Local Port Forwarding

In local port forwarding, as the topic reads, any request reaching a local port can be funneled through an SSH connection on another system to finally reach a service running on a third system.

Scenario/Goal

Let there be 3 systems - A, B and C.

A -> B is possible through an SSH connection

B -> C is on the same network with access to the service running on C

A -> C There is no accessibility between the two. They could be in completely different networks or a firewall could prevent them from connecting

System B is a Linux System - System A

When system B is a linux system, then the following steps have to be followed in System A.

sudo ssh -N -L 0.0.0.0:445:172.16.1.30:445 [email protected]

For this example since we are accessing a share the following changes have to be made,

sudo nano /etc/samba/smb.conf

min protocol = SMB2 #add this line to the file

sudo /etc/init.d/smbd restart

Access the service using the following command,

smbclient -L 127.0.0.1 -U Administrator

System B is a Windows System - System B

When the compromized system B is a Windows system then the following steps have to be followed,

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110

The firewall rule has to be added for allowing access to the 4455 port,

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.1.20 localport=4455 action=allow

Using SOCAT

This is useful especially in the case of compromising a Linux system when the credentials are unknown. However, this method comes with the obvious caveat of SOCAT being installed in the compromised system. Port forwarding can be achieved by executing the following command in the compromised system,

socat TCP-LISTEN:445,fork TCP:172.16.1.30:445

This will ensure that any packets received on 445 on the compromised system is forwarded to the 445 port on the machine that sits in the internal network.