💾
👁️
infosec stuff
infosec stuffwriteups
infosec stuff
infosec stuffwriteups
  • infosec stuff
  • Archive
    • Kerberos
  • Cheatsheet
    • Mimikatz
    • Rubeus
  • Initial Access
    • Passwords
    • Payloads
    • Recon-AssetDiscovery
  • Linux
    • Linux Enumeration
    • Command Cheatsheet
      • TAR
    • Privilege Escalation
      • Cron Jobs
      • Kernel Exploit
      • SUID
      • Sudo
      • Weak File Permission
  • Physical
    • Basics
  • Tools
    • Impacket
    • Msfvenom
    • psexec
  • Uncategorized
    • Alternate Data Stream
    • Check applocker rules/policy
    • UACme
    • Data Exfilteration
    • Port Forwarding
    • WebDAV Exploitation
    • WinRM
    • winexe
  • Windows
    • Windows Enumeration
    • Commands
      • net
      • reg
      • sc
    • Evasion
      • Query Installed Antivirus
    • Local Privilege Escalation
      • Automated Tools
      • Enterprise Application
      • Insecure GUI Apps
      • Kernel Exploitation
      • Passwords
      • Potato
      • Registry Exploits
      • Scheduled Tasks
      • Service Exploits
      • Startup Apps
      • Vulnerable Software
      • Windows Privileges
    • Persistence
      • Adding Privileged Users
      • Backdoor Files
      • Existing Services
      • Login Screen (RDP)
      • Logon Triggered
      • Scheduled Tasks
      • Services
    • Powershell
      • Cheatsheet
      • Detections & Bypass
    • System Programming
      • Fundamentals
    • Windows Internals
      • Process & Jobs
        • Fundamentals
        • Process Internals
      • Security
        • Access Token
        • Elevation
        • Integrity Levels
        • Privilege
        • SID
        • Security Descriptor
        • User Account Control
      • System Architecture
        • Architecture Overview
        • Operating System Model
      • Uncategorized
        • DPAPI
        • LocalAccountTokenFilterPolicy
        • Privileges
        • SID
        • accesschk.exe
        • WMI
  • Active Directory
    • AD Concepts
      • Authentication
      • Authorization
      • Basics
      • Computers
      • Credentials
      • Database
      • Group Policy
      • Groups
      • Kerberos
      • Logon Types
      • NetNTLM
      • Services
      • Trusts
      • Users
    • Credential Dumping
      • Credential Manager
      • DC Sync
      • Domain Controller
      • LAPS
      • LSASS
      • Local Credentials
    • Domain Enumeration
      • CMD
      • Credential Injection
      • Defence
      • Management Console
      • Sharphound-BloodHound
      • Powershell
        • ACLs
        • Computers
        • Domain
        • Forest
        • GPOs
        • Groups
        • Organisational Unit
        • Shares and File Servers
        • Trusts
        • Powerview
        • Users
    • Exploitation
      • ACLs
    • Initial Foothold
      • ASREPRoast
      • Kerberos
    • Lateral Movement and Pivoting
      • Abusing User Behaviour
      • Kerberos
      • NTLM
      • PSEXEC
      • Remote Windows Service
      • Schedule Tasks
      • WMI-CIM
      • WimRM (PowerShell Remoting)
    • Persistence
      • ACLs
      • Custom SSP
      • DSRM
      • Diamond Ticket
      • Golden Certificates
      • Golden Tickets
      • SID History
      • Silver Tickets
      • Skeleton Key
    • Privilege Escalation
      • Constrained Delegation
      • DNSAdmins
      • Kerberoast
      • Unconstrained Delegation
    • Protocols
      • MSRPC
      • SMB
      • WinRM
Powered by GitBook
On this page
  • SSH
  • Socat
  • SOCKS Proxy
Edit on GitHub
  1. Uncategorized

Port Forwarding

SSH

Local Port Forward

  • SSH Client listens for a connection, on a specific port

  • When SSH Client recieves a connection, it tunnels the connection to the SSH Server which connects to the configured destination port.

  • Can be used to connect to Internal resource from the outside.

ssh -L [Client_IP]:<Client_Port>:<Remote_IP>:<Remote_Port> <server/IP>
# By default Client_IP binds to localhost

Example:

ssh -L 0.0.0.0:90:192.168.10.12:80 192.168.10.87

  • Opens up port on 0.0.0.0 on port 90 on SSH Client which when accessed forwards the connection to 192.168.10.12 on port 80 which is only accessible via 192.168.10.87

Remote Port Forward

  • SSH Server listens for a connection on a configured port.

  • When the port receives the connection it forwards the connection to the SSH Client machine on the configured destination port

  • Can be used to expose Client localhost to the public if SSH Server is available on public internet

ssh -R [Server_IP]:<Server_Port>:<Client_IP><Client_Port> <server/IP>

Example:

ssh -R 0.0.0.0:8080:localhost:80 myserver.com

  • Opens a port 8080 on myserver.com which forwards the incoming connection the SSH Client's localhost on port 80

Socat

  • Useful when SSH is not available.

  • Does not come preinstalled. Need to transfer socat binary to host.

socat TCP4-LISTEN:1234,fork TCP4:1.1.1.1:4321

  • Opens up port 1234 on the host machine which forwards all traffic to 1.1.1.1 on port 4321.

  • Similar to local port forwarding. Can be used to access remote servers.

SOCKS Proxy

  • Can port forward all port dynamically

SSH

ssh -D [Local_ip]:<Local_Port> myserver.com
# Opens port on SSH Client machine
ssh -R <Remote_Port> myserver.com
# Opens port on SSH Server machine

Example:

ssh -D 9090 myserver.com

  • Opens up a dynamic port 9090 on localhost.

  • We can use proxy chains to use our tools with this forwarded port.

  • We can edit /etc/proxychains.conf to configure the port.

[proxyList]
socks4 127.0.0.1 9090

  • Now we can execute any program through proxy using proxychains command

proxychains curl http://remotehost.com
# will forward the http request to remotehost.com via socks proxy on localhost port 9090

Last updated 6 months ago