Local Port Forwarding
In local port forwarding, as the name suggests, the listening port lives on the local system: any connection made to a port on A is carried over an SSH session to a second system B and delivered from there to a service on a third system C that A cannot reach directly. (Remote port forwarding is the mirror image, with the listening port on the SSH server side.)
Scenario/Goal
Let there be 3 systems: A, B and C.
A -> B: A can open an SSH connection to B.
B -> C: B is on the same network as C and can reach the service running on C.
A -> C: no connectivity between the two. They could be in completely different networks, or a firewall could prevent them from connecting.
Goal: reach the service on C from A by routing through B.
| System | Role | Level of Compromise | Software | IP |
|---|---|---|---|---|
| A | attacker's system (SSH client) | Root access | SSH | 192.168.1.10 |
| B | pivot | Elevated privilege, with passwords (an SSH login is available) | SSH server | 192.168.1.20 (facing A), 172.16.1.20 (facing C) |
| C | target | None | Port number of the service to be accessed (e.g. shares on Windows, TCP 445) | 172.16.1.30 |
System B is a Linux System (commands run on System A)
When system B is a Linux system, the following is run on system A. The syntax is -L [bind_address:]port:host:hostport: ssh binds port 445 on A and relays every connection that arrives there, through the SSH session to B, to 172.16.1.30:445 as seen from B. -N tells ssh not to run a remote command, sudo is needed only because 445 is a privileged port, and the last argument is the SSH user and address of system B.
sudo ssh -N -L 0.0.0.0:445:172.16.1.30:445 [email protected]
Note the bind address: 0.0.0.0 offers the forwarded port to every host that can reach A, so anyone on A's network gets the same path to C's share. Bind to 127.0.0.1 instead unless other hosts genuinely need the forward, and kill the ssh process when done.
For this example, since we are accessing a share, smbclient must be allowed to negotiate SMB2 (older smbclient releases default to SMB1, which current Windows hosts reject). Add the following line to the [global] section of smb.conf on A:
sudo nano /etc/samba/smb.conf
client min protocol = SMB2 #add this line under [global]
smbclient reads smb.conf each time it starts, so no daemon restart is needed. The bare min protocol setting is the server-side synonym for server min protocol and does not affect smbclient; and smbd must not be listening on port 445 on A at all, or the ssh command above cannot bind that port. The same setting can also be passed on the command line with smbclient's --option instead of editing the file.
Access the service from A through the forwarded port (445 is smbclient's default, so no port option is needed):
smbclient -L 127.0.0.1 -U Administrator
System B is a Windows System (commands run on System B)
When the compromised system B is a Windows host there is usually no SSH server to forward through, so the forward is created on B itself with netsh portproxy, from an elevated prompt. Using the scenario's addresses, B listens on its A-facing interface and relays to C's SMB port. Port 445 on B is already held by Windows' own SMB server, so a different listening port (4455) is used:
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=192.168.1.20 connectport=445 connectaddress=172.16.1.30
A firewall rule has to be added to allow inbound access to port 4455:
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.1.20 localport=4455 action=allow
From A the share is then reached at 192.168.1.20 on port 4455 (smbclient's -p option selects the port). Two things to check: portproxy relies on the IP Helper service (iphlpsvc), which must be running, and portproxy entries are stored in the registry and survive reboots. List them with netsh interface portproxy show all, and remove the entry and the firewall rule when the engagement is over.
Using SOCAT
This is useful when a Linux system B has been compromised without obtaining credentials: there is a shell on B, but no password or key that would allow SSH through it. The obvious caveat is that socat must be present on the compromised system (or be uploaded to it). Port forwarding is then achieved by executing the following command on the compromised system; binding 445 requires root, and fork makes socat handle each incoming connection in its own child so several clients can use the relay at once:
socat TCP-LISTEN:445,fork TCP:172.16.1.30:445
This ensures that every connection received on port 445 of the compromised system is forwarded to port 445 on the machine in the internal network, so A reaches the share at 192.168.1.20:445. Unlike the ssh -L case, nothing here is authenticated or encrypted: anyone who can reach port 445 on B now has the same access to C. Restrict the listener with socat's bind= option where possible, and stop the socat process when done.
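What ssh -L does on A and what the socat line does on B is the same thing: accept a TCP connection on a bind address and port, dial the target, and pump bytes both ways. The following is an added example written for this page, not code from the original or from any of the tools it mentions. It implements that relay in Python and runs entirely on loopback: the echo service standing in for system C, the payload and the addresses are constructed for the demo, and it also shows the failure mode a client sees when the target is unreachable (the pivot accepts the connection and then drops it, as a socat child does when its TCP: connect fails).

```python
"""Minimal TCP relay: the mechanism behind `ssh -L` on A and
`socat TCP-LISTEN:<port>,fork TCP:<host>:<port>` on a pivot (added example)."""
import socket
import threading

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(client, target):
    """One accepted connection: dial the target, then pump bytes both ways."""
    try:
        upstream = socket.create_connection(target, timeout=3)
    except OSError:          # target unreachable: drop the client, as a socat child does
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)  # client -> target on this thread
    back.join()              # let target -> client drain before closing
    client.close()
    upstream.close()

class Listener:
    """Accept TCP connections on (bind_addr, port); run handler(conn) per connection.
    bind_addr is the `-L bind_address:` part: 127.0.0.1 keeps the port private to
    this host, 0.0.0.0 exposes it to every host that can reach us."""

    def __init__(self, bind_addr, port, handler):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]  # real port when 0 was requested
        self.handler = handler
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:      # listener closed
                return
            threading.Thread(target=self.handler, args=(conn,), daemon=True).start()

    def close(self):
        self.sock.close()

def forwarder(bind_addr, port, target_host, target_port):
    """What `-L bind_addr:port:target_host:target_port` sets up on A, or
    `socat TCP-LISTEN:port,fork TCP:target_host:target_port` on B."""
    return Listener(bind_addr, port, lambda c: _relay(c, (target_host, target_port)))

def echo_service():
    """Constructed stand-in for the service on C: echoes whatever it receives."""
    return Listener("127.0.0.1", 0, lambda c: _pump(c, c))

def _talk(port, payload):
    """Act as A's client: connect to the relay, send, half-close, read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        for data in iter(lambda: c.recv(4096), b""):
            chunks.append(data)
    return b"".join(chunks)

def demo_forward(payload=b"hello through the pivot"):
    """A -> relay -> service: the echoed payload proves the whole path works."""
    service = echo_service()
    fwd = forwarder("127.0.0.1", 0, "127.0.0.1", service.port)
    try:
        return _talk(fwd.port, payload)
    finally:
        fwd.close()
        service.close()

def demo_unreachable_target():
    """Relay aimed at a port with no listener: A is accepted, then just sees EOF."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()                     # released again, so nothing listens there
    fwd = forwarder("127.0.0.1", 0, "127.0.0.1", dead_port)
    try:
        return _talk(fwd.port, b"")
    finally:
        fwd.close()
```

Running demo_forward() returns the payload unchanged after it has crossed the relay and come back from the echo service; demo_unreachable_target() returns an empty byte string because the relay closes the accepted connection without ever sending anything. The bind address passed to forwarder() is the knob the -L command above sets with 0.0.0.0: change it to "127.0.0.1" and only local processes can use the relay, which is the safer default on an attacker box with other tenants.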