Local Port Forwarding

In local port forwarding, as the name suggests, a request arriving at a local port is tunnelled through an SSH connection to a second system and delivered to a service running on a third system.

Scenario/Goal

Let there be 3 systems - A, B and C.

A -> B is reachable through an SSH connection

B -> C is on the same network and has access to the service running on C

A -> C is not reachable directly. The two could be in completely different networks, or a firewall could prevent them from connecting

System A Requirements

Level of Compromise: Root Access
Software: SSH
IP: 192.168.1.10

System B Requirements

Level of Compromise: Elevated Privilege with Passwords
IPs: 192.168.1.20, 172.16.1.20

System C Requirements

Level of Compromise: None
Software: Port no. of service to be accessed (e.g. Shares on Windows)
IP: 172.16.1.30

System B is a Linux System - System A

When System B is a Linux system, the following steps have to be followed on System A. sudo is needed because the local listener binds the privileged port 445.

sudo ssh -N -L 0.0.0.0:445:172.16.1.30:445 student@192.168.1.20

For this example, since we are accessing a share, the following changes have to be made to the SMB client configuration on System A:

sudo nano /etc/samba/smb.conf

min protocol = SMB2 #add this line to the file

sudo /etc/init.d/smbd restart

Access the service through the local listener using the following command:

smbclient -L 127.0.0.1 -U Administrator

System B is a Windows System - System B

When the compromised System B is a Windows system, the following steps have to be followed on System B:

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110

A firewall rule has to be added to allow inbound access to port 4455:

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.1.20 localport=4455 action=allow

For this to work, the IP Helper service has to be running and IPv6 has to be enabled.
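From the defender's side, portproxy rules like the one above are persistent and easy to overlook. The following Python is an added example, not code from the original page: it parses a constructed sample of `netsh interface portproxy show v4tov4` output and flags rules that relay traffic into another network or onto a sensitive service port. The sample hosts, the /24 assumption and the port list are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `netsh interface portproxy show v4tov4` output; the
# hosts and rules are hypothetical and mirror the page's pivot scenario.
SAMPLE_PORTPROXY = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.11.0.22      4455        192.168.1.110   445
192.168.1.20    8080        192.168.1.20    80
"""

RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return v4tov4 rules as (listen_addr, listen_port, connect_addr, connect_port)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header, separator and blank lines do not match
        la, lp, ca, cp = m.groups()
        try:
            ipaddress.ip_address(la)
            ipaddress.ip_address(ca)
        except ValueError:
            continue
        rules.append((la, int(lp), ca, int(cp)))
    return rules


def flag_pivots(rules, sensitive_ports=(445, 3389, 5985)):
    """Flag rules that relay into another network or onto a sensitive port."""
    findings = []
    for la, lp, ca, cp in rules:
        reasons = []
        # Assumption: the listen address's /24 is the host's own LAN.
        local_net = ipaddress.ip_network(f"{la}/24", strict=False)
        if ipaddress.ip_address(ca) not in local_net:
            reasons.append("relays into a different /24")
        if cp in sensitive_ports:
            reasons.append(f"targets sensitive port {cp}")
        if reasons:
            findings.append((la, lp, ca, cp, reasons))
    return findings
```

`flag_pivots(parse_portproxy(SAMPLE_PORTPROXY))` returns only the first rule, with both reasons attached; the same-host 8080 -> 80 rule is left alone.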

Using SOCAT

This is useful especially when a Linux system has been compromised but the credentials are unknown. However, this method comes with the obvious caveat that socat must be installed on the compromised system (and binding port 445 requires root). Port forwarding can be achieved by executing the following command on the compromised system:

socat TCP-LISTEN:445,fork TCP:172.16.1.30:445

This ensures that any connection received on port 445 of the compromised system is forwarded to port 445 on the machine that sits in the internal network; the fork option lets socat serve more than one connection at a time.
