Forwarding one port on the client system to exactly one port accessible from the SSH pivot server. It's still confusing no matter how many times I read it.
# Below sets up local port 8123 forwarded thru victim to reach port 80 on target.local
ssh -L 8123:target.local:80 pwner@victim
curl localhost:8123
attacker:8123 -> 10.0.0.1:22 -> 10.0.0.5:80
# Below creates a tunnel with the established private key. Creates tunnel on https://localhost:4443
sudo ssh -i ~/.ssh/id_rsa -X -Y -C -g -L 4443:1.1.1.1:443 kali@2.2.2.2
# Below forwards a port on the victim localhost to be accessible (i.e. MySQL for localhost only)
ssh -L 3306:localhost:3306 pwnt@victim
mysql -u root -p
SSH Dynamic Port Forwarding
SOCKS Proxy used to forward several ports. Can use proxychains to help non-proxy aware programs to reach the intended destination. Do not try to port scan through a SOCKS proxy, it is VERY SLOW!!
ssh -D 9123 pwnt@victim
SSH Remote Port Forwarding
A port on the pivot system is forwarded to a local port, not commonly used.
Can use built in mechanisms in meterpreter/msf to port forward or route easily
# Cmd below will create a local port on 0.0.0.0:4321 to reach target:80
meterpreter > portfwd add -l 4321 -r target -p 80
Socat
We can use socat to forward to new machines easily
# Below command listens locally on 8080, forwards connections to 10.0.0.1:80
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80
IPtables
Iptables can be used to forward connections if we have root level access
# Must enable IP forwarding
sudo sysctl net.ipv4.ip_forward=1
# or do the following...
sudo echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# Now we can redirect...
iptables -t nat -A PREROUTING -p tcp -dport 1234 -j DNAT --to-destination 10.0.0.1:80
Windows Portproxy
This is a lesser-known function of netsh where we can redirect ports on a windows box
# Listen on 8123 and forward connections to 10.0.0.1:80
netsh interface portproxy add v4tov4 listenport=8123 connectport=80 connectaddress=10.0.0.1
# To view existing portproxy commands:
netsh interface portproxy show all
Ngrok
We can use ngrok to forward our own local connections to exploited machines