Local Port Forwarding

PreviousPort Forwarding NextRemote Port Forwarding

Last updated 1 year ago

Was this helpful?

Local Port Forwarding

In local port forwarding, as the topic reads, any request reaching a local port can be funneled through an SSH connection on another system to finally reach a service running on a third system.

Scenario/Goal

Let there be 3 systems - A, B and C.

A -> B is possible through an SSH connection

B -> C is on the same network with access to the service running on C

A -> C There is no accessibility between the two. They could be in completely different networks or a firewall could prevent them from connecting

System A

Requirement

Level of Compromise

Root Access

Softwares

SSH

192.168.1.10

System B

Requirement

Level of Compromise

Elevated Privilege with Passwords

IPs

192.168.1.20, 172.16.1.20

System C

Requirements

Level of Compromise

None

Softwares

Port no. of service to be accessed (e.g Shares on Windows)

172.16.1.30

System B is a Linux System - System A

When system B is a linux system, then the following steps have to be followed in System A.

sudo ssh -N -L 0.0.0.0:445:172.16.1.30:445 student@192.168.1.20

For this example since we are accessing a share the following changes have to be made,

sudo nano /etc/samba/smb.conf

min protocol = SMB2 #add this line to the file

sudo /etc/init.d/smbd restart

Access the service using the following command,

smbclient -L 127.0.0.1 -U Administrator

System B is a Windows System - System B

When the compromized system B is a Windows system then the following steps have to be followed,

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110

The firewall rule has to be added for allowing access to the 4455 port,

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.1.20 localport=4455 action=allow

For this to work, the IP Helper Service has to be running and IPV6 has to be enabled.

Using SOCAT

This is useful especially in the case of compromising a Linux system when the credentials are unknown. However, this method comes with the obvious caveat of SOCAT being installed in the compromised system. Port forwarding can be achieved by executing the following command in the compromised system,

socat TCP-LISTEN:445,fork TCP:172.16.1.30:445

This will ensure that any packets received on 445 on the compromised system is forwarded to the 445 port on the machine that sits in the internal network.

PreviousPort Forwarding NextRemote Port Forwarding

Last updated 1 year ago

Was this helpful?

In local port forwarding, as the topic reads, any request reaching a local port can be funneled through an SSH connection on another system to finally reach a service running on a third system.

Scenario/Goal

Let there be 3 systems - A, B and C.

A -> B is possible through an SSH connection

B -> C is on the same network with access to the service running on C

A -> C There is no accessibility between the two. They could be in completely different networks or a firewall could prevent them from connecting

System A

Requirement

Level of Compromise

Root Access

Softwares

SSH

192.168.1.10

System B

Requirement

Level of Compromise

Elevated Privilege with Passwords

IPs

192.168.1.20, 172.16.1.20

System C

Requirements

Level of Compromise

None

Softwares

Port no. of service to be accessed (e.g Shares on Windows)

172.16.1.30

System B is a Linux System - System A

When system B is a linux system, then the following steps have to be followed in System A.

sudo ssh -N -L 0.0.0.0:445:172.16.1.30:445 student@192.168.1.20

For this example since we are accessing a share the following changes have to be made,

sudo nano /etc/samba/smb.conf

min protocol = SMB2 #add this line to the file

sudo /etc/init.d/smbd restart

Access the service using the following command,

smbclient -L 127.0.0.1 -U Administrator

System B is a Windows System - System B

When the compromized system B is a Windows system then the following steps have to be followed,

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110

The firewall rule has to be added for allowing access to the 4455 port,

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.1.20 localport=4455 action=allow

For this to work, the IP Helper Service has to be running and IPV6 has to be enabled.

Using SOCAT

socat TCP-LISTEN:445,fork TCP:172.16.1.30:445

This will ensure that any packets received on 445 on the compromised system is forwarded to the 445 port on the machine that sits in the internal network.