Port Forwarding/Redirection
rinetd
a simple port forwarding tool
List all port forwards for an active ssh session
~#
meterpreter port forwarding
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
e.g.
portfwd add -l 3306 -p 3306 -r 192.168.1.101
Now, when you run netstat -antup, you will see the port listening on your local attacking machine.
In this case the mysql service (tcp 3306) will be accessible on your loopback (127.0.0.1)
port forwarding from an ssh session
type ~C in the ssh session to open the ssh> prompt, then enter:
-L <localhost destination port>:<source ip>:<source port>
then you can access it with nc, curl, etc. at localhost:<destination port>
or you can do a dynamic port forward with:
-D <destination port>
in the ssh session
and then on local machine run:
proxychains curl <destination ip>
Reverse port forwarding from server to client from an ssh session
~C
-R 127.0.0.1:<source port>:127.0.0.1:<destination port>
# Windows
plink.exe -l root -R 445:127.0.0.1:445 YOURIPADDRESS
# Metasploit
portfwd add -l 9090 -p 9090 -r TARGETIP
# Reverse ssh tunnel, port forwarding 8090 from target to us:
ssh -R 8090:localhost:8090 user@ip
# Local port forward, forward local 8090 to target:
ssh -L 8090:localhost:8090 user@ip
SSH Pivoting
# Local port forwarding
# Local port opened on 127.0.0.1 (bind)
# -N == no command executed (only ssh tunnel)
ssh user@pivoting_machine -L [bind_address:]local_port:destination_host:destination_hostport -N
Linux
Local port forwarding
ssh <gateway> -L <local_port_to_listen_to>:<remote_host>:<remote_port>
Remote port forwarding
ssh <gateway> -R <remote_port>:<local_host>:<local_port>
Dynamic port forwarding
ssh -D <local proxy port> -p <remote port> <target>
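Added example (not part of the original page): a small decoder for the [bind_address:]port:host:hostport syntax used by the -L, -R and -D commands above, showing which end opens the listening socket, which end makes the onward connection, and whether the listener is reachable from other hosts. The function name parse_forward and the result keys are hypothetical; it assumes hostnames or IPv4 addresses only and GatewayPorts left at its default of "no".

```python
# Added example, not from the original page. Handles hostnames and IPv4 only
# (bracketed IPv6 and Unix-socket forwards are out of scope) and assumes
# GatewayPorts is left at its default "no" on both client and server.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_forward(flag, spec):
    """Decode an ssh -L, -R or -D argument into who listens and who connects on."""
    if flag not in ("-L", "-R", "-D"):
        raise ValueError("flag must be -L, -R or -D")
    fields = spec.split(":")
    needed = 1 if flag == "-D" else 3          # fields after the optional bind address
    if len(fields) == needed + 1:
        bind, fields = fields[0], fields[1:]   # explicit bind_address ("" or "*" = all)
    elif len(fields) == needed:
        bind = "127.0.0.1"                     # default: loopback only
    else:
        raise ValueError(f"malformed {flag} spec: {spec!r}")
    ports = [int(fields[0])] + ([int(fields[2])] if flag != "-D" else [])
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return {
        # -L and -D open the listening socket on the ssh client; -R opens it on the server.
        "listener": "server" if flag == "-R" else "client",
        "listen_addr": (bind or "*", ports[0]),
        # The far end of the tunnel makes the onward TCP connection.
        "connects_from": "client" if flag == "-R" else "server",
        # -D is a SOCKS proxy: the destination is chosen per connection.
        "target": None if flag == "-D" else (fields[1], ports[1]),
        # True when hosts other than the listener itself can reach the port.
        "exposed": bind not in LOOPBACK,
    }

if __name__ == "__main__":
    # Specs constructed from the commands shown on this page.
    for flag, spec in [("-L", "8090:localhost:8090"),
                       ("-R", "445:127.0.0.1:445"),
                       ("-D", "1080"),
                       ("-L", "*:3306:192.168.1.101:3306")]:
        print(flag, spec, "->", parse_forward(flag, spec))
```

For -R, a non-loopback bind address is only what the client requests; the server honours it only when its GatewayPorts setting allows it.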