
PORT FORWARDING / TUNNELING

Port forwarding / Tunneling

Tunneling, also known as port forwarding, is the simplest form of traffic redirection: a listener accepts traffic on one address and port and relays it to another address and port.

It is useful for reaching services that are bound to localhost and for bypassing address- and port-based filters. Rinetd is a Linux tool that does exactly this; socat (further down) does the same.

Local port forwarding

Creates an encrypted tunnel through the gateway (the SSH server): a port opened on your machine is connected, via the gateway, to a final host and port. This is useful when you are trying to connect from your machine to a destination that is only reachable through the gateway.


ssh gateway_host -L local_port:remote_host:remote_port

remote_host is resolved by the gateway, so 127.0.0.1 here means the gateway's own loopback (the usual way to reach a service bound to localhost on the gateway).

Remote port forwarding

Creates a tunnel in the opposite direction: the SSH connection is started from the target (or gateway) machine towards a machine you control, and a port is bound on that machine. Connections to that port travel back through the tunnel and come out of the target towards an arbitrary host and port the target can reach, for example a service bound to the target's own loopback.

Useful if the target is in a network that is not routable from your machine.

It is also useful when the target sits behind a firewall that blocks incoming connections but allows outbound SSH.

This technique works like the previous one, but the connection is started from the gateway, which only needs outbound access to your SSH server.


ssh <ssh_server> -R <remote port to bind>:<local host>:<local port>

Run on the target/gateway: <ssh_server> is the box you control, and <local host>:<local port> is written from the target's point of view, so 127.0.0.1 is the target's loopback.

Dynamic Port Forwarding

Opens a tunnel from your machine to the gateway and turns a local port into a SOCKS proxy: each connection sent to that port is carried over SSH and opened from the gateway towards whatever destination the client asked for.

A single local port therefore forwards traffic to multiple destinations, all passing through one host.

It is similar to local port forwarding, but the destination is chosen per connection by the client instead of being fixed on the command line.

It uses the SOCKS protocol (OpenSSH speaks SOCKS4 and SOCKS5), so the client must be SOCKS-aware or wrapped with something like proxychains.


ssh -D local_port remote_addr

The SSH connection of the previous command is established to port 22 of remote_addr; the SOCKS listener itself is local_port on your machine.
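Both mechanisms, the static forward defined at the top of the page and the SOCKS proxy that -D exposes, as an added example rather than code from these notes or from OpenSSH: a rinetd-style TCP forwarder and a minimal SOCKS5 CONNECT proxy with its client-side handshake, in Python over plain TCP so the wire behaviour is visible without SSH. It assumes Python 3.8+ and Linux/BSD socket semantics (MSG_WAITALL); every host, port and payload is constructed for the loopback demo.

```python
# Added example, not code from these notes: a rinetd-style static forwarder
# (what rinetd, socat and ssh -L give you) beside a minimal SOCKS5 CONNECT
# proxy and its client handshake (what ssh -D gives you). Plain TCP, no SSH.
import socket
import struct
import threading

def readn(sock, n):
    return sock.recv(n, socket.MSG_WAITALL)   # exactly n bytes (Linux/BSD flag)

def pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay(a, b):
    """Bidirectional relay, one thread per direction (socat/rinetd style)."""
    t = threading.Thread(target=pipe, args=(b, a), daemon=True)
    t.start()
    pipe(a, b)
    t.join()
    a.close()
    b.close()

def listen(bind_addr, port, handler):
    """Accept in a background thread, handler(client) per connection; returns the bound port."""
    srv = socket.create_server((bind_addr, port))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_forwarder(bind_addr, port, dst_host, dst_port):
    """Static forward: every client is wired to the one fixed destination."""
    def handle(client):
        relay(client, socket.create_connection((dst_host, dst_port)))
    return listen(bind_addr, port, handle)

def start_socks5(bind_addr, port):
    """Dynamic forward: SOCKS5 (RFC 1928) server, NO AUTH, CONNECT only;
    the client names the destination per connection, as with ssh -D."""
    def reply(client, rep):          # VER REP RSV ATYP=IPv4 BND.ADDR(4) BND.PORT(2)
        client.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6))
        if rep:                      # any non-zero REP ends the session
            client.close()
    def handle(client):
        _ver, nmethods = readn(client, 2)
        readn(client, nmethods)      # auth methods offered; we answer NO AUTH
        client.sendall(b"\x05\x00")
        _ver, cmd, _rsv, atyp = readn(client, 4)
        if atyp == 1:                # IPv4 address
            host = socket.inet_ntoa(readn(client, 4))
        elif atyp == 3:              # length-prefixed domain name
            host = readn(client, readn(client, 1)[0]).decode()
        else:                        # IPv6 not handled: REP 8 = address type unsupported
            return reply(client, 8)
        (dport,) = struct.unpack("!H", readn(client, 2))
        if cmd != 1:                 # REP 7 = command not supported (BIND, UDP ASSOCIATE)
            return reply(client, 7)
        try:
            upstream = socket.create_connection((host, dport))
        except OSError:              # REP 5 = connection refused
            return reply(client, 5)
        reply(client, 0)             # REP 0 = succeeded; from here on it is a plain relay
        relay(client, upstream)
    return listen(bind_addr, port, handle)

def socks5_connect(proxy_host, proxy_port, dst_host, dst_port):
    """Client side of the same handshake (what proxychains does per connect());
    returns a socket already wired to dst_host:dst_port through the proxy."""
    s = socket.create_connection((proxy_host, proxy_port))
    s.sendall(b"\x05\x01\x00")       # VER 5, one auth method offered: NO AUTH
    if readn(s, 2) != b"\x05\x00":
        raise OSError("proxy refused NO AUTH")
    name = dst_host.encode()         # ATYP 3: let the proxy resolve the name
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dst_port))
    rep = readn(s, 10)[1]
    if rep != 0:
        raise OSError("SOCKS5 CONNECT failed, REP=%d" % rep)
    return s

def demo():
    """Constructed scenario: a loopback echo service reached through both paths."""
    def echo(c):
        with c:
            c.sendall(c.recv(4096))
    def roundtrip(sock, payload):
        with sock:
            sock.sendall(payload)
            return readn(sock, len(payload))
    echo_port = listen("127.0.0.1", 0, echo)
    fwd_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    socks_port = start_socks5("127.0.0.1", 0)
    return (roundtrip(socket.create_connection(("127.0.0.1", fwd_port)), b"via -L\n"),
            roundtrip(socks5_connect("127.0.0.1", socks_port, "127.0.0.1", echo_port), b"via -D\n"))
```

demo() starts a loopback echo service, reaches it once through the static forwarder and once through the SOCKS5 proxy, and returns the two echoed payloads. The server's handle() is the part that ssh -D does for you: read the destination out of the client's CONNECT request, open it from the proxy's side, answer REP 0 and relay; proxychains performs the socks5_connect() half on behalf of programs that are not SOCKS-aware. Note that the destination name is resolved by the proxy (ATYP 3), which is why DNS for internal hosts works through -D but not through a plain -L.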

What is the difference between local and remote port forwarding?

Local port forwarding: connections from the SSH client are forwarded via the SSH server, then to a destination server.

Remote port forwarding: connections from the SSH server are forwarded via the SSH client, then to a destination server.

COMMANDS



>>> ssh -L   8111:127.0.0.1:8111   -i   id_rsa   sys-internal@$IP

====================SSH local port forwarding
>>> ssh user@ssh_server -L [bind_address:]local_port:destination_host:destination_hostport
>>> ssh noraj@192.168.2.105 -L 127.0.0.1:32000:10.42.42.2:80 -N
(-N: open the tunnel only, run no remote command; destination_host is resolved by ssh_server, not by us)


====================SSH reverse / remote port forwarding
>>> ssh user@ssh_server -R [bind_address:]remote_port:destination_host:destination_hostport
>>> ssh noraj@192.168.2.105 -R 192.168.2.105:15000:127.0.0.1:9999
(run from the inside host; by default sshd binds remote_port on loopback only, so binding it on 192.168.2.105 as above requires GatewayPorts yes in the ssh_server's sshd_config)


====================SSH dynamic port forwarding
>>> ssh user@ssh_server -D [bind_address:]local_port
>>> ssh noraj@192.168.2.105 -D 127.0.0.1:12000 -N

====================Port Forwarding using Metasploit
>>> use auxiliary/scanner/ssh/ssh_login
>>> set rhosts 192.168.1.108
>>> set username raj
>>> set password 123
>>> exploit
>>> sessions -u 1                (upgrade the shell session to meterpreter)
>>> sessions 2                   (interact with the new meterpreter session)
>>> netstat -antp                (find services bound to the target's loopback)
>>> portfwd add -l <on_port_we_want_it> -p <target_port> -r 127.0.0.1
(-l: port on our machine, -p: port on the target, -r: host as seen from the target, so 127.0.0.1 is the target's loopback)
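An added example (not from these notes) for the netstat -antp step above: given the target's listener table, pick out the sockets bound to loopback only, which are exactly the ones we cannot reach without a tunnel, and emit the matching ssh -L lines. The sample output is constructed; the PID/Program column is only filled in when netstat ran as root.

```python
# Added example, not part of the original notes: turn `netstat -antp` output
# from a pivot into forwarding candidates (LISTEN sockets bound to loopback
# only) and the ssh -L one-liners to reach them. SAMPLE is constructed.
import re

SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      1042/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      655/sshd
tcp        0      0 10.10.10.5:22           10.10.14.3:51122        ESTABLISHED 2201/sshd: user
tcp6       0      0 :::80                   :::*                    LISTEN      701/apache2
tcp6       0      0 ::1:6379                :::*                    LISTEN      900/redis-server
"""

# proto, recv-q, send-q, local address, foreign address, state, pid/program
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")

def loopback_listeners(netstat_output):
    """[(port, pid/program)] for LISTEN sockets bound to 127.x or ::1 only:
    reachable from the target, invisible from our side, hence worth forwarding."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue                               # headers, non-LISTEN rows
        _proto, local, prog = m.groups()
        addr, _, port = local.rpartition(":")      # rpartition copes with ::1:6379
        if addr.startswith("127.") or addr == "::1":
            found.append((int(port), prog))
    return found

def forward_commands(listeners, user, pivot):
    """One ssh -L line per candidate, in the same shape as the commands in these
    notes: the service lands on our loopback under the same port number."""
    return ["ssh -N -L %d:127.0.0.1:%d %s@%s" % (p, p, user, pivot) for p, _ in listeners]
```

Ports bound to 0.0.0.0 or :: (22 and 80 in the sample) are deliberately left out: those are reachable directly, so forwarding them only adds noise. Services that bind to a non-loopback internal address but sit on a network we cannot route to are a job for -D or sshuttle rather than per-port -L.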

====================Hacking Articles uses this (SSH):
>>> ssh -L <Our_port>:localhost:<Target_Port> -N -f -l raj <target_IP>
(-f: drop to the background once authenticated; -l raj: login name; localhost here is the target's loopback)

====================Port Forwarding using Socat
On target machine :
>>> socat TCP-LISTEN:<our_port>,fork,reuseaddr tcp:127.0.0.1:<target_port> &
NOTE : socat now listens on the target on <our_port>, on all interfaces, so browse to http://<target_IP>:<our_port>, not to localhost. Anyone who can reach the target on that port gets the same access, so kill it when done.


====================Tunneling Through Tools===================================
======SShUTTLE :
>>> apt install sshuttle
sshuttle builds a VPN-like tunnel over SSH to the Ubuntu box (raj@192.168.1.108) and routes traffic for Metasploitable 2 (192.168.226.129) through it, so no proxychains and no per-port forwards are needed. It needs sudo locally (it adds firewall rules) and a python interpreter on the remote host.
>>> sshuttle -r raj@<target_1_ip> <target_2_ip>
(<target_2_ip> can also be a subnet, e.g. 192.168.226.0/24)
Note : now when you put the Metasploitable 2 IP address in your Kali Linux's browser, you will be able to reach Metasploitable 2 on port 80, and on any other port, since the whole host is routed through the tunnel.


======Chisel :
>>> git clone https://github.com/jpillora/chisel.git
>>> apt install golang
>>> cd chisel/
>>> go build -ldflags="-s -w"
(copy the resulting binary to the target; a Windows target needs a GOOS=windows build)
====Usage :
on Kali :
>>> ./chisel server -p 8000 --reverse
on Target
>>> ./chisel client <OUR_IP>:8000 R:<our_port>:192.168.226.129:80
now navigate to http://127.0.0.1:<our_port> (e.g. http://127.0.0.1:5000 if <our_port> was 5000). The R: prefix means a reverse forward, i.e. the port opens on our server side, and it only works because the server was started with --reverse; R:socks instead gives a SOCKS proxy on our side for use with proxychains.
===========================================================================

Last updated 2 years ago