Port forwarding

Socat

# Run socat on the TARGET_1 machine
socat -ddd TCP-LISTEN:<LPORT>,fork TCP:<TARGET_2>:<RPORT>   # Verbose
socat TCP4-LISTEN:<LPORT>,fork TCP4:<TARGET_2>:<RPORT> &    # Run socat in the background

As an attacker, we can connect to <TARGET_1>:<LPORT> to forward traffic to <TARGET_2>:<RPORT>.

Socat is configured on TARGET_1 to listen on TCP port LPORT on its WAN interface. Incoming connections to that port are forwarded to TCP port RPORT on TARGET_2. This lets the attacker machine reach a service on TARGET_2 by routing traffic through TARGET_1.

The key detail here is that both listening and forwarding were handled locally on TARGET_1.
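From the defender's side, that local listen-and-forward shape is also what gives a relay away on TARGET_1: one process holds a listening socket, an inbound connection on that port, and an outbound connection to another host. The following check is an added example (not part of the original notes); it parses constructed `ss -tnp`-style lines, and the process names, PIDs and addresses in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ss -tnp` output on a pivot host; not real data.
SAMPLE_SS = """\
LISTEN 0 5   0.0.0.0:8080     0.0.0.0:*         users:(("socat",pid=4120,fd=5))
ESTAB  0 0   10.10.1.5:8080   10.10.1.200:51522 users:(("socat",pid=4131,fd=5))
ESTAB  0 0   10.10.16.5:43210 10.10.16.9:80     users:(("socat",pid=4131,fd=6))
LISTEN 0 128 0.0.0.0:22       0.0.0.0:*         users:(("sshd",pid=811,fd=3))
ESTAB  0 0   10.10.1.5:22     10.10.1.200:50001 users:(("sshd",pid=2201,fd=4))
"""

# State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=N))
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\S+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_ss(text):
    """Yield one dict per socket line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_relays(text):
    """Flag process names that both accept connections on a listening port
    and hold an outbound connection to another host: the listen-and-forward
    shape of a socat/ssh relay. Grouping by name (not PID) covers socat's
    forked children, which carry the per-connection sockets."""
    listens, inbound, outbound = defaultdict(set), defaultdict(list), defaultdict(list)
    socks = list(parse_ss(text))
    for s in socks:
        if s["state"] == "LISTEN":
            listens[s["proc"]].add(int(s["lport"]))
    for s in socks:
        if s["state"] != "ESTAB":
            continue
        if int(s["lport"]) in listens[s["proc"]]:
            inbound[s["proc"]].append(s)   # a client talking to the listener
        else:
            outbound[s["proc"]].append(s)  # ephemeral local port: outgoing leg
    findings = []
    for proc in listens:
        for i in inbound[proc]:
            for o in outbound[proc]:
                findings.append({"process": proc, "listen_port": int(i["lport"]),
                                 "client": i["paddr"],
                                 "forward_to": f'{o["paddr"]}:{o["pport"]}'})
    return findings

if __name__ == "__main__":
    for f in find_relays(SAMPLE_SS):
        print(f)
```

sshd is not flagged here because it only has inbound connections on its listening port; a `ssh -L` forward on the same host would show up as an extra outbound leg held by the ssh client process.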

SSH

# Local port forwarding
ssh -N -L $LOCAL_ADDRESS:$LOCAL_PORT:$REMOTE_ADDRESS:$REMOTE_PORT user@target

This requires an SSH server running on the target machine and valid user credentials.

Metasploit (meterpreter)

Metasploit (meterpreter) - Autoroute: any time we want to reach a machine in one of the specified networks, the traffic goes through the meterpreter session, which is used to connect to the targets.

# Find the subnet (the 2nd target host may be in another network)
ipconfig                     # IP: 19.9.29.148. Netmask: 255.255.240.0

# Add routes (the subnet is derived from the IP and netmask above)
run autoroute -s <subnet>    # E.g. run autoroute -s 19.9.16.0/20

# Display the active routing table
run autoroute -p

# Now you can scan through the route, e.g. with auxiliary/scanner/portscan/tcp

Note

  • Scanning with Metasploit is limited (it cannot discover software versions, etc.), so it is better to use nmap. To do that we need to perform port forwarding.
  • Since target_sys_2 does not have a route back to attacker_sys, use a bind payload when you run an exploit, e.g. windows/meterpreter/bind_tcp.

Port forwarding (meterpreter/metasploit)

# Forward a remote port to a local port. Here we want to scan port 80 on target 2
portfwd add -l 1234 -p 80 -r <target_sys_2_ip>

portfwd list
nmap -sV -sC -p 1234 localhost