Remote Port Forwarding

Remote port forwarding is a technique used to redirect network traffic from a remote machine to a local machine, often to expose a local service to the remote network or bypass firewall restrictions. It is commonly used when a pentester has access to a remote machine but needs to make a local service available to the remote network or system.

In remote port forwarding, the pentester creates a tunnel between their local machine and a remote machine. The pentester binds a remote port on the compromised machine to a local port, allowing traffic to be forwarded from the remote machine to a service running on their local machine.


Techniques

SSH

## Single
ssh -R 9090:localhost:8080 rezy@10.10.10.10
# It forwards remote port 9090 to port 8080 on the local machine's localhost.

## For Pivoting
ssh -R 192.168.1.2:9090:localhost:8080 rezy@10.10.10.10
# Forwards port 9090 on the pivot host (192.168.1.2) to port 8080 on the
# local machine's localhost.
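
The `ssh -R` forms above only go as far as the remote sshd allows: by default the forwarded port is bound to loopback on the server, and a client-supplied bind address such as `192.168.1.2` is honoured only when `GatewayPorts` is enabled. The audit below is an added example, not part of the original page; its function names and the two sample configurations are constructed for illustration.

```python
# Added example: audit sshd_config text for the options that govern `ssh -R`.
# Simplification (assumption): only the global section is read; Match blocks are skipped.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitlisten": "any"}

# Constructed sample configurations, not taken from any real host.
WEAK = """Port 22
GatewayPorts clientspecified   # lets the client pick the bind address
AllowTcpForwarding yes
"""
HARDENED = """AllowTcpForwarding local
GatewayPorts no
"""

def effective_settings(config_text):
    """Return the effective global values; sshd keeps the first value per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":          # per-user/host overrides start here
            break
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = " ".join(parts[1:]).lower()
    return {**DEFAULTS, **seen}

def audit_remote_forwarding(config_text):
    """Return (code, message) findings describing what `ssh -R` clients may do."""
    s = effective_settings(config_text)
    if s["allowtcpforwarding"] not in ("yes", "all", "remote") or s["permitlisten"] == "none":
        return []                   # remote forwarding is refused outright
    findings = [("remote-forwarding-allowed",
                 "clients can open listeners with -R (AllowTcpForwarding=%s)" % s["allowtcpforwarding"])]
    if s["permitlisten"] == "any":
        findings.append(("listen-unrestricted", "PermitListen does not limit the ports"))
    if s["gatewayports"] != "no":
        findings.append(("non-loopback-bind",
                         "GatewayPorts=%s exposes forwarded ports beyond loopback" % s["gatewayports"]))
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_remote_forwarding(text) or "no remote-forwarding exposure")
```

Feeding it the output of `sshd -T` instead of the raw file also picks up included files and compiled-in defaults.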

Meterpreter

meterpreter > portfwd add -R -l 9090 -p 5678 -L 10.10.10.10

This command forwards traffic from port 5678 on the target machine (with IP address 10.10.10.10) to port 9090 on the attacker's machine.

Warning: Works only if we have a Meterpreter shell on the pivot host.

Socat

# From Pivot Host
socat TCP4-LISTEN:6969,fork TCP4:10.10.10.10:1337

This command forwards all traffic from localhost:6969 (i.e., the pivot host) to 10.10.10.10:1337 (i.e., the attack host).

Chisel

# Attack-Host
./chisel server -p 1337

# Target-Host
./chisel client <ATTACK-HOST-IP>:1337 L:8080:127.0.0.1:8080

It forwards the attack-host's 127.0.0.1:8080 to the target-host's 127.0.0.1:8080.

plink.exe

### [[[---WINDOWS---]]]
plink.exe -R 9090:localhost:22 rezydev@10.10.10.10

This forwards remote port 9090 on the target host to port 22 (SSH) on your local attack machine.