Penetration testing

Tunneling and port forwarding tools used during red teaming assessments

Security experts traverse network boundaries to access internal infrastructures and sensitive information even over the most protected and secure environments. With tunneling and port-forwarding methods, a pivot machine inside the internal network can be used as a bounce machine to connect with other unrouted networks, critical devices, active directory assets, including the AD controller, and all the perimeter.

Most Popular Tools

Sshuttle

Sshuttle is a transparent proxy server over ssh that works as a simple VPN. It doesn’t require admin access ad forwards the traffic over SSH protocol. This tool also supports DNS tunneling when TCP communication is blocked by default.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

To transfer traffic to 10.10.10.0/24 via the pivot, we can use the following command:

sshuttle -r ptavares@192.168.2.105 10.10.10.0/24

After that, sshuttle will create the iptables rules, and the communication can be done by using a command like this:

curl --head http://10.10.10.2

URL: https://github.com/sshuttle/sshuttle

SSH Tunneling

Suppose you find a way to communicate with the SSH server installed on the target server, connect with the -D flag. With this parameter in place, the tool will spawn a socks server on the client side.

ssh ptavares@192.168.2.105 -D 1080

On the other hand, specifying a single port to forward is also possible using -L fag.

ssh ptavares@192.168.2.105 -L 445:192.168.2.105:445

nmap -p 445 127.0.0.1

More details can be found here.

Rpivot

Rpivot is a SOCKS proxy based on a pivot tool that works like an SSH dynamic proxy (-D option). However, it works in reverse order.

Server - auditor’s machine

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client — target machine

python client.py --server-ip <ip> --server-port 9443

The server will create a SOCKS proxy over the port 1080 that will forward all the traffic through the client — the target machine.

This kind of approach can also be used in active directory networks with the following syntax:

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \

--ntlm-proxy-port 8080 --domain CORP --username ptavares--password !infosec.institute

URL: https://github.com/klsecservices/rpivot

Meterpreter - autoroute

Port forwarding and pivoting can also be done using the meterpreter framework and the powerful tool: proxychains.

To automatically route, use the following:

run autoroute -s 192.168.5.1/24

run autoroute -p

use auxiliary/server/socks4a

set SRVPORT 8080

run

proxychains curl http://192.168.5.40

More information about this scenario is here.

URL: https://github.com/rapid7/meterpreter

Chisel

Chisel is a tool that encapsulates a TCP session in an HTTP tunnel while securing it via SSH. In detail, the communication is full-encrypted via SSH, and it supports mutual authentication, automatic reconnection and has its private SOCKS 5 proxy server.

Local port forwarding via Chisel

Pivot machine:

$ chisel server -p 8080 --host 192.168.2.105 -v

Auditor’s machine:

$ chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80

$ curl --head http://127.0.0.1:33333

Reverse remote port forwarding

Auditor’s machine:

$ chisel server -p 8888 --host 192.168.2.149 --reverse -v

Pivot machine:

$ chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80

$ curl --head http://127.0.0.1:44444

A full scenario using Chisel can be found here.

URL: https://github.com/jpillora/chisel

Web-proxies / reGeorg and Tunna

ReGeorg and Tunna are very similar and work with a web shell to create a local SOCKS proxy. This is an excellent way in the most challenging scenarios, for instance, when all the TCP communication, bind services, and outgoing traffic is blocked.

The steps to create the scenario are the following:

Upload the tunnel file (aspx|ashx|jsp|php) to the target webserver (by using how the server was compromised or accessed).
Use: reGeorgSocksProxy.py

$ python reGeorgSocksProxy.py -p 8080 -u http://server:8080/tunnel.jsp

re-Georg: https://github.com/sensepost/reGeorg

Tunna: https://github.com/SECFORCE/Tunna

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

A list of real scenario examples and the effectiveness of various port forwarding and tunneling methods can also be accessed in this article.

Sources:

A Red Teamer's guide to pivoting, artkond
SSH pivoting, ired.team
Pivoting, GitBook - Segurança Informática

Posted: January 17, 2022

Pedro Tavares

View Profile

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.