Port Forwarding | Infiltr8: The Red-Book

Last updated 1 year ago

Was this helpful?

Theory

Port forwarding involves using any compromised host as a Jump Box to pivot to other hosts to which we do not have direct access from our attacking host. We configure the compromised host to listen on a port and relay all packets received on that port to another destination (and vice versa for a remote forward).

There are fore main types of port forwarding:

Local port forwarding: Open a local port on the compromised server and redirect incoming traffic to an other port on the same host or to a different host in a remote network.
Remote port forwarding: Open a local port on our attacking server and redirect incoming traffic to a port on a remote machine through a compromised intermediary machine (the Jump Box).
Dynamic port forwarding (Forward Proxy): tunnel the whole attacker's network traffic (instead of only one port) through the compromised machine opened SOCKS port.
Remote dynamic port forwarding (Reverse Proxy): tunnel the whole network traffic from a remote machine through the attacker's machine SOCKS port.

In brief, while in local and dynamic port forwarding, the listening port is bound to the client, in remote port forwarding and remote dynamic port forwarding, the listening port is bound to the server. It should be noted that we prefer to use remote techniques, which will open the port on our attacking machine and have a greater chance of evading network defences.

Practice

SSH tunneling

SSH Local Forwarding: Open a local port on the SSH client and redirect incoming traffic from that port to a specific port through the SSH tunnel established with the server.
SHH Remote forwarding: Open a remote port on the SSH server and redirect incoming traffic from that port to a specific port through the SSH tunnel established with the server.
SSH Dynamic port forwarding (Forward Proxy): The SSH client creates a local SOCKS proxy server port to tunnel the whole attacker's network traffic
SSH Reverse dynamic port forwarding (Reverse Proxy): The SSH client creates a remote SOCKS proxy server port on the SSH server to tunnel the whole attacker's network traffic

Microsoft has introduced its native implementation of the OpenSSH server for Windows. So this technique may works with both UNIX and Windows servers/clients.

This example opens a connection to the jump-server.net, and forwards any connection to port 80 on the local machine (attacking machine) to port 80 of intra.example.com.

On the compromised computer (Jump Box), we can connect back to the attacking machine with a reverse port forward using the following command, this example produce the same result as previously seen with Local Forwarding. Any connection on ATTACKING_IP:8000 will be redirected on intra.example.com:80

Since we'll be making a connection back to our attacking machine, we'll create a user with limited console access for tunneling and assign a dedicated password for tunnel management.

Ensure to generate SSH keys for the tunnel user, and subsequently, add the generated public key to both the authorized_keys file and the Jump Box.

its possible to create a Dynamic Port Forwarding (Forward proxy) using SSH.

For example, by using the following command on our attacking host, SOCKS port 9090 will be opened on our attacking machine. Traffic sent via this port will be pushed through the SSH tunnel to the Jump Host, then forwarded wherever they are addressed.

Once configured, you can use proxychains on your attacking host to run applications through the proxy network connections.

A little reminder on how to config ProxyChains. In this example, we just have to add the following line to /etc/proxychains.conf:

In newer versions of the SSH client, it is also possible to create a Remote Dynamic Port Forwarding (Reverse Proxy).

This feature is available since OpenSSH 7.6. Despite this, only the OpenSSH client needs to be at version 7.6 or above to make it works.

By using this command on the compromised host (Jump Box), SOCKS port 9090 will be opened on our attacking machine (the SSH server). Traffic sent via this port will be pushed through the SSH tunnel to the Jump Box, then forwarded wherever they are addressed.

Once configured, you can use proxychains on your attacking host to run applications through the proxy network connections.

A little reminder on how to config ProxyChains. In this example, we just have to add the following line to /etc/proxychains.conf:

SOCAT

Windows version is unlikely to bypass Antivirus software by default, so custom compilation may be required.

Setting up a Local port forward with SOCAT involves opening a listening port on the compromised server and redirecting incoming traffic to a target server.

Using this command on the Jump-Box will open port 33060 on it, and forward any connection from this port to port 3306 on 172.16.0.10.

Setting up a reverse port forwarding with SOCAT involves to redirect any local traffic from a port of our attacking server to a port on a remote machine via the compromised machine (Jump Box).

This example will forward any traffic from localhost:8000, on our attacking machine, to 172.16.0.10:80 trough the compromised Jump Box.

First of all, on our attacking machine, we issue the following command:

Next, on the compromised machine (Jump Box) we execute this command.

This method doesn't require opening up a port on the compromised server.

CHISEL

Setting up a Reverse Proxy involves connecting from the compromised server to a listener on the attacking machine. Then, the Chisel client (Jump Box) opens/creates a remote SOCKS proxy server port on the Chisel Server (Attacking Host).

On the attacking host:

On the compromised host, after uploading chisel, we use the following command:

Once configured, you can use proxychains on your attacking host to run applications through the proxy network connections.

A little reminder on how to config ProxyChains with Chisel. We just have to add the following line to /etc/proxychains.conf:

Setting up a Forward Proxy involves connecting from the attacking host to a listener on the compromised machine (Jump Box). Then, the Chisel client creates a local SOCKS proxy server port.

On the compromised host, we would use the following command:

On the attacking host, using the following command, we will open the local PROXY_PORT port on our attacking host.

Like with the reverse proxy, you can use proxychains to run applications through the proxy network connection.

Forward proxies are less common than reverse proxies for the same reason as why reverse shells are more prevalent than bind shells. In broad terms, outbound traffic managed by egress firewalls tends to be subjected to less strict controls than inbound connections regulated by ingress firewalls.

A Local Port Forward is when we connect from our own attacking machine to a chisel server listening on a compromised target, and open a local listening port for forwarding.

On the compromised target (jump box) we set up a chisel server:

On the attacking host, we would use the following command. It will connect to the compromised host running a chisel server, forwarding our local port 2222 to 172.16.0.10:22 (our intended target).

PLINK

To create a reverse connection, we can execute the following command on our compromised host (Jump Box).

As with SSH Remote Forwarding, any connection on ATTACKING_IP:8000 will be redirected on 172.16.0.10:80.

Since we'll be making a connection back to our attacking machine, we'll create a user with limited console access for tunneling and assign a dedicated password for tunnel management.

Ensure to generate SSH keys for the tunneluser, and subsequently, add the generated public key to both the authorized_keys file and the Jump Box.

To generate a Plink usable private key, we can use following bash commands

Netsh

On windows, Netsh requires administrative privileges to create a port forward.

We can setup a Local Port Forward using the Netsh commands on the compromised host (Jump Box).

The following command will open the local port 2222 on the Jump Box, and forward any connection from it to 192.168.50.44:22.

Then, we ensure that the connections will be allowed on firewall

After we successfully performed our port forwarding, we can clear our tracks like so.

Resources

Last updated 1 year ago

Was this helpful?