Port Forwarding: ssh & chisel & meterpreter

ssh

SSH port forwarding (tunneling) carries TCP connections to or from a chosen port inside an existing SSH session. It is used to wrap an otherwise cleartext protocol in SSH's encryption and, when pivoting, to reach hosts that are only routable from the SSH server.

There are three main types of SSH port forwarding:

  1. Local Port Forwarding - A port on the client is forwarded, through the SSH server, to a host:port that the server can reach (the server itself or a machine on its network).
  2. Remote Port Forwarding - A port on the SSH server is forwarded back through the tunnel to a host:port that the client can reach.
  3. Dynamic Port Forwarding - The client listens as a SOCKS proxy; each proxied connection names its own destination, which the SSH server connects to.

If you only want the forwarding and no interactive shell, add the -N flag, which tells the SSH client not to request a remote command or shell; it is usually combined with -f so the client detaches once authentication is done.

Local Port Forwarding

Local port forwarding allows you to forward a local port to a specified port on a remote server. For example, if you want to forward your local port 8080 to port 80 on a remote server via SSH, you could do this:

ssh -L 8080:localhost:80 -N -f user@remotehost

Here:

  • -L 8080:localhost:80 indicates that local port 8080 is forwarded to port 80 on the SSH server. The host part is resolved by the server, so -L 8080:<internal-ip>:80 reaches a machine that only the server can see. The listener binds to the client's loopback unless you prefix a bind address (-L 0.0.0.0:8080:localhost:80); unlike -R, this needs no server-side setting.
  • -N indicates not to execute remote commands (i.e., not to open a remote shell).
  • -f puts the SSH client into the background once authentication is complete, so the tunnel keeps running without a terminal attached.

Remote Port Forwarding

Remote port forwarding is where a port on the SSH server is forwarded to a specified port on the local machine or another server. If you want to forward port 9090 on a remote server to port 9090 on your local machine, you can do this:

ssh -R 9090:localhost:9090 -N -f user@remotehost

Here:

  • -R 9090:localhost:9090 indicates that the remote server's port 9090 is forwarded to the local port 9090, where localhost now means the machine running the ssh command (or any host it can reach, e.g. -R 9090:<internal-ip>:9090). sshd binds the listener to its own loopback by default, so other hosts cannot use it without GatewayPorts (see the note below).
  • The other parameters are the same as local port forwarding.

Dynamic Port Forwarding

Dynamic port forwarding creates a SOCKS proxy server that you can use to proxy TCP connections. To start a SOCKS proxy server listening on a local port, the command is as follows:

ssh -D 1080 -N -f user@remotehost
# /etc/proxychains4.conf: socks4 127.0.0.1 1080
proxychains evil-winrm -i <ip> -u <username> -p <password>

Here:

  • -D 1080 indicates the creation of a SOCKS server on the local port 1080. OpenSSH speaks SOCKS4 and SOCKS5, so a socks5 line works in proxychains too. Only TCP is carried: ICMP and UDP (ping, nmap -sn or -sU) never traverse the proxy, so scan with nmap -sT -Pn through proxychains; when a tool hands the proxy a hostname (proxychains' proxy_dns), the SSH server does the lookup.
  • The other parameters are the same as above.
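The exchange that proxychains performs against the -D listener, as an added example that is not part of these notes or of OpenSSH. The small proxy in it stands in for the ssh client's SOCKS listener plus the SSH server's connect-and-relay step (the same relay the server performs for a -L forward), and an echo service stands in for the internal host; the function names (socks5_connect, start_server, fetch_via_socks, connect_to_closed_port) and the loopback setup are this example's own. It runs entirely offline, so it shows the bytes on the wire and the failure mode without a real pivot:

```python
# Added example (not from the original notes and not OpenSSH code): the SOCKS5
# CONNECT exchange proxychains performs against an "ssh -D" listener, with a stand-in proxy.
import socket
import struct
import threading
from contextlib import suppress

VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x00, 0x01, 0x01, 0x03
REP_OK, REP_HOST_UNREACH, REP_REFUSED = 0x00, 0x04, 0x05


def _recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL)      # fixed-width SOCKS fields: all n bytes, or short at EOF
    if len(buf) < n:
        raise ConnectionError("peer closed mid-handshake")
    return buf

def socks5_connect(proxy, dest_host, dest_port):
    """Client side (what proxychains does for the tool): returns a socket end-to-end with dest."""
    s = socket.create_connection(proxy)
    s.sendall(struct.pack("!BBB", VER, 1, NO_AUTH))          # greeting: one auth method offered
    if _recv_exact(s, 2) != bytes([VER, NO_AUTH]):           # server's method selection
        s.close()
        raise ConnectionError("proxy rejected the no-auth method")
    # DOMAINNAME address type: the proxy end resolves it, so DNS happens at the SSH server.
    host = dest_host.encode()
    s.sendall(struct.pack("!BBBBB", VER, CMD_CONNECT, 0, ATYP_DOMAIN, len(host))
              + host + struct.pack("!H", dest_port))
    _v, rep, _rsv, _atyp, _addr, _bport = struct.unpack("!BBBBIH", _recv_exact(s, 10))
    if rep != REP_OK:                                        # reply carries a zero IPv4 bind address
        s.close()
        raise ConnectionError(f"SOCKS CONNECT failed, REP=0x{rep:02x}")
    return s

def _pump(src, dst):
    """Relay one direction until EOF, then half-close dst so the far end sees the EOF too."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _socks_handler(conn):
    """Server side (the role sshd plays behind -D): parse CONNECT, dial out, relay both ways."""
    def reply(rep):                                          # VER REP RSV ATYP BND.ADDR BND.PORT
        conn.sendall(struct.pack("!BBBBIH", VER, rep, 0, ATYP_IPV4, 0, 0))
    with conn:
        _recv_exact(conn, _recv_exact(conn, 2)[1])           # skip the offered methods; no-auth only
        conn.sendall(struct.pack("!BB", VER, NO_AUTH))
        _v, _cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(conn, 4))
        if atyp == ATYP_IPV4:
            host = socket.inet_ntoa(_recv_exact(conn, 4))
        else:                                                # ATYP_DOMAIN: resolved on the proxy side
            host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        port = struct.unpack("!H", _recv_exact(conn, 2))[0]
        try:
            upstream = socket.create_connection((host, port))
        except OSError as err:                               # the tool gets a SOCKS code, not an errno
            return reply(REP_REFUSED if isinstance(err, ConnectionRefusedError) else REP_HOST_UNREACH)
        reply(REP_OK)
        back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
        back.start()
        _pump(conn, upstream)                                # client -> target until client EOF
        back.join()                                          # target -> client has drained too
        upstream.close()

def start_server(handler):
    """Threaded loopback listener on an ephemeral port; returns its (host, port)."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen()
    def accept_loop():
        while True:
            threading.Thread(target=handler, args=(ls.accept()[0],), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()

def fetch_via_socks(payload):
    """Loopback run: send payload to an echo target through the proxy and return the echo."""
    target = start_server(lambda c: _pump(c, c))            # echo service: stand-in for an internal host
    s = socks5_connect(start_server(_socks_handler), "localhost", target[1])
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                               # done sending; drain the echoed reply
    out = b"".join(iter(lambda: s.recv(4096), b""))
    s.close()
    return out

def connect_to_closed_port():
    """Failure mode: the server-side connect error comes back as a REP code before any data."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                                            # nothing listens on that port now
    try:
        socks5_connect(start_server(_socks_handler), "127.0.0.1", port)
    except ConnectionError as err:
        return str(err)
```

Two things it makes visible: the destination travels inside the SOCKS request, so the SSH server, not the local tool, performs the connect and any name resolution; and a connection failure on the server side comes back as a REP code before any application data, which is why a scan through proxychains sees closed ports as SOCKS errors rather than TCP resets, and why only full connects (-sT) work through it.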

Note: forwarding must be permitted by the SSH server's configuration (usually /etc/ssh/sshd_config). AllowTcpForwarding governs it (default yes; local or remote allow only that direction, and -D counts as local), DisableForwarding yes turns off every kind, and PermitOpen/PermitListen can restrict the destinations of -L/-D forwards and the ports of -R forwards. A remote forward is bound to the server's loopback unless GatewayPorts is yes or clientspecified. On the server, sshd -T dumps the effective configuration (it needs root); remember that sshd takes the first value of a repeated keyword, not the last, and that Match blocks can change any of these per user or source address.
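As an added example (not from the original notes), a small checker for the directives the note refers to, run against a constructed sshd_config excerpt; the function names, the sample file and the 10.0.0.5 addresses in it are this example's own. sshd -T prints the authoritative effective configuration, but it needs root on the server, which you may not have on a pivot:

```python
# Added example, not from the original notes: read an sshd_config and report which
# kinds of forwarding it actually permits. Two sshd quirks matter: the FIRST value of
# a repeated keyword wins (the opposite of most configs), and anything below a Match
# line applies only to matching connections. The sample config below is constructed.
import re
import sys

DEFAULTS = {                        # sshd_config(5) defaults for forwarding-related keywords
    "allowtcpforwarding": "yes",    # yes | no | local | remote ("all" means yes)
    "gatewayports": "no",           # no | yes | clientspecified
    "disableforwarding": "no",      # yes disables every kind of forwarding
    "permitopen": "any",            # destinations a -L/-D forward may connect to
    "permitlisten": "any",          # ports a -R forward may bind on the server
}
LINE = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)")   # "Keyword value" or "Keyword=value"


def effective_forwarding_policy(config_text):
    """Top-level effective values (first occurrence wins) plus a has_match_blocks flag."""
    policy = dict(DEFAULTS)
    seen, has_match = set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":           # everything after the first Match is conditional
            has_match = True
            break
        if key in policy and key not in seen:
            seen.add(key)            # sshd ignores later duplicates, so ignore them too
            policy[key] = value if key.startswith("permit") else value.lower()
    policy["has_match_blocks"] = has_match
    return policy


def forwarding_allowed(policy, kind):
    """kind: 'local' (-L), 'dynamic' (-D, which sshd treats as local) or 'remote' (-R)."""
    if policy["disableforwarding"] == "yes":
        return False
    atf = policy["allowtcpforwarding"]
    if kind in ("local", "dynamic"):
        return atf in ("yes", "all", "local")
    if kind == "remote":
        return atf in ("yes", "all", "remote")
    raise ValueError(f"unknown forwarding kind: {kind}")


# Constructed sample (not a real host's file) showing the first-value-wins trap.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding local
GatewayPorts no
# sshd ignores this later duplicate; most other config formats would honour it
AllowTcpForwarding yes
PermitOpen 10.0.0.5:443 10.0.0.5:80

Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    # Usage: python3 <this file> [/etc/ssh/sshd_config]; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    pol = effective_forwarding_policy(text)
    for kind in ("local", "dynamic", "remote"):
        print(f"{kind:8} {'allowed' if forwarding_allowed(pol, kind) else 'blocked'}")
    print("GatewayPorts:", pol["gatewayports"], "| PermitOpen:", pol["permitopen"],
          "| Match blocks present:", pol["has_match_blocks"])
```

On the sample, -L and -D are allowed and -R is blocked, because the first AllowTcpForwarding line says local and the later yes is ignored; the Match block at the end could still change the answer for user backup, which is why the function reports top-level values only and flags that such blocks exist.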

ssh command line

$ ~C
ssh> -L 8080:localhost:80

To use this, press Enter first and then type ~C, so that ~ is the first character on a line: the escape is only recognized there, and only in an interactive session with a terminal (a tunnel started with -N has no input to type it into). This opens a small SSH command line with an ssh> prompt where you can enter commands such as:

  • -L [bind_address:]port:host:hostport: Add local port forwarding.
  • -R [bind_address:]port:host:hostport: Add remote port forwarding.
  • -D [bind_address:]port: Add dynamic port forwarding (SOCKS proxy).
  • -KL [bind_address:]port: Cancel local port forwarding.
  • -KR [bind_address:]port: Cancel remote port forwarding.
  • -KD [bind_address:]port: Cancel dynamic port forwarding.
After the ssh> prompt, entering -L 8080:localhost:80 adds a forward from port 8080 on your local machine to port 80 on the SSH server, exactly as the command-line flag would, without reconnecting.

If typing ~C inside a session prints "commandline disabled", the client has the escape command line switched off. Since OpenSSH 9.2 this is the default: the ~C command line is controlled by the client option EnableEscapeCommandline, which defaults to no precisely because it lets anyone at the terminal add forwards to a running session.

To turn it on, start the client with -o EnableEscapeCommandline=yes, or put EnableEscapeCommandline yes in ~/.ssh/config (or /etc/ssh/ssh_config) for that host. EscapeChar none is a different setting: it disables every escape sequence, so ~C is then simply sent to the remote shell as text and no message appears.

If you cannot change the client configuration, the usual fallback is a second ssh invocation carrying the extra -L/-R/-D, or, when the session was started with ControlMaster and a ControlPath, adding the forward from another terminal with ssh -O forward and the same -L/-R/-D arguments against the existing connection.

chisel

chisel server side

Chisel has a server and a client. For pivoting you run the server on your attacking machine (it must be reachable from the pivot, usually on a port the pivot can reach outbound) and the client on the compromised pivot, which can reach the internal service you want. Traffic rides a single HTTP/WebSocket connection from client to server, which is why it works where ssh is not available or not permitted.

To start the server, the command is as follows:

./chisel server --port 8080 --reverse

This command starts a Chisel server listening on port 8080 that permits clients to open reverse tunnels, i.e. to have the server bind listeners on your machine. Anyone who can reach port 8080 could do the same, so run it with --auth user:pass (the client supplies the same --auth) and have clients pin the server key with --fingerprint, using the fingerprint the server prints at startup.

chisel client side

On the pivot you need the Chisel binary as well: it is a single static Go binary, so copy the build for the pivot's OS and architecture over with whatever file transfer you already have.

Assuming the internal service runs on target-machine port target-port (both as seen from the pivot) and you want to reach it as local-port on the machine running the Chisel server, the client command on the pivot is:

./chisel client server-address:server-port R:local-port:target-machine:target-port

The R: prefix marks a reverse tunnel: the Chisel server opens local-port on your side, and every connection to it is carried back through the client, which connects to target-machine:target-port from the pivot's network. Unlike ssh, Chisel binds that listener on all interfaces by default; write R:127.0.0.1:local-port:target-machine:target-port to keep it on loopback. For a pivot into a whole subnet rather than one service, R:socks makes the server open a SOCKS5 listener (port 1080 by default) that proxychains can use exactly like an ssh -D proxy.

meterpreter

The portfwd function allows attackers to forward network traffic within a Meterpreter session, enabling access to services on the target network that are normally inaccessible. This feature is particularly useful during penetration tests and system security assessments when attackers need to access restricted or internal services on a network.

portfwd add opens a listener on the attacker's machine (the host running the Metasploit console) and carries every connection to it through the Meterpreter session, so the traffic leaves the compromised host towards a system that only it can reach. The attacker then points local tools at that listener as if the internal service were local.

portfwd add -l [local port] -p [target port] -r [target address]

The add command listens on local port -l on the attacker's machine and forwards all traffic, via the compromised host, to target address -r on target port -p, with -r interpreted from the compromised host's point of view. portfwd list shows the active forwards, and portfwd delete (with the same -l/-p/-r, or -i and the index from the list) removes one. Adding -R reverses the direction: the listener is opened on the compromised host instead, with -p the port to listen on there and -l/-L the port and host on the attacker's side to deliver to. As with ssh -D and chisel, only TCP is carried.