Backlink: reference-notes-readme

Port Forwarding on Windows

plink.exe

We can use plink.exe to connect via SSH (-ssh) to our host machine (10.10.14.31), as a specified user (-l), with a specified password (-pw) and create a remote port forward (-R) of port 1234 (10.10.14.31:1234) to the CloudMe port on the Windows target (127.0.0.1:8888)

plink.exe -ssh -l root -pw securepassword1234 -R 10.10.14.31:1234:127.0.0.1:8888 10.10.14.31

Port Forwarding on Linux

SSH Local Port Forwarding

This is the standard way to port forward. We will tunnel a local port on our host over SSH, and connect it to a port listening on the localhost address of a remote host. This will allow us to interact with the service as if we were sitting at the remote host terminal.

This example tunnels with no ssh commands (-N), just setting up port forwarding (-L), binding to 8080 on the local host on the host side, then binding to 8080 on the localhost of the remote side, then connects to the remote machine with user@ip.

ssh -NL 127.0.0.1:8080:127.0.0.1:8080 bryan@10.10.10.200

You can also just leave off the local side address:

ssh -NL 8080:127.0.0.1:8080 bryan@10.10.10.200

Remote Port Forwarding

Remote SSH port forwarding specified with -R. The below command allows anyone on the remote server to connect to TCP port 8080 on the remote server. The connection is then tunneled back to the client host, and the client then makes a TCP connection to the port 80 on localhost. An example use case would be for giving someone on the outside access to an internal web server, or exposing an internal web application to the internet.

ssh -R 8080:127.0.0.1:80 root@kali

Proxy Chains (Dynamic Port Forwarding)

Now that we have a machine in another subnet we want to set up SSH dynamic port forwarding in order to set our local listening port and have it tunnel traffic to any remote destination through the proxy.

We create a local SOCKS5 proxy (-N -D) on our Kali machine on TCP port 1080 (127.0.0.1:1080), which will tunnel all incoming traffic to any host in the target network, through the compromised Linux machine, which we log into as sean (sean@10.11.1.251)

ssh -N -D 127.0.0.1:1080 -f sean@10.11.1.251

Now we need to configure ProxyChains for this SOCKS4 proxy

vim /etc/proxychains.conf

Now we can run our tools through the SOCKS4 proxy by prepending each command with proxychains.

For example, to run an nmap ping sweep on the IT subnet:

proxychains nmap -sP 10.1.1.1-254

BurpSuite supports it's own built in socks4 proxy. Use this for hitting web pages through the socks proxy. Note that this also works for tools like gobuster that don’t natively support socks4 proxies. Just set up a second local proxy listener in Burp, and set the forward action to send to the IP and port being targeted, then run tools like gobuster against the port set on the second local forward proxy you just set in Burp.

Proxychains through OpenConnect

OpenConnect is the open-source implementation of Cisco's AnyConnect VPN. A standard Proxychains SSH tunnel doesn't work out of the box when using this type of VPN connection. In order to tunnel traffic through a pivot host behind this type of VPN, a few things must be set up.

The below was adapted from: http://lists.infradead.org/pipermail/openconnect-devel/2016-January/003408.html

Clone the ocproxy repo, following the README instructions for building the binary. I had to install libevent2 on a default Kali installation.

apt install libevent-dev -y
cd /opt
git clone https://github.com/cernekee/ocproxy.git
cd ocproxy
./autogen.sh
./configure
make

Use the following to create a new proxychains configuration file.

strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 127.0.0.1 1090

Use the following to create a new shell script.

#!/usr/bin/env bash

trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
exec 3< <(/usr/sbin/openconnect -c 'pkcs11:model...' vpn.domain.tld -S --script "/opt/ocproxy/ocproxy -D 1090") # Change this port to match the port used in the new proxychains conf file
grep -m 1 "Connected (script) as" <&3 ; sleep 1s

Run the shell script to open the OpenConnect session, entering the required PIN/Password as requested.

./eroc-proxy-script.sh

In a new terminal, run the SSH Dynamic Port Forward command through this socks5 proxy on OpenConnect.

proxychains -f ./eroc-socks5.conf ssh -N -D 127.0.0.1:1080 userID@hostIP -f

Now, you