Port Forwarding

Port Forwarding Using SSH

$ ssh -L 1234:localhost:3306 Ubuntu@10.129.202.64

-L tells the ssh client to forward all requests sent to port 1234 to the localhost:3306 of the Ubuntu Server

Note: to confirm port forwarding, we can see that port 1234 is open on our machine

$ netstat -antp | grep 1234

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4034/ssh            
tcp6       0      0 ::1:1234                :::*                    LISTEN      4034/ssh

Forwading Multiple Ports

$ ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@10.129.202.64

Dynamic Port Forwading (SOCKS)

$ ssh -D 9050 ubuntu@10.129.202.64

-D tells ssh to do dynamic port forwarding on port 9050

Note: port 9050 must be on our proxychains.conf

$ tail -4 /etc/proxychains.conf

# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050

Using NMAP with Proxy Chains

$ proxychains nmap -v -sn 172.16.5.1-200

Note: Full TCP Connect scan can only be used because proxychains can't understand partial packets

Note: host-alive checks might also not work since Windows defender firewall blocks ICMP (ping) requests

$ proxychains nmap -v -Pn -sT 172.16.5.19

Using msfconsole with Proxy Chains

$ proxychains msfconsole

Using xfreerdp with Proxy Chains

$ proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Port Forwarding Using Meterpreter

Assuming we already have a meterpreter session on our pivot host

Ping Sweep

meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

[*] Performing ping sweep for IP range 172.16.5.0/23

Configuring MSF SOCKS Proxy

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  9050             yes       The port to listen on
   VERSION  4a               yes       The SOCKS version to use (Accepted: 4a,
                                        5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server
   
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server

Check if Proxy Server is running

msf6 auxiliary(server/socks_proxy) > jobs

Jobs
====

  Id  Name                           Payload  Payload opts
  --  ----                           -------  ------------
  0   Auxiliary: server/socks_proxy

proxychains.conf

socks4 	127.0.0.1 9050

Creating Routes with auto route

msf6 > use post/multi/manage/autoroute

msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.5.0/255.255.254.0 from host's routing table.
[*] Post module execution completed

meterpreter > run autoroute -s 172.16.5.0/23

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.5.0/255.255.254.0...
[+] Added route to 172.16.5.0/255.255.254.0 via 10.129.202.64
[*] Use the -p option to list all active routes

Listing active routes

meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.129.0.0         255.255.0.0        Session 1
   172.16.4.0         255.255.254.0      Session 1
   172.16.5.0         255.255.254.0      Session 1

Testing Proxy and Routing Functionality

$ proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

Using Meterpreter's portfwd module

meterpreter > help portfwd

Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.
    -R        Indicates a reverse port forward.

meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19

[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389

The above command requests the Meterpreter session to start a listener on our attack host's local port (-l) 3300 and forward all the packets to the remote (-r) Windows server 172.16.5.19 on 3389 port (-p) via our Meterpreter session. Now, if we execute xfreerdp on our localhost:3300, we will be able to create a remote desktop session.

PreviousPivoting, Tunneling, and Port Forwarding NextReverse Port Forwarding

Last updated 2 years ago

hashtagPort Forwarding Using SSH

hashtagForwading Multiple Ports

hashtagDynamic Port Forwading (SOCKS)

hashtagUsing NMAP with Proxy Chains

hashtagUsing msfconsole with Proxy Chains

hashtagUsing xfreerdp with Proxy Chains

hashtagPort Forwarding Using Meterpreter

hashtagPing Sweep

hashtagConfiguring MSF SOCKS Proxy

hashtagCheck if Proxy Server is running

hashtagproxychains.conf

hashtagCreating Routes with auto route

hashtagListing active routes

hashtagTesting Proxy and Routing Functionality

hashtagUsing Meterpreter's portfwd module