP traffic | SOCKS-aware only |
| Transparency | Completely transparent | Requires proxy awareness |
| Performance | High (kernel-level) | Lower (userspace proxy) |
| Protocol Support | SSH only | SSH/SOCKS/HTTP/TOR |
- No proxychains configuration required
- Automatic iptables management for routing
- Transparent operation - tools work normally
- Kernel-level routing - better performance
- Simple command syntax - easy to use
- SSH-only protocol support
- No TOR/HTTPS proxy integration
- Requires root privileges for iptables
- TCP traffic only (no UDP support with default method)
- Python dependency required
# Install from package manager
sudo apt-get install sshuttle
# Expected output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
autossh
The following NEW packages will be installed:
sshuttle
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 91.8 kB of archives.
After this operation, 508 kB of additional disk space will be used.# Install via pip (latest version)
sudo pip3 install sshuttle
# Install from source
git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
sudo python3 setup.py install
# Arch Linux
sudo pacman -S sshuttle
# macOS with Homebrew
brew install sshuttle# Check installation
sshuttle --version
# sshuttle 1.1.0
# Check help
sshuttle --help[Attack Host] → [Ubuntu Pivot] → [Internal Network]
10.10.14.18 10.129.202.64 172.16.5.0/23
sshuttle SSH Server Target Network
iptables rules
# Basic sshuttle pivoting
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
# Command breakdown:
# -r - Remote SSH server
# ubuntu@10.129.202.64 - Username and pivot host
# 172.16.5.0/23 - Network to route through pivot
# -v - Verbose outputStarting sshuttle proxy (version 1.1.0).
c : Starting firewall manager with command: ['/usr/bin/python3', '/usr/local/lib/python3.9/dist-packages/sshuttle/__main__.py', '-v', '--method', 'auto', '--firewall']
fw: Starting firewall with Python version 3.9.2
fw: ready method name nat.
c : IPv6 enabled: Using default IPv6 listen address ::1
c : Method: nat
c : IPv4: on
c : IPv6: on
c : UDP : off (not available with nat method)
c : DNS : off (available)
c : User: off (available)
c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
c : (<AddressFamily.AF_INET: 2>, '172.16.5.0', 32, 0, 0)
c : Subnets to exclude from forwarding:
c : (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
c : (<AddressFamily.AF_INET6: 10>, '::1', 128, 0, 0)
c : TCP redirector listening on ('::1', 12300, 0, 0).
c : TCP redirector listening on ('127.0.0.1', 12300).
c : Starting client with Python version 3.9.2
c : Connecting to server...
ubuntu@10.129.202.64's password: HTB_@cademy_stdnt!
s: Running server on remote host with /usr/bin/python3 (version 3.8.10)
s: latency control setting = True
s: auto-nets:False
c : Connected to server.# sshuttle automatically creates these rules:
fw: setting up.
fw: ip6tables -w -t nat -N sshuttle-12300
fw: ip6tables -w -t nat -F sshuttle-12300
fw: ip6tables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: ip6tables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN --dest ::1/128 -p tcp
fw: iptables -w -t nat -N sshuttle-12300
fw: iptables -w -t nat -F sshuttle-12300
fw: iptables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: iptables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 172.16.5.0/32 -p tcp --to-ports 12300# Direct nmap scan through sshuttle tunnel
nmap -v -sV -p3389 172.16.5.19 -A -Pn
# Expected results:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-08 11:16 EST
NSE: Loaded 155 scripts for scanning.
Nmap scan report for 172.16.5.19
Host is up.
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: INLANEFREIGHT
| NetBIOS_Domain_Name: INLANEFREIGHT
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: inlanefreight.local
| DNS_Computer_Name: DC01.inlanefreight.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-14T02:58:25+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows# ALL tools work transparently:
# Web requests
curl http://172.16.5.19
# Database connections
mysql -h 172.16.5.19 -u admin -p
# FTP access
ftp 172.16.5.19
# SSH connections
ssh administrator@172.16.5.19
# RDP connections
xfreerdp /v:172.16.5.19 /u:victor /p:pass@123# Interactive password prompt
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23
# Password from file (less secure)
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --ssh-cmd 'ssh -o PasswordAuthentication=yes'# Using SSH key
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --ssh-cmd 'ssh -i /path/to/key'
# Using ssh-agent
eval $(ssh-agent)
ssh-add ~/.ssh/pivot_key
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23# Route multiple networks
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 192.168.1.0/24 10.0.0.0/8
# Auto-detect networks (dangerous!)
sudo sshuttle -r ubuntu@10.129.202.64 0/0
# Exclude specific networks
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -x 172.16.5.1/32# Route DNS queries through tunnel
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --dns
# Custom DNS server
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --dns --ns 172.16.5.1# Custom method (for special cases)
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --method=nat
# Custom SSH port
sudo sshuttle -r ubuntu@10.129.202.64:2222 172.16.5.0/23
# Daemon mode
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -D
# Custom pidfile
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --pidfile=/var/run/sshuttle.pidTask: "Try using sshuttle from Pwnbox to connect via RDP to the Windows target (172.16.5.19) with 'victor:pass@123'"
# Check if sshuttle is available
which sshuttle
# Install if missing
sudo apt-get update
sudo apt-get install sshuttle# Connect through Ubuntu pivot to internal network
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
# Enter password when prompted:
ubuntu@10.129.202.64's password: HTB_@cademy_stdnt!
# Wait for connection confirmation:
c : Connected to server.
fw: setting up.
# ... iptables rules created automatically# Test connectivity to target
ping -c 3 172.16.5.19
# Scan RDP port
nmap -p 3389 172.16.5.19
# Expected: Port 3389 open# Connect via RDP (multiple methods)
# Method 1: xfreerdp
xfreerdp /v:172.16.5.19 /u:victor /p:pass@123 /cert:ignore
# Method 2: rdesktop
rdesktop -u victor -p pass@123 172.16.5.19
# Method 3: krdc (KDE)
krdc rdp://victor:pass@123@172.16.5.19# Verify successful RDP connection to Windows target
# Should see Windows desktop as user "victor"
# When done, stop sshuttle (Ctrl+C in terminal)
^C
c : Keyboard interrupt: exiting.
fw: undoing changes.
# iptables rules automatically cleaned upAnswer: "I tried sshuttle"
| Method | Setup Complexity | Tool Transparency | Performance | Protocol Support |
|---|---|---|---|---|
| sshuttle | Low (single command) | High (fully transparent) | High (kernel-level) | SSH only |
| SSH + proxychains | Medium (config files) | Medium (SOCKS-aware) | Medium (userspace) | Multiple protocols |
| Meterpreter | High (payload + handler) | Low (manual forwarding) | Medium | Multiple protocols |
| Socat | Medium (multiple commands) | Low (manual setup) | High | Any TCP/UDP |
| Plink + Proxifier | High (Windows GUI config) | High (app-specific) | Medium | Windows-centric |
✅ SSH access available to pivot host
✅ Transparent tool usage required
✅ Multiple tools need network access
✅ Performance is critical (kernel routing)
✅ Simple setup preferred over complex configurations
❌ No SSH access (use Meterpreter/Socat)
❌ UDP traffic required (use SSH local forwards)
❌ TOR/HTTP proxy needed (use proxychains)
❌ Windows-only environment (use Plink)
❌ Stealth operation (iptables changes detectable)
# Problem: iptables modification failed
ERROR: Failed to modify iptables rules
# Solutions:
1. Run with sudo
sudo sshuttle -r user@host network
2. Check iptables permissions
sudo iptables -L
3. Verify user has sudo rights
sudo -l# Problem: Cannot connect to SSH server
Permission denied (publickey,password)
# Solutions:
1. Test SSH connection first
ssh ubuntu@10.129.202.64
2. Use key authentication
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --ssh-cmd 'ssh -i key'
3. Check SSH service status
sudo systemctl status ssh# Problem: Cannot reach target network
Network unreachable
# Solutions:
1. Verify network range
ip route show | grep 172.16.5
2. Test SSH server routing
ssh ubuntu@10.129.202.64 'ip route'
3. Check target network existence
ssh ubuntu@10.129.202.64 'ping 172.16.5.19'# Problem: iptables rules not cleaned up
Rules persist after sshuttle exit
# Solutions:
1. Manual cleanup
sudo iptables -t nat -F sshuttle-12300
sudo iptables -t nat -X sshuttle-12300
2. Force kill and cleanup
sudo pkill sshuttle
sudo iptables -t nat -L | grep sshuttle
3. Restart networking
sudo systemctl restart networking# Chain multiple sshuttle connections
# Terminal 1: First pivot
sudo sshuttle -r user1@pivot1 10.0.0.0/8
# Terminal 2: Second pivot (through first)
sudo sshuttle -r user2@10.0.1.5 192.168.0.0/16 --ssh-cmd 'ssh -o ProxyCommand="ssh -W %h:%p user1@pivot1"'# Create systemd service
sudo cat > /etc/systemd/system/sshuttle-pivot.service << EOF
[Unit]
Description=sshuttle pivot tunnel
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/bin/sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
# Enable and start service
sudo systemctl enable sshuttle-pivot
sudo systemctl start sshuttle-pivot# Combine with local port forwards
ssh -L 8080:172.16.5.19:80 ubuntu@10.129.202.64 &
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23
# Access both ways:
curl http://localhost:8080 # SSH local forward
curl http://172.16.5.19 # sshuttle routing# Enable compression for slow links
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --ssh-cmd 'ssh -C'
# Adjust buffer sizes
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --python /usr/bin/python3
# Use specific SSH cipher
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --ssh-cmd 'ssh -c aes128-ctr'# Monitor sshuttle traffic
sudo tcpdump -i any host 10.129.202.64
# Check iptables packet counts
sudo iptables -t nat -L sshuttle-12300 -v
# Monitor bandwidth usage
iftop -i eth0 -f "host 10.129.202.64"# Check sshuttle processes
ps aux | grep sshuttle
# Monitor memory usage
top -p $(pgrep sshuttle)
# Check network connections
ss -tuln | grep :12300- iptables Modifications - detectable by system administrators
- Process Visibility - sshuttle processes visible in ps output
- Network Traffic - SSH connections to pivot hosts logged
- DNS Queries - may leak information if --dns used
- Root Privileges - requires elevated access
# Use non-standard SSH ports
sudo sshuttle -r ubuntu@10.129.202.64:2222 172.16.5.0/23
# Vary connection timing
sleep $((RANDOM % 300)); sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23
# Clean process names (limited effectiveness)
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 --python /usr/bin/python3# Proper shutdown
# Use Ctrl+C to stop sshuttle (auto-cleanup)
# Emergency cleanup
sudo pkill -f sshuttle
sudo iptables -t nat -F
sudo iptables -t nat -X
# Clear SSH known_hosts entries
ssh-keygen -R 10.129.202.64# Use Metasploit normally with sshuttle active
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.5.0/24
msf6 auxiliary(scanner/portscan/tcp) > run
# No proxy configuration needed!# Full network scans through sshuttle
nmap -sS -A 172.16.5.0/24
# Service enumeration
nmap -sV -p- 172.16.5.19
# Vulnerability scanning
nmap --script vuln 172.16.5.19# Any TCP application works transparently
telnet 172.16.5.19 23
nc 172.16.5.19 445
python3 -c "import socket; s=socket.socket(); s.connect(('172.16.5.19', 80))"- HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 9
- sshuttle GitHub: Official Repository
- sshuttle Documentation: ReadTheDocs
- Man Page:
man sshuttle - Python SSH Tunneling: SSH Tunnel Techniques