Port Forwarding/Redirection

rinetd

  • a simple port forwarding tool

List all port forwards for an active ssh session

~#

meterpreter port forwarding

portfwd add -l <attacker port> -p <victim port> -r <victim ip>

e.g.

portfwd add -l 3306 -p 3306 -r 192.168.1.101

  • now, when you run netstat -antup you will see the port listening on your local attacking machine

  • In this case the mysql service (tcp 3306) will be accessible on your loopback (127.0.0.1)

port forwarding from an ssh session

type ~C in the ssh session to open the ssh command line, then enter:

-L <localhost destination port>:<source ip>:<source port>

then you can access it with nc, curl, etc. at localhost:<destination port>

or can do a dynamic port forward with:

-D <destination port>

in the ssh session

and then on local machine run:

proxychains curl <destination ip>

Reverse port forwarding from server to client from an ssh session

~C

-R 127.0.0.1:<source port>:127.0.0.1:<destination port>

# Windows

plink.exe -l root -R 445:127.0.0.1:445 YOURIPADDRESS

# Metasploit

portfwd add -l 9090 -p 9090 -r TARGETIP

# Reverse ssh tunnel, port forwarding 8090 from target to us:

ssh -R 8090:localhost:8090 user@ip

# Local port forward, forward local 8090 to target:

ssh -L 8090:localhost:8090 user@ip

SSH Pivoting

# Local port forwarding

# Local port opened on 127.0.0.1 (bind)

# -N == no command executed (only ssh tunnel)

ssh user@pivoting_machine -L [bind_address:]local_port:destination_host:destination_hostport -N

Linux

Local port forwarding

ssh <gateway> -L <local_port_to_listen_to>:<remote_host>:<remote_port>

Remote port forwarding

ssh <gateway> -R <remote_port>:<local_host>:<local_port>

Dynamic port forwarding

ssh -D <local proxy port> -p <remote port> <target>
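As an added example, not part of the original cheat sheet: a small Python parser that pulls the -L/-R/-D forward specs described above out of ssh command lines, in the shape a host's execve or EDR log records them, and applies OpenSSH's default of binding loopback when no bind address is given. The sample command lines and the function names find_ssh_tunnels/audit are constructed for this example.

```python
import re
import shlex

# Constructed sample process command lines, shaped like a host execve/EDR
# log would record them (not taken from any real host).
SAMPLE_CMDLINES = [
    "ssh user@pivot -L 8090:localhost:8090 -N",
    "ssh -R 8090:localhost:8090 user@10.0.0.5",
    "ssh -D 1080 -p 2222 user@10.0.0.9",
    "ssh user@10.0.0.7",
    "ssh -L 127.0.0.1:3306:192.168.1.101:3306 -N -f user@pivot",
]

# OpenSSH forwarding flags and the tunnel type each one creates.
FORWARD_FLAGS = {"-L": "local", "-R": "remote", "-D": "dynamic"}

def parse_forward(kind, spec):
    """Split an -L/-R/-D spec into fields; an omitted bind address is loopback."""
    parts = spec.split(":")
    if kind == "dynamic":  # -D [bind_address:]port
        bind, port = parts if len(parts) == 2 else ("localhost", parts[0])
        return {"kind": kind, "bind": bind, "port": int(port)}
    if len(parts) == 4:    # -L/-R bind_address:port:host:hostport
        bind, port, host, hostport = parts
    elif len(parts) == 3:  # -L/-R port:host:hostport
        bind, (port, host, hostport) = "localhost", parts
    else:
        raise ValueError(f"unrecognised forward spec: {spec}")
    return {"kind": kind, "bind": bind, "port": int(port),
            "host": host, "hostport": int(hostport)}

def find_ssh_tunnels(cmdline):
    """Return the forward specs in one ssh command line ([] if none)."""
    argv = shlex.split(cmdline)
    tunnels, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in FORWARD_FLAGS and i + 1 < len(argv):  # "-L spec"
            tunnels.append(parse_forward(FORWARD_FLAGS[arg], argv[i + 1]))
            i += 2
            continue
        attached = re.match(r"^(-[LRD])(.+)$", arg)      # "-Lspec"
        if attached:
            tunnels.append(parse_forward(FORWARD_FLAGS[attached[1]], attached[2]))
        i += 1
    return tunnels

def audit(cmdlines):
    """Keep only the command lines that set up a tunnel, with their forwards."""
    return {c: find_ssh_tunnels(c) for c in cmdlines if find_ssh_tunnels(c)}
```

Running audit(SAMPLE_CMDLINES) keeps four of the five lines; the plain "ssh user@10.0.0.7" session creates no forward and is dropped.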
