Hacking Notes
Pivoting

SSH Local Port Forwarding

Forwards one port on the client system to exactly one port that is reachable from the SSH pivot server. It's still confusing no matter how many times I read it.

# Below sets up local port 8123, forwarded through victim to reach port 80 on target.local
# (target.local is resolved by victim, not by the attacker box)
ssh -L 8123:target.local:80 pwner@victim
# Then, from the attacker box:
curl localhost:8123
# Traffic path: attacker:8123 -> 10.0.0.1:22 (victim) -> 10.0.0.5:80 (target.local)

# Below creates a tunnel with the established private key. Creates tunnel on https://localhost:4443
# (-g lets other hosts connect to the local listener; -C compresses; -X/-Y enable X11 forwarding)
sudo ssh -i ~/.ssh/id_rsa -X -Y -C -g -L 4443:1.1.1.1:443 kali@2.2.2.2

# Below forwards a service bound only to the victim's localhost (e.g. MySQL listening on 127.0.0.1) to local port 3306
ssh -L 3306:localhost:3306 pwnt@victim
# Connect over TCP to the forwarded port; without -h 127.0.0.1 the client would use the local Unix socket instead of the tunnel
mysql -h 127.0.0.1 -P 3306 -u root -p

SSH Dynamic Port Forwarding

Creates a SOCKS proxy on a local port that can forward connections to any number of destination hosts and ports. Use proxychains to push traffic from non-proxy-aware programs through it. Do not try to port scan through a SOCKS proxy, it is VERY SLOW.

ssh -D 9123 pwnt@victim

SSH Remote Port Forwarding

The reverse of local forwarding: a listening port is opened on the pivot (remote) system and connections to it are sent back through the SSH session to a port reachable from the client. Not commonly used.

# Below opens port 8123 on victim; connections to it reach port 80 on the client system
ssh -R :8123:localhost:80 pwnt@victim
# Below opens port 8000 on victim; connections to it reach www.google.com:80 as seen from the client
ssh -R :8000:www.google.com:80 pwnt@victim

Meterpreter/MSF Forwarding

Meterpreter and msf have built-in mechanisms to port forward or add routes easily.

# Cmd below will create a local port on 0.0.0.0:4321 to reach target:80
meterpreter > portfwd add -l 4321 -r target -p 80

Socat

socat can relay a local listener to another host easily.

# Below command listens locally on 8080, forwards connections to 10.0.0.1:80
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80

IPtables

iptables can be used to forward connections if we have root-level access.

# Must enable IP forwarding
sudo sysctl net.ipv4.ip_forward=1

# or do the following (plain "sudo echo ... >>" fails, because the redirection is performed by the unprivileged shell, not by sudo)
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Now we can redirect: incoming TCP on port 1234 is rewritten to 10.0.0.1:80
sudo iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 10.0.0.1:80

Windows Portproxy

This is a lesser-known function of netsh that redirects ports on a Windows box. It needs an elevated prompt, and the entries persist across reboots until removed.

# Listen on 8123 and forward connections to 10.0.0.1:80
netsh interface portproxy add v4tov4 listenport=8123 connectport=80 connectaddress=10.0.0.1

# To view existing portproxy commands:
netsh interface portproxy show all
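For auditing a host, the output of the show command above can be parsed and any entry that listens on all addresses or relays to another machine flagged. This is an added example, not part of the original notes; the sample output below is constructed, not captured from a real host.

```python
import re

# Constructed sample of `netsh interface portproxy show all` output (not from a real host).
# The 8123 -> 10.0.0.1:80 entry mirrors the add command shown above.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8123        10.0.0.1        80
127.0.0.1       3389        127.0.0.1       3389

Listen on ipv4:             Connect to ipv6:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8443        ::1             443
"""

# Section header, e.g. "Listen on ipv4:   Connect to ipv6:"
SECTION_RE = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")
# Data row: listen address, listen port, connect address, connect port
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_portproxy(text):
    """Return one dict per configured portproxy entry found in the netsh output."""
    entries, listen_fam, connect_fam = [], None, None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            listen_fam, connect_fam = header.groups()
            continue
        row = ROW_RE.match(line)
        if row and listen_fam:  # header and dashed separator lines never match ROW_RE
            la, lp, ca, cp = row.groups()
            entries.append({"listen_family": listen_fam, "listen_addr": la,
                            "listen_port": int(lp), "connect_family": connect_fam,
                            "connect_addr": ca, "connect_port": int(cp)})
    return entries

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def suspicious(entries):
    """Entries that accept connections from any address or relay traffic to another host."""
    return [e for e in entries
            if e["listen_addr"] == "*" or e["connect_addr"] not in LOOPBACK]
```

Run it against the real command output on a host you administer; an empty result from `suspicious` means no wildcard listeners or off-box relays are configured.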

Ngrok

ngrok can expose one of our own local ports through a public ngrok endpoint so that exploited machines can reach it.


Last updated 2 years ago
