Port Forwarding and Tunnelling


SSH Tunnelling

  • Flags:
    • -f Send ssh to the background just before command execution
    • -N Do not execute a remote command (forwarding only)
    • -L Local port forwarding
    • -R Remote port forwarding
    • -D Dynamic port forwarding
  • Forward ports over existing SSH session
    • Press enter and then ~C to bring up ssh console to forward ports
    • Press enter and then ~? for help menu
  • Local port forwarding
    • Listen on a port on the local machine and forward traffic sent to it, through the SSH server, to a port on the remote host
    • ssh <username>@<ssh server> -L <local port>:<remote host>:<remote port>
  • Remote port forwarding
    • Listen on a port on the remote machine (the SSH server) and forward traffic sent to it back through the tunnel to a host and port reachable from the local machine
    • ssh <username>@<ssh server> -R <remote port>:<local host>:<local port>
  • Dynamic port forwarding
    • Open a SOCKS proxy on a local port; TCP connections made through it are forwarded via the SSH server, so open ports on the victim side become reachable from the attacker machine
      • Setup:
        • Append "socks4 127.0.0.1 <local port #>" to the bottom of /etc/proxychains.conf (proxychains expects the proxy type before the address)
        • ssh <username>@<ssh server> -D <port set in /etc/proxychains.conf>
    • Once dynamic port forwarding is set up, you can reach TCP services through the remote machine by prepending "proxychains" to your commands.
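
The side that opens the listening port differs between -L, -R and -D, which matters when reviewing ssh command lines in process or audit logs. The parser below is an added example, not part of the original page; the function names, sample hosts and ports are made up, and it assumes OpenSSH option syntax without bracketed IPv6 addresses.

```python
import shlex

ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")  # ssh(1) options that take a value
LISTENER = {"L": "client", "R": "server", "D": "client"}  # side that opens the port

def parse_spec(flag, spec):
    """Parse [bind_address:]port[:host:hostport] for -L, -R or -D."""
    parts = spec.split(":")  # assumption: no bracketed IPv6 addresses
    if flag in "LR" and len(parts) in (3, 4):
        head, dest = parts[:-2], f"{parts[-2]}:{parts[-1]}"
    elif flag in "DR" and len(parts) in (1, 2):
        head, dest = parts, "socks"  # destination is chosen per connection
    else:
        raise ValueError(f"bad -{flag} spec: {spec!r}")
    bind = head[0] if len(head) == 2 else "loopback"
    return {"flag": flag, "listens_on": LISTENER[flag], "bind": bind,
            "port": int(head[-1]), "dest": dest,
            # Empty, '*' or 0.0.0.0 asks for a listener on every interface.
            "exposed": bind in ("", "*", "0.0.0.0")}

def find_forwards(cmdline):
    """Return every -L/-R/-D forward requested on an ssh command line."""
    tokens = shlex.split(cmdline)[1:]  # drop the 'ssh' word itself
    forwards, seen_host, i = [], False, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if not tok.startswith("-"):
            if seen_host:  # second positional starts the remote command
                break
            seen_host = True
            continue
        for j, opt in enumerate(tok[1:], start=2):  # bundled flags, e.g. -fNL
            if opt in ARG_OPTS:
                value = tok[j:]  # value glued to the flag...
                if not value and i < len(tokens):
                    value, i = tokens[i], i + 1  # ...or in the next token
                if opt in LISTENER:
                    forwards.append(parse_spec(opt, value))
                break
    return forwards

SAMPLES = [  # constructed command lines; hosts and ports are made up
    "ssh -fN -L 8080:10.0.0.5:80 user@jump.example",
    "ssh user@jump.example -R 0.0.0.0:4444:localhost:22",
    "ssh -ND1080 user@jump.example",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", find_forwards(line))
```

A wildcard bind on -R only takes effect when the server's GatewayPorts setting allows it, so "exposed" here reports what was requested, not what the server granted.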

Chisel

  • Set up listener port: chisel server --reverse --port <port #>
  • Forward port to listener: chisel client <listener ip>:<chisel server port #> R:<port # to open listener on>:localhost:<port # being forwarded>

socat

  • Syntax: socat [options] <address> <address>
    • Address format: protocol:ip:port
  • Forward connection from localhost to remote host: socat TCP4-LISTEN:<local port>,fork,reuseaddr TCP4:<remote host>:<remote port>

rinetd

  • Configuration file located in /etc/rinetd.conf
    • bindaddress and bindport
      • The listening IP/port
    • connectaddress and connectport
      • The IP/port that connections are forwarded to
  • Restart service after updating conf file