Tunnelling & Port Forwarding
Introduction
If you have found hosts on a different network that you do not have access to, you will need to use one of the compromised hosts to pivot to the subnet. For doing so, you can use the several techniques and tools that you will see in this section.
SSH
Local Port Forwarding
Use the following command if you want to access a website (port 80) on a subnet through an intermediary computer via SSH. Then, you will be able to access the website through localhost
(port 8000).
The
-L
flag creates a link to a local port.The
-f
flag is used to set SSH to the background so that we can still use our terminal.The
-N
flag iindicates to SSH that we do not want to execute any commands.
Remote Port Forwarding
This allows anyone on the remote server to connect to TCP port 8080 on the remote server. The connection will then be tunnelled back to the client host, and the client then makes a TCP connection to port 80 on localhost
.
Proxy
This command will open port 1337 on your machine as a proxy to send data to the subnet. This is useful when combined with a tool like proxychains, so you can access different ports and IPs with the same connection.
Internet access to an offline machine
You might encounter a situation where you require Internet access for downloading tools, installing packages, etc. but the machine doesn't have Internet and you only can connect through SSH with a machine with Internet access. For those cases, you can do the following:
1. Install a proxy on the machine with Internet access.
Modify the squid configuration by commenting all http_access deny *
and add http_access allow all
. Then, restart the squid server:
2. Execute the following lines in the offline machine, thus the traffic will go through the future port forwarding.
Note: To make it permanently through all the terminals add the before-mentioned lines into the /etc/environment
file.
Furthermore, if you want to use apt to install packages add the following lines into the /etc/apt/apt.conf.d/50apt-file.conf
file.
3. Finally, do the port forwarding.
Sshuttle
Shuttle allows us to route networks through SSH tunnels as if it were a VPN.
Download Link: Link
Installation command:
sudo apt install sshutle
The command to use shuttle is:
The -N
flag is used for sshuttle to try to guess the server's subnet.
Unfortunately, sshuttle has no shortcut to use a private key to authenticate to the SSH server. However, you can use the --ssh-cmd
flag to work around this problem.
Nota:
You may get the following error when connecting with sshuttle: client: fatal: server died with error code 255
.
This can happen when the compromised machine you connect to is part of the subnet you are trying to access. For example, if we were connecting to 172.16.0.5 and tried to forward 172.16.0.0/24, we would be including the compromised server within the newly forwarded subnet, thus breaking the connection and causing the tool to die.
To avoid this, we tell sshuttle to exclude the compromised server from the subnet range using the -x
option. To use our example above:
Ligolo-ng
Ligolo-ng is an advanced, yet simple tunneling tool that uses TUN interfaces, allowing you to access the whole network without much of a hassle. However, it is not suitable for creating listening ports on the victims machine which connection is redirected to another machine rather than the server.
Create the tun interface.
Launch the server.
On the victim side execute the client, pointing to the server.
Go to the server's terminal and select the new session.
Once selected the session start the tunnel.
Add on the attacking machine the route you want to access
Remote Port Forwarding
This allows anyone on the remote server to connect to TCP port 8080 on the remote server. The connection will then be tunnelled back to the client host, and the client then makes a TCP connection to port 80 on localhost
.
ℹ️ This can be useful to pivot between networks. So, victim 1 creates a Remote Port Fortwarding to ligolo proxy and then, victim 2 connects to victim 1 which is forwarded to ligolo
Select a session.
Configure the listener
Socat
Socat is a relay for bidirectional data transfer between two independent data channels.
Download links:
Reverse Shell Relay
tcp-l: 8000
is used to create the first half of the connection: an IPv4 tcp listening port on 8000 on the victim_ONE
. The second have of the connection is when you connect to the victim_ONE
machine from the victim_TWO
machine.
Port Forwarding (Stealthy)
First, on our pivoting machine, we run the following command:
This command opens two ports: 8000 and 8001, creating a local port relay. What goes into one of them will come out of the other. For this reason, port 8000 also has the fork
and reuseaddr
options to allow us to create more than one connection using this port going forward.
The following command establishes a connection between our listening port 8001 on the pivoting machine and the open port on the target server (80).
This would create a link between port 8000 on our attacking machine and port 80 on the target machine, which means we could go to localhost:8000
in the web browser of our attacking machine to load the web page served by the target.
Port Forwarding (Reverse)
In order to access the website on port 80 on the victim's machine through localhost:8080
, we need to execute the following commands.
Attacking machine:
Pivoting machine:
Chisel
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable, including both client and server. Written in Go.
Furthermore, Chisel is mainly useful for passing through firewalls.
Download link: Link
Reverse SOCKS Proxy
On our attacking machine, we set a port to listen (--reverse
sets the port to listen.).
On the compromised host, we would use the following command, which connects to the listening port of our attacking machine, completing the proxy.
The flag R:socks
tells the chisel server that the proxy or port forwarding will be done on the client-side.
Forwards SOCKS Proxy
The connection is made from the attacking machine to the compromised machine.
On the compromised machine we run:
On the attacking machine we run::
Remote Port Forwarding
Remote Port Forward is when we connect from the compromised target machine to create port forwarding.
On the attacking machine, we use the following command:
The command to connect to the attacking machine is as follows..
Note the difference between LISTEN_PORT
and LOCAL_PORT
. LISTEN_PORT is the port on which we start the chisel server, and LOCAL_PORT is the port we want to open on our attacker machine to bind to the desired destination port.
Local Port Forwarding
We connect from our attacking machine to the chisel server on the compromised machine.
On the compromised machine, we create the chisel server.
And now we connect from the attacking machine
For example, if you want to connect to the application on 192.168.2.4:80
through the machine 192.168.1.2
, so you can access the web page accessing localhost:8080
on your machine. Execute the following commands:
Metasploit
Once we have a meterpreter session, we can use the module post/multi/manage/autoroute
to pivot to a different network through the compromised machine.
Then, with the module auxiliary/server/socks_proxy
, we can use proxychains in order to route all our traffic.
You can use socks5 or socks 4.
If you want to use socks4, you need to configure proxychains.
References
Internet access through SSH
Last updated