Port forwarding is a key activity in network security testing. Once we get an initial foothold in the victim network, the next stage is lateral movement inside the internal network, which is not directly reachable from outside. To reach the internal network the attacker routes traffic through a compromised machine, which is why this is called pivoting. The attacker uses the compromised machine as a pivot point to break into other internal machines.
Fig. DMZ and internal network (LAN)
To reach the internal network, the compromised machine must itself be connected to it. Suppose the attacker has access to machine ABC; it should have more than one interface, such as eth0 and eth1, one used for public communication and the other for the internal network. The interfaces can be listed with the usual network commands (ipconfig /all on Windows; ifconfig or ip addr on Linux).
Fig. Multiple Ethernet Interfaces
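The interface check above can be scripted so that a compromised Linux host's second, internal network is found at a glance. The following POSIX shell script is an added example, not part of the original post: it parses the output format of ip -o -4 addr show, works out each interface's network address with plain arithmetic (awk has no bitwise operators, so the network is computed as ip minus ip modulo 2^(32-prefix)), and labels RFC 1918 ranges as internal. SAMPLE is a constructed stand-in for real ip output so the script runs offline; the interface names and addresses in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): triage a compromised Linux host's
# IPv4 interfaces to find the internal network to pivot into.
# SAMPLE is a constructed stand-in for `ip -o -4 addr show`; on a real host use
#   pivot_networks "$(ip -o -4 addr show)"

SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.10.20.5/20 brd 10.10.31.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Print "iface network/prefix internal|external" for every non-loopback IPv4
# address. Network = ip - (ip mod 2^(32-prefix)); "internal" means an
# RFC 1918 range (10/8, 172.16/12, 192.168/16).
pivot_networks() {
    printf '%s\n' "$1" | awk '
    function ip2int(s,    o) {
        split(s, o, ".")
        return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
    }
    function int2ip(n) {
        return int(n / 16777216) "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256
    }
    $3 == "inet" {
        split($4, cidr, "/")
        ip = ip2int(cidr[1]); prefix = cidr[2] + 0
        net = ip - (ip % (2 ^ (32 - prefix)))
        if (net >= ip2int("127.0.0.0") && net < ip2int("128.0.0.0")) next   # loopback
        kind = "external"
        if (net >= ip2int("10.0.0.0")    && net < ip2int("11.0.0.0"))    kind = "internal"
        if (net >= ip2int("172.16.0.0")  && net < ip2int("172.32.0.0"))  kind = "internal"
        if (net >= ip2int("192.168.0.0") && net < ip2int("192.169.0.0")) kind = "internal"
        printf "%s %s/%d %s\n", $2, int2ip(net), prefix, kind
    }'
}

# Only the internal subnets, in the network/prefix form a route needs.
internal_networks() {
    pivot_networks "$1" | awk '$3 == "internal" { print $2 }'
}

# True (exit 0) when the host sits on both an external and an internal
# network, i.e. it is a usable pivot point.
is_pivot_candidate() {
    pivot_networks "$1" | awk '
        { seen[$3] = 1 }
        END { exit (seen["external"] && seen["internal"]) ? 0 : 1 }'
}

pivot_networks "$SAMPLE"
```

The output of internal_networks is the subnet to feed to the routing step (autoroute or route add) later on; a host that reports only one network is not a pivot point and the foothold needs to be moved elsewhere first.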
There are several techniques for reaching the internal network; we discuss some of them here. Which technique applies depends on the ports open on the compromised machine and on the firewall rules for inbound and outbound traffic.
The most commonly used techniques are the following:
Fig. Pivoting to Internal Network Using Metasploit
In this section we discuss techniques that use tools built into the Metasploit Framework:
We can use the Meterpreter built-in command portfwd. The basic form is:
meterpreter > portfwd add -l [local port on the attacker machine] -p [port on the target host] -r [target host IP]
This opens a listener on the attacker machine; connections to it are relayed through the Meterpreter session to the given host and port, so the internal target can then be reached as 127.0.0.1:[local port] from the attacker machine.
Hence
Autoroute is a Meterpreter post module used to add a route for the internal subnet through the current session:
meterpreter > run autoroute -s [ip_block of target machine]
Then, from the msfconsole prompt, start the SOCKS server so that tools outside Metasploit can use that route:
use auxiliary/server/socks4a
set SRVPORT [port number]
run
(Newer Metasploit releases replace this module with auxiliary/server/socks_proxy, where the SOCKS version is selected with set VERSION 4a.)
We use the proxychains tool shipped with Kali to push the network traffic of other tools through the Metasploit SOCKS server and, from there, through the session into the internal network.
First background the Meterpreter session (with the background command), then at the msfconsole prompt add a route to the internal network through that session and start the SOCKS server:
route add [IP_victim subnet] [netmask] [meterpreter session no.]
use auxiliary/server/socks4a
set SRVPORT [port number]
run
Then add the line socks4 127.0.0.1 1080 under the [ProxyList] section of /etc/proxychains.conf, with the port matching SRVPORT. Edit the file rather than overwriting it, because proxychains needs the rest of its configuration, and comment out any other proxy entries (such as the default Tor entry), otherwise they are chained in as well.
Tools started with proxychains, for example proxychains nmap -sT -Pn -n [target], are now routed through the session to the internal network.
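The proxychains configuration step is the one most often done wrong, whether the route was added with autoroute or with route add, so here it is as a script. This is an added example and not the post's own code: it rewrites only the [ProxyList] section of a proxychains config, keeps the chain settings above it, and comments out previous entries instead of deleting them. Kali ships the file as /etc/proxychains4.conf (proxychains-ng) or /etc/proxychains.conf on older builds; here a constructed copy of the stock file is written to a temp file so the script runs offline. The proxy type, host and port (socks4 127.0.0.1 1080) are placeholders matching the text.

```shell
#!/bin/sh
# Added example (not from the original post): point proxychains at the
# Metasploit SOCKS server without clobbering the rest of its configuration.

# Replace the active entries under [ProxyList] with a single proxy. Lines above
# the section (strict_chain, proxy_dns, timeouts) are kept; old proxy lines are
# commented out. With strict_chain a leftover entry, e.g. the default Tor
# "socks4 127.0.0.1 9050", would be chained in too and break every connection
# whenever that proxy is not running.
set_proxychains_proxy() {
    cfg=$1; entry="$2 $3 $4"
    if ! grep -q '^\[ProxyList\]' "$cfg"; then
        printf '\n[ProxyList]\n%s\n' "$entry" >> "$cfg"
        return 0
    fi
    awk -v entry="$entry" '
        /^\[ProxyList\]/ { print; print entry; inlist = 1; next }
        inlist && ($1 == "socks4" || $1 == "socks5" || $1 == "http") { print "# " $0; next }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# List the proxies proxychains will actually use (active lines under [ProxyList]).
active_proxies() {
    awk '
        /^\[ProxyList\]/ { inlist = 1; next }
        inlist && ($1 == "socks4" || $1 == "socks5" || $1 == "http") { print $1, $2, $3 }
    ' "$1"
}

# Constructed stand-in for the stock Kali proxychains config.
make_sample_config() {
    cat > "$1" <<'EOF'
# proxychains.conf  VER 3.1
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 127.0.0.1 9050
EOF
}

CFG=$(mktemp)
make_sample_config "$CFG"
set_proxychains_proxy "$CFG" socks4 127.0.0.1 1080
active_proxies "$CFG"   # socks4 127.0.0.1 1080
```

After running this against the real config file, confirm with active_proxies that exactly one entry is active, then scan with something like proxychains nmap -sT -Pn -n -p 22,80,445 [internal subnet]: a SOCKS proxy carries only TCP connections, so SYN scans and ICMP host discovery silently fail through it and -sT -Pn are required.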
Fig. SSH tunneling
For the techniques below, port 22 must be open on the compromised machine and the firewall must allow the corresponding inbound and outbound connection (for remote forwarding it is the compromised machine that connects out to the attacker's SSH server).
In this section, we will be discussing 3 types of tunneling.
Local port forwarding: the attacker machine is the SSH client and the compromised machine is the SSH server. A port on the attacker's local machine is forwarded through the SSH connection to the compromised machine, which then connects on the attacker's behalf to a destination host that is only reachable from the internal network.
Here is an example command (run on the attacker machine):
ssh -L [LOCAL_PORT]:[DESTINATION_IP]:[DESTINATION_PORT] [USER@]SSH_SERVER_IP
Connections to 127.0.0.1:[LOCAL_PORT] on the attacker machine now reach [DESTINATION_IP]:[DESTINATION_PORT].
Remote port forwarding works in the other direction: the compromised machine is the SSH client and connects out to the attacker machine, which runs the SSH server. The connection opens a listening port on the attacker machine that is tunnelled back through the compromised machine to the destination host. This is useful when inbound connections to the compromised machine are blocked but outbound ones are allowed.
Here is an example command (run on the compromised machine):
ssh -R [REMOTE_BIND_ADDRESS:][REMOTE_PORT]:[DESTINATION]:[DESTINATION_PORT] [USER@]SSH_SERVER
The attacker then connects to [REMOTE_PORT] on the SSH server (their own machine) to reach [DESTINATION]:[DESTINATION_PORT].
Dynamic port forwarding is the easiest of the three to use and understand. Instead of forwarding a single port it creates a SOCKS proxy on the attacker machine, so any host and port reachable from the compromised machine can be addressed through it. The compromised machine acts as the SSH server and the attacker machine as the SSH client; tools on the attacker machine are pointed at the SOCKS port (for example via proxychains) and reach internal hosts through the tunnel.
Here is an example command:
ssh -D [LOCAL_IP]:[LOCAL_PORT] [USER]@[SSH_SERVER]
Use 127.0.0.1 as [LOCAL_IP] unless other machines genuinely need the proxy; binding to 0.0.0.0 exposes the tunnel to anyone who can reach the attacker machine.
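The three forwarding commands differ only in which side listens, so it is easy to mix up the argument order or leave a listener exposed on all interfaces. The script below is an added example (not code from the original post) that builds each command with the listener pinned to 127.0.0.1 and checks, from ss -H -ltn output, that the forward is up and where it is bound. The hosts, users and ports are placeholders, and SS_SAMPLE is a constructed stand-in for real ss output so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): build ssh local/remote/dynamic
# forwards and verify the resulting listener.
# On a real host replace SS_SAMPLE with "$(ss -H -ltn)".

# $1 mode (local|remote|dynamic), $2 [user@]ssh_server, $3 bind port,
# $4 destination host, $5 destination port (ignored for dynamic).
# -N opens no remote shell, -f backgrounds ssh once the forward is established.
# The listener is bound to 127.0.0.1 explicitly; "local" and "dynamic" run on
# the attacker machine, "remote" runs on the compromised machine with $2 being
# the attacker's SSH server.
ssh_forward_cmd() {
    case $1 in
        local)   printf 'ssh -N -f -L 127.0.0.1:%s:%s:%s %s\n' "$3" "$4" "$5" "$2" ;;
        remote)  printf 'ssh -N -f -R 127.0.0.1:%s:%s:%s %s\n' "$3" "$4" "$5" "$2" ;;
        dynamic) printf 'ssh -N -f -D 127.0.0.1:%s %s\n' "$3" "$2" ;;
        *)       return 1 ;;
    esac
}

# Constructed `ss -H -ltn` output: a loopback-only forward on 8080 (v4 and v6)
# and a SOCKS listener on 1080 that was bound to all interfaces by mistake.
SS_SAMPLE='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*'

# Print the address(es) the given port is bound to, one per line;
# exit 1 when nothing listens there, i.e. the forward did not come up.
listener_bind() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            addr = $4; p = $4
            sub(/:[0-9]+$/, "", addr); sub(/.*:/, "", p)
            if (p == port) { print addr; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 when some listener on the port is bound to anything other than
# loopback (0.0.0.0, *, or a real address), which exposes the pivot to others.
listener_exposed() {
    listener_bind "$1" "$2" | grep -qv -e '^127\.' -e '^\[::1\]$'
}

ssh_forward_cmd local root@203.0.113.10 8080 10.10.20.5 80
listener_bind "$SS_SAMPLE" 8080
```

Run listener_bind right after the ssh command returns; if it exits 1 the forward failed (typically a wrong destination or a port already in use), and if listener_exposed succeeds the bind address should be changed before the tunnel is used.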
We have discussed some of the most used techniques here. There are many more, but several are scenario specific and are not covered in this post. Please check the references below for a better understanding and for other ways of pivoting and port forwarding.
References:
Author,
Abhijit Karande
Attack &PenTest Team
Varutra Consulting Pvt. Ltd.