Port Forwarding Techniques

Some Port Forwarding learnt from OSCP

socat

socat -ddd TCP-LISTEN:<EXTERNAL PORT>,fork TCP:<INTERNAL IP>:<INTERNAL PORT>

SSH

Local Port Forwarding

ssh -N -L 0.0.0.0:<EXTERNAL PORT TO BIND>:<2nd INTERNAL MACHINE IP>:<2nd INTERNAL MACHINE PORT> <USERNAME CONNECTING TO THE FIRST MACHINE>@<IP OF 1st MACHINE>

Dynamic Port Forwarding

ssh -N -D 0.0.0.0:<EXTERNAL PORT TO BIND> <USERNAME CONNECTING TO THE FIRST MACHINE@<IP OF 1st MACHINE>

Remote Port Forwarding

ssh -N -R 127.0.0.1:<EXTERNAL PORT TO BIND>:<2nd INTERNAL MACHINE IP>:<2nd INTERNAL MACHINE PORT> ranay@<MY IP>

Remote Dynamic Port Forwarding

Note: OpenSSH bundled with Windows version must be higher than 7.6

ssh -N -R <EXTERNAL PORT TO BIND> ranay@<MY IP>

Accessing Services using proxychains

proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

Plink.exe Port Forwarding

C:\Windows\Temp\plink.exe -ssh -l ranay -pw <YOUR PASSWORD HERE> -R 127.0.0.1:<EXTERNAL PORT>:<INTERNAL IP>:<INTERNAL PORT> <MY IP>

netsh Port Forwarding (Requires Admin rights)

netsh interface portproxy add v4tov4 listenport=<EXTERNAL PORT> listenaddress=<EXTERNAL IP> connectport=<INTERNAL PORT> connectaddress=<INTERNAL IP>

netstat -anp TCP | find "2222"

netsh interface portproxy show all

If firewall is blocking,

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=<EXTERNAL IP> localport=<EXTERNAL PORT> action=allow

Ncat SOCKS Proxy

ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:<PORT GIVEN IN THE TERMINAL> %h %p' <Internal Username>@<Internal IP>

Starting Ligolo-Ng

Proxy

./ligolo-linux-proxy/proxy -selfcert -laddr 0.0.0.0:443

Agent

./agent -connect 192.168.45.192:443 -ignore-cert

Access to agent's local ports (127.0.0.1)

GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.GitHub

They have this special IP (240.0.0.1).

$ sudo ip route add 240.0.0.1/32 dev ligolo
$ nmap 240.0.0.1 -sV
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-30 22:17 CET
Nmap scan report for 240.0.0.1
Host is up (0.023s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
8000/tcp open http SimpleHTTPServer 0.6 (Python 3.9.2)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds

PreviousChecklist NextTunnel techniques

Last updated 1 year ago

hashtagsocat

hashtagSSH

hashtagLocal Port Forwarding

hashtagDynamic Port Forwarding

hashtagRemote Port Forwarding

hashtagRemote Dynamic Port Forwarding

hashtagAccessing Services using proxychains

hashtagPlink.exe Port Forwarding

hashtagnetsh Port Forwarding (Requires Admin rights)

hashtagNcat SOCKS Proxy

hashtagStarting Ligolo-Ng

hashtagProxy

hashtagAgent

hashtagAccess to agent's local ports (127.0.0.1)

socat

SSH

Local Port Forwarding

Dynamic Port Forwarding

Remote Port Forwarding

Remote Dynamic Port Forwarding

Accessing Services using proxychains

Plink.exe Port Forwarding

netsh Port Forwarding (Requires Admin rights)

Ncat SOCKS Proxy

Starting Ligolo-Ng

Proxy

Agent

Access to agent's local ports (127.0.0.1)