Port Forwarding – Pivoting and Tunneling
Port forwarding is a key activity in any network security test. Once we get an initial foothold in the victim network, the next stage is lateral movement inside the victim’s internal network, which is not directly accessible from outside. To reach the internal network the attacker pivots through a compromised machine, which is why the activity is called pivoting: the compromised machine is used as a pivot point from which other internal machines are attacked.
Fig. DMZ and internal network (LAN)
To access the internal network, the compromised machine must itself be connected to it. Suppose the attacker has access to machine ABC; this machine should then have more than one interface, such as eth0 and eth1, one of which is used for public communication and the other for the internal network. The interfaces can be listed with the usual network commands (Windows: ipconfig /all, Linux: ifconfig).
Fig. Multiple Ethernet Interfaces
There are several techniques for reaching internal networks; we will discuss some of them here. Which technique applies depends on the ports open on the machine and on the firewall rule set for inbound and outbound traffic.
We will discuss the most used techniques, listed below:
- Routing with Metasploit.
- SSH Tunneling.
- Routing with Metasploit: To use the techniques below we first need an active Meterpreter session on the machine that has both internal and external connections.
Fig. Pivoting to Internal Network Using Metasploit
In this section we will discuss some techniques that use tools built into the Metasploit Framework (plus Proxychains, which ships with Kali):
- PORTFWD
- Autoroute
- Proxychains
- PORTFWD
We can use the Meterpreter built-in command “portfwd” with some arguments. The basic command looks like:
meterpreter > portfwd add -l [pivoting port] -p [final port] -r [target host IP]
Where:
- add: adds a forward (delete, list and flush are also available)
- -l: the local port that will listen on the attacking (our) machine. Connections to this port will be forwarded to the remote system.
- -p: the port on the target machine to which connections will be forwarded.
- -r: the IP address of the final target machine (the internal host reached through the compromised machine).
- Autoroute
Autoroute is a built-in command in Meterpreter used to route network traffic.
- In the Meterpreter session, run the autoroute command as below, then background the session.
meterpreter > run autoroute -s [ip_block of target machine]
- Use the socks proxy module from Metasploit and set the port to listen on; this opens the listening port on our machine:
use auxiliary/server/socks4a
set SRVPORT [port number]
run
- Now you can contact the target machine directly through that opened port on our machine.
- Proxychains
We use the Proxychains tool built into Kali Linux to proxy network traffic from host to host.
First, background the Meterpreter session (with the “background” command).
- Use the route command from the Metasploit console as below, which adds a route:
route add [IP_victim] [netmask] [meterpreter session no.]
- Run the Metasploit socks proxy module, set up the server and set the port to whatever you want:
use auxiliary/server/socks4a
set SRVPORT [port number]
run
- Now we need a rule to route all traffic through the SOCKS proxy. The command below adds that rule by appending to the existing config (overwriting the file with a single “>” would drop the [ProxyList] section that proxychains needs); the port must match the SRVPORT set above:
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
Now all traffic sent through proxychains will be routed to the target machine.
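Whichever of the three Metasploit-side techniques is used, every connection the attacker makes into the LAN has the dual-homed pivot host as its source address. The following is an added example, not code from the original article and not part of Metasploit, of how a defender can spot that from flow records (NetFlow, Zeek conn logs or similar): one source suddenly reaching many distinct internal hosts on many distinct ports inside a short window. The record format, the internal subnet and the thresholds are assumptions, and the flow records are constructed.

```python
"""
Pivot fan-out detection over flow records (added example; the flow format,
subnet and thresholds are assumptions, the records are constructed).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_LAN = ip_network("10.0.2.0/24")      # assumed LAN behind the pivot
_EPOCH = datetime(1970, 1, 1)                 # naive epoch used for bucketing

# Constructed records: "<iso timestamp> <src> <dst> <dst_port>".
# 10.0.1.5 is the dual-homed host: it normally talks to one file server, then
# later sweeps the internal /24 through the tunnel.
SAMPLE_FLOWS = [
    "2024-01-10T09:00:01 10.0.1.5 10.0.2.10 445",
    "2024-01-10T09:00:05 10.0.1.7 10.0.2.10 445",
    "2024-01-10T09:01:00 10.0.1.5 10.0.2.10 445",
] + [
    f"2024-01-10T10:15:{i:02d} 10.0.1.5 10.0.2.{20 + i} {port}"
    for i, port in enumerate(
        [22, 445, 3389, 80, 443, 135, 139, 8080, 5985, 1433, 3306, 21])
]


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)


def pivot_candidates(lines, window=timedelta(minutes=5), min_hosts=8, min_ports=4):
    """Return {src: (window_start, distinct_hosts, distinct_ports)} for every
    source whose fan-out into INTERNAL_LAN inside one time bucket reaches
    both thresholds. Fixed buckets keep the logic short; a sliding window
    would also catch a sweep that straddles a bucket boundary."""
    buckets = defaultdict(lambda: (set(), set()))
    width = window.total_seconds()
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if dst not in INTERNAL_LAN:
            continue                      # only count reach into the LAN
        bucket = int((ts - _EPOCH).total_seconds() // width)
        hosts, ports = buckets[(src, bucket)]
        hosts.add(dst)
        ports.add(port)
    hits = {}
    for (src, bucket), (hosts, ports) in buckets.items():
        if len(hosts) >= min_hosts and len(ports) >= min_ports:
            start = _EPOCH + timedelta(seconds=bucket * width)
            hits[str(src)] = (start, len(hosts), len(ports))
    return hits


if __name__ == "__main__":
    for src, (start, hosts, ports) in pivot_candidates(SAMPLE_FLOWS).items():
        print(f"{src}: {hosts} internal hosts / {ports} ports from {start:%H:%M}")
```

On the sample data only 10.0.1.5 is reported, for the 10:15 bucket, with 12 hosts and 12 ports; its ordinary traffic to the file server at 09:00 stays under both thresholds. In production the thresholds should be tuned per segment, and hosts that legitimately fan out (vulnerability scanners, monitoring) allow-listed.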
- SSH tunneling: In this method service ports are relayed over encrypted SSH connections between the server and client machines. This is one of the safest methods, doesn’t require any separate tool, and applies to Windows as well as Linux.
Fig. SSH tunneling
To use the techniques below, port 22 should be open on the compromised machine and outbound and inbound connections must be allowed.
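The other precondition, which the distribution defaults satisfy, is that sshd on the compromised machine permits forwarding at all. The following is an added example, not from the original article and not OpenSSH code, of a small audit that reads an sshd_config, takes the first global value of each forwarding-related directive (as sshd does, ignoring later repeats and anything inside a Match block), applies the default documented in sshd_config(5) when a directive is absent, and reports permissive settings next to the hardened value. Both configs are constructed samples.

```python
"""
sshd_config forwarding audit (added example; the sample configs are
constructed, the directive table follows sshd_config(5)).
"""
import re

# directive -> (default when absent, values that allow forwarding, hardened value)
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding":         ("yes", {"yes", "all", "local", "remote"}, "no"),
    "allowstreamlocalforwarding": ("yes", {"yes", "all", "local", "remote"}, "no"),
    "gatewayports":               ("no",  {"yes", "clientspecified"},        "no"),
    "permittunnel":               ("no",  {"yes", "point-to-point", "ethernet"}, "no"),
    "permitopen":                 ("any", {"any"},                           "none"),
}

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.*)$")


def global_directives(text):
    """Map lowercase keyword -> first value seen in the global section.
    Parsing stops at the first Match block because its settings apply only
    to matching sessions; sshd uses the first value given for a keyword, so
    later repeats are ignored."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":
            break
        found.setdefault(key, value)
    return found


def audit(text):
    """Return [(directive, effective_value, hardened_value)] for every
    forwarding directive that is permissive, explicitly or by default."""
    present = global_directives(text)
    findings = []
    for key, (default, permissive, hardened) in FORWARDING_DIRECTIVES.items():
        value = present.get(key, default)
        if value in permissive:
            findings.append((key, value, hardened))
    return findings


WEAK_CONFIG = """\
# constructed sample: a typical default, forwarding wide open
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
Match User backup
    AllowTcpForwarding no
"""

HARDENED_CONFIG = """\
# constructed sample: no TCP or socket forwarding, no tun devices
Port 22
PermitRootLogin no
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
PermitOpen none
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no permissive forwarding directives")
```

The weak sample produces four findings: AllowTcpForwarding and GatewayPorts are explicitly permissive, while AllowStreamLocalForwarding and PermitOpen are permissive by default because they are never set; the Match block’s “AllowTcpForwarding no” only applies to the backup user and is correctly not counted as the global value. Where some forwarding is required, PermitOpen with an explicit host:port list is the narrower alternative to disabling it outright.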
In this section, we will be discussing 3 types of tunneling.
- Local Port Forwarding
- Remote Port Forwarding
- Dynamic Port forwarding
- Local Port Forwarding:
Local port forwarding forwards a port on the local machine to the compromised machine, which then connects on to a destination machine that is reachable only from the internal network. To make the connection to the destination host port, the attacker machine serves as the ssh server and the compromised machine as the ssh client.
Here is an example command:
ssh -L [LOCAL_PORT]:[DESTINATION_IP]:[DESTINATION_PORT] [USER@]SSH_SERVER_IP
- Remote Port Forwarding:
To make a connection with the destination host, the compromised machine acts as the ssh server and tunnels traffic to the destination host. The attacker acts as the ssh client and connects to the destination through the ssh server, which is the compromised machine.
Here is an example command:
ssh -R [REMOTE]:[REMOTE_PORT]:[DESTINATION]:[DESTINATION_PORT] [USER@]SSH_SERVER
- Dynamic Port Forwarding:
This is the easiest of the techniques and the least complex to understand. It also provides communication across a range of ports on the destination host rather than a single port. The compromised machine acts as the ssh server and can create a tunnel to the destination port; the attacker machine acts as the ssh client and, by connecting to the ssh server (the compromised machine), can access the destination host.
Here is an example command:
ssh -D [LOCAL_IP]:[LOCAL_PORT] [USER]@[SSH_SERVER]
Here we have discussed some of the most used techniques. There are many more, but some are scenario-specific, so we do not cover them here. Please check the references below for a better understanding and to learn other ways of pivoting and port forwarding.
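Endpoint telemetry (auditd execve records, EDR process events) captures the full ssh command line, so the three forwarding forms just described can be recognised straight from it. The following is an added example, not from the original article and not OpenSSH code, that parses -L, -R and -D specifications out of recorded command lines into where the listener is opened and what it reaches, and filters a batch of command lines down to those that open a tunnel. The command lines are constructed; the option table is the set of ssh(1) options that take a value, kept so that the server argument is not mistaken for an option value. Bracketed IPv6 bind addresses are not handled.

```python
"""
Recognising SSH tunnel flags in recorded process command lines (added
example; the command lines are constructed).
"""
import os
import shlex

# ssh(1) options that consume the next argument; all others are bare switches.
OPTS_WITH_VALUE = set("BbcDEeFIiJLlmOoPpQRSWw")

SAMPLE_CMDLINES = [                                           # constructed
    "ssh -L 8080:10.0.2.10:80 user@10.0.1.5",
    "ssh -N -R 0.0.0.0:2222:127.0.0.1:22 user@198.51.100.7",
    "/usr/bin/ssh -D 127.0.0.1:1080 -f -N user@10.0.1.5",
    "ssh user@10.0.1.5 uptime",
    "ssh -p 2222 -L 127.0.0.1:3389:10.0.2.20:3389 admin@10.0.1.5",
]


def describe_forward(kind, spec):
    """Turn one -L/-R/-D spec into a dict: where the listener is opened and
    what it reaches. The default bind is the loopback address on whichever
    side listens (the client for -L and -D, the server for -R)."""
    parts = spec.split(":")
    if kind == "D" or (kind == "R" and len(parts) <= 2):
        # [bind:]port  -> SOCKS listener, any destination
        bind = ":".join(parts[:-1]) or "localhost"
        return {"type": "dynamic" if kind == "D" else "remote-dynamic",
                "listen": f"{bind}:{parts[-1]}", "target": "any (SOCKS)"}
    # [bind:]port:host:hostport
    bind = parts[-4] if len(parts) == 4 else "localhost"
    port, host, hostport = parts[-3], parts[-2], parts[-1]
    return {"type": "local" if kind == "L" else "remote",
            "listen": f"{bind}:{port}", "target": f"{host}:{hostport}"}


def parse_ssh_cmdline(cmdline):
    """Return {"server": "[user@]host" or None, "forwards": [...]} for an ssh
    invocation, or None when the program is not ssh."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "ssh":
        return None
    forwards, server, i = [], None, 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-") and len(arg) > 1:
            letter = arg[1]
            if letter in OPTS_WITH_VALUE:
                attached = len(arg) > 2               # -L8080:... vs -L 8080:...
                value = arg[2:] if attached else (argv[i + 1] if i + 1 < len(argv) else "")
                if letter in "LRD" and value:
                    forwards.append(describe_forward(letter, value))
                i += 1 if attached else 2
            else:
                i += 1                                # bare switch such as -N or -f
        else:
            server = arg                              # first non-option argument
            break                                     # anything after it is the remote command
    return {"server": server, "forwards": forwards}


def find_tunnels(cmdlines):
    """Filter recorded command lines down to ssh invocations that open a tunnel."""
    hits = []
    for cmd in cmdlines:
        info = parse_ssh_cmdline(cmd)
        if info and info["forwards"]:
            hits.append((cmd, info))
    return hits


if __name__ == "__main__":
    for cmd, info in find_tunnels(SAMPLE_CMDLINES):
        for fwd in info["forwards"]:
            print(f"{info['server']}: {fwd['type']} listen {fwd['listen']} -> {fwd['target']}")
```

Four of the five constructed command lines open a tunnel; the plain “ssh user@host uptime” does not. A remote forward bound to 0.0.0.0 (the second sample) deserves the most attention in review, since it exposes an internal service on every interface of the SSH server, and will only work if that server has GatewayPorts enabled.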
References:
- https://linuxize.com/post/how-to-setup-ssh-tunneling/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md
- https://sushant747.gitbooks.io/total-oscp-guide/content/port_forwarding_and_tunneling.html
Author,
Abhijit Karande
Attack & PenTest Team
Varutra Consulting Pvt. Ltd.