Particle42
  • 🔬Network Enumeration
    • NMAP
    • TCPdump
  • 🔭Website Enumeration
    • Passive Information Gathering
    • Subdomain Enumeration
  • 🖥️Web Application
    • URL & App Scan
    • Subdomain/Vhost Fuzz
    • Login Hack
    • Cross Site Scripting
    • Directory Traversal
    • Local File Inclusion
    • Remote File Inclusion
    • PHP Wrappers
    • SQL Injection
      • Bypass Authentication
      • Database Enumeration
      • Code Execution Via Injection
      • SQL Injection Tools
      • Other Resources
    • NOSQL Injection
      • Bypass Authentication
    • WordPress Scanner
    • Hints & Easter Eggs
  • 🎣Phishing
    • Client Info Gathering
    • HTA
    • Word Macros
    • Windows Library Files
  • 🪟Windows
    • Enumeration & PE Quick Ref
    • Enumeration
      • Users
      • Powershell History
      • System Details
      • Applications & Services
      • Files & Filesystems
      • Cached Creds
    • Windows PE
      • Windows PE Checklist
      • Service Binary Hijacking
      • Important Files
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Other PE Methods
      • Finding PE Vulns
      • SeImpersonatePrivilege
      • Bypassuac using Bypassuac.exe
      • Bypassuac using eventviewer.exe
      • Rasta Watson
    • Windows Remote Access
  • 📂Active Directory
    • About
    • Important Definitions
    • Exploitation Methodology
    • AD Kerberos
      • Invoke-Kerberoast - Shortcut
    • Domain Recon
      • Auto Recon
    • AD Authentication Attacks
      • Password Guessing
      • Creating & Cracking TGS
      • Kerberoasting
    • Lateral Movement
      • Pass the Hash
      • Overpass the Hash
      • Pass the Ticket
      • Distributed Component Object Model
      • Golden Ticket
      • Shadow Copy
      • Domain Controller Sync
      • Windows Management Instrumentation
      • PowerShell Remoting
    • All Commands, Tools & Scripts
      • Using Crackmapexec
      • Using Powerview
      • Important Scripts & Links
  • 🍺Buffer Over Flow
    • Finding EIP Position
    • Eliminating Bad Characters
    • Finding Return Address
    • Payload for BOF
  • 🐧Linux
    • Enumeration
      • Users
      • Encrypted Files
      • System Info
      • Files & Filesystems
      • Applications & Services
    • Attack Vectors
      • Authorised Keys
    • Linux PE
      • Enumeration Commands
      • Finding PE Vulns
      • Check Sudo List
      • Add User to Passwd File
      • SUIDs
      • Tasks with Wildcard
      • Dirty Cow
      • DirtyPipe
      • Insecure File Permissions
      • Enumerating Processes
    • Quick Commands
  • Services
    • SMB
      • Find Server Version
      • Directory Traversal using Symlink
      • Enable Passwordless SMB Access
    • MSSQL
    • MYSQL
    • PHPLiteAdmin
    • SSH
      • Limited Keys Issue
    • SMTP
      • Sending Email
    • Webdav
    • DNS
      • DNS Recon
  • ↗️Pivoting
    • Bringing Internet Access
    • Port Forwarding
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
    • HTTP Tunnel-ing
    • DNS Tunneling
    • Chisel
    • Ligolo-NG
  • 🔑Passwords
    • Wordlist Generation
    • HTTP Applications
    • OS Login
    • Password Cracking
      • Using Hashes Directly
      • Cracking Hashes
    • SAM & System
  • 🛠️Practical Tools
    • Remote Shell
      • Alternate Reverse Shells
      • Move to Interactive Shell
    • File Transfers
      • Quick Webservers
    • CURL
    • Payloads
      • MSFVenom
      • Veil Framework
    • Crafty Executable
    • Metasploit
      • Discovery
    • IMPACKET
      • MSSQL-Client
    • Clever Alternatives
  • 🚀Privilege Escalation
    • General Info
  • ⚡Resources
    • Exploits
Powered by GitBook
On this page
  • Local Port Forwarding
  • Scenario/Goal
  • System A
  • Remote Port Forwarding
  • System B

Was this helpful?

  1. Pivoting
  2. Port Forwarding

Dynamic Port Forwarding

PreviousRemote Port ForwardingNextHTTP Tunnel-ing

Last updated 1 year ago

Was this helpful?

Dynamic Port Forwarding is the most practical SSH port forwarding of the lot. In this technique any connection made to a local port can be forwarded to any port on a remote machine through a proxy. Now the connections are not limited to just one system or port, instead any number of connections can be made through proxychains.

Local Port Forwarding

Scenario/Goal

Let there be 3 systems - A, B and C.

A -> B is possible through an SSH connection

B -> C is on the same network with access to the service running on C

A -> C There is no accessibility between the two. They could be in completely different networks or a firewall could prevent them from connecting

System A
Requirement

Level of Compromise

Root Access

Softwares

SSH

IP

192.168.1.10

System B
Requirement

Level of Compromise

Elevated Privilege with Passwords

IPs

192.168.1.20, 172.16.1.20

System C
Requirements

Level of Compromise

None

Softwares

Port no. of service to be accessed (e.g Shares on Windows)

IP

172.16.1.30

System A

sudo ssh -N -D 127.0.0.1:8080 xyz@192.168.1.20

We will be using proxychains service as a proxy to send the requests through the SSH tunnel to the targetted systems and services,

socks4 	127.0.0.1 8080 #add this line to /etc/proxychains.conf

For this example since we are going to scan of a given IP,

sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.40

Remote Port Forwarding

Similar to the previous scenario, but lets imagine a firewall blocking access to the compromised system B. However, you have gained reverse shell from system B to system A, then the Remote Dynamic Port Forwarding comes in handy.

System B

sudo ssh -N -R 8080 xyz@192.168.1.10

We will be using proxychains service as a proxy to send the requests through the SSH tunnel to the targetted systems and services,

socks4 	127.0.0.1 8080 #add this line to /etc/proxychains.conf

For this example since we are going to scan of a given IP,

sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.40
↗️