Module 20 (Port Redirection and Tunneling)

The concept behind Port Forwarding

Port Redirection

  • Port redirection is the process of redirecting traffic that arrives on one port of a local machine to another port, either on the same machine or on a remote machine.

  • For example, you could use port redirection to redirect traffic from port 80 (the HTTP port) to port 8080 (a non-standard port).

  • This would let you reach a web application that is running on port 8080 from a remote machine, even if the firewall on the remote machine blocks traffic to port 8080.

  • Port redirection can be implemented using the built-in features of a firewall or router.

  • For example, many firewalls and routers let you create port-forwarding rules that redirect traffic from one port to another. You can also use third-party software to implement port redirection.

  • For example, the PuTTY SSH client includes a port forwarding feature that allows you to redirect traffic from a local port to a remote port.

Tunneling

Tunneling is the process of encapsulating data from one network protocol within another network protocol. For example, you could use tunneling to carry TCP traffic inside UDP traffic, which would allow you to bypass a firewall that blocks TCP traffic.

Tunneling can be implemented using a variety of protocols, including:

  • Secure Shell (SSH)

  • Point-to-Point Tunneling Protocol (PPTP)

  • Layer 2 Tunneling Protocol (L2TP)

  • Virtual Private Network (VPN)

SSH tunneling is a popular tunneling technique that is often used to connect securely to remote machines. SSH tunneling can be used to access remote applications, connect to a remote network, or encrypt traffic between two machines.

PPTP and L2TP are tunneling protocols that are often used to create virtual private networks (VPNs). A VPN gives you a secure connection between your computer and a remote network, even when you reach the internet through an untrusted network.

Attack Simulation

  • SSH Tunneling

    • SSH Remote Port Forwarding

    • SSH Dynamic Port Forwarding

    • SSH Local Port Forwarding

SSH Local Port Forwarding

ssh -N -L [bind_address:]port:host:hostport [username@address]
sudo ssh -L 127.0.0.1:80:192.168.1.19:80 victim@192.168.1.10

The -N flag opens no remote shell, only the tunnel. The second command listens on 127.0.0.1:80 locally (a privileged port, hence sudo) and sends every connection through the SSH server 192.168.1.10 to 192.168.1.19:80.

SSH Remote Port Forwarding (reverse tunneling)

ssh -N -R [bind_address:]port:host:hostport [username@address]
sudo ssh -R 8080:127.0.0.1:80 attacker@192.168.1.8

Here the SSH server 192.168.1.8 listens on port 8080 and forwards each connection back through the tunnel to port 80 on the machine that ran the command. Whether that listener is reachable beyond the server's loopback interface is controlled by the server's GatewayPorts setting.

SSH Dynamic Port Forwarding

ssh -D 8080 vps@112.125.1.54

This opens a SOCKS proxy on local port 8080; any client configured to use it has its connections relayed through 112.125.1.54 to whatever destination the client asks for.
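All three modes above only work if the SSH server permits them, which is where a defender can switch them off. The following bash script is an added example, not code from the original page: it audits an sshd_config for the OpenSSH directives AllowTcpForwarding, GatewayPorts, PermitTunnel and DisableForwarding, assuming the stock OpenSSH defaults and using two constructed sample configs.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit an sshd_config for the
# directives that decide whether the -L/-R/-D tunnels shown above can work.
# OpenSSH defaults assumed: AllowTcpForwarding yes, GatewayPorts no,
# PermitTunnel no, DisableForwarding no. Match blocks are not evaluated.
# Effective value of a directive: sshd keeps the first occurrence and keywords
# are case-insensitive; an absent directive falls back to the given default.
sshd_value() {   # sshd_value <config> <directive> <default>
  v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print tolower($2)}')
  printf '%s\n' "${v:-$3}"
}

# Prints one finding per permissive directive; returns 1 if any, else 0.
audit_sshd() {   # audit_sshd <config>
  cfg=$1; findings=0
  if [ "$(sshd_value "$cfg" DisableForwarding no)" = yes ]; then
    echo "ok: DisableForwarding yes turns off every forwarding type"; return 0
  fi
  # -L, -R and -D all need TCP forwarding; GatewayPorts additionally decides
  # whether an -R listener is reachable beyond the server's loopback.
  tcpfwd=$(sshd_value "$cfg" AllowTcpForwarding yes)
  if [ "$tcpfwd" != no ]; then
    echo "finding: AllowTcpForwarding $tcpfwd permits -L/-R/-D tunnels"; findings=1
  fi
  gw=$(sshd_value "$cfg" GatewayPorts no)
  if [ "$gw" != no ]; then
    echo "finding: GatewayPorts $gw exposes -R listeners beyond loopback"; findings=1
  fi
  if [ "$(sshd_value "$cfg" PermitTunnel no)" != no ]; then
    echo "finding: PermitTunnel allows tun-device tunnels (ssh -w)"; findings=1
  fi
  return $findings
}

# Constructed sample configs (not from any real host) so this runs offline.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
Port 22
allowtcpforwarding yes
GatewayPorts clientspecified
EOF
cat >"$HARDENED_CONF" <<'EOF'
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
EOF
audit_sshd "$WEAK_CONF" || echo "weak config: client-side tunnels are possible"
audit_sshd "$HARDENED_CONF" && echo "hardened config: no forwarding findings"
```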

Bash

# On the jump server: listen on 5985 (for the operator) and on 3333 (for InternalA)
# and bridge the two listeners through a named pipe
mknod backpipe p
nc -nvlp 5985 0<backpipe | nc -nvlp 3333 1>backpipe &

# On InternalA (reachable from Jump, and able to reach InternalB):
## connect to the WinRM port of InternalB and to Jump:3333, then relay in both directions
## (/dev/tcp/<host>/<port> is a bash built-in pseudo-device, not a real file)
exec 3<>/dev/tcp/internalB/5985
exec 4<>/dev/tcp/Jump/3333
cat <&3 >&4 &
cat <&4 >&3 &

# From the host, WinRM traffic sent to Jump:5985 now reaches InternalB
evil-winrm -u username -i Jump
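Whether a forwarded port is a private foothold or a network-wide open door is decided by its bind address: the ssh forms above listen on loopback unless a bind_address is given, while nc -nvlp 3333 listens on every interface. As an added defender-side example (not from the original page), this bash function takes ss -ltnp output and reports ssh and nc listeners that are not bound to loopback; the listing it runs on is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): list ssh/nc listeners that are
# not bound to loopback, from the output of `ss -ltnp`. Assumes the ss column
# layout "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process"
# and that the Process column is present (ss -p needs root for other users).
exposed_tunnel_listeners() {   # usage: ss -ltnp | exposed_tunnel_listeners
  awk 'NR > 1 {
    n = split($6, p, "\"")                    # users:(("nc",pid=..)) -> p[2] is nc
    proc = (n >= 2) ? p[2] : "?"
    if (proc != "ssh" && proc != "nc") next   # sshd and other daemons are not tunnels
    i = match($4, /:[0-9]+$/)                 # split "addr:port" at the last colon
    bind = substr($4, 1, i - 1)
    if (bind == "127.0.0.1" || bind == "[::1]") next
    print proc, $4
  }'
}

# Constructed sample listing (not from a real host): an -L forward kept on
# loopback, a -D SOCKS listener bound to every IPv6 address, the nc relay from
# the Bash section bound to every IPv4 address, and sshd itself.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    [::]:1080          [::]:*            users:(("ssh",pid=4242,fd=6))
LISTEN 0      10     0.0.0.0:3333       0.0.0.0:*         users:(("nc",pid=5150,fd=3))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))'

printf '%s\n' "$SAMPLE_SS" | exposed_tunnel_listeners
```

Only the two listeners reachable from other hosts are reported; the loopback -L forward and sshd's own port 22 are left out.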

Resources


  • Tunneling and Port Forwarding (HackTricks)