# port forwarding

## meterpreter port forwarding:

```bash
portfwd list
portfwd [add | delete] -l LOCAL_PORT -p TARGET_PORT -r TARGET_IP
portfwd flush # to remove all port-forwarding
```

## ssh port forwarding:

* `-f`: background shell, to give shell back
* `-N`: only setup connect, no commands are to be run

### Forward connections (outgoing)

```bash
# for connecting to remote port via localhost (-L) (outgoing)
ssh -L KALI-IP:KALI-PORT:localhost:TARGET-PORT TARGET-USER@TARGET-IP
```

### Reverse connections (incoming)

#### authorized\_keys file

```bash
from="IP",command="echo 'This account can only be used for Port Forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty <SSH-PUBLIC-key>
```

#### Command

```bash
# for allowing a connecting to your port from outside (incoming)
ssh -fN -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -R KALI-IP:KALI-PORT:localhost:TARGET-PORT -i <id_rsa> KALI-USER@KALI-IP

# -N: not running commands
# -f: go to background
# UserKnownHostsFile=/dev/null & StrictHostKeyChecking=no will not ask kali password; not safe to enter password on target.
```

## chisel port forwarding

### Remote Port Forward

```bash
# server on kali
chisel server -p 8000 --reverse

# client on target
chisel client KALI_IP:8000 R:KALI_LISTENING_PORT:TARGET_IP:TARGET_PORT_FORWARD [-v]
ex. chisel.exe client 10.10.16.161:9000 R:8989:127.0.0.1:8888
# chisel server is 10.10.16.161:9000
# any requests to kali:8989 ==> target:8888
```

### Local Port Forward

```bash
# server on target
chisel server -p 8000

# client on kali
chisel client TARGET_IP:8000 KALI_PORT:TARGET_IP:TARGET_PORT [-v]
```

* [0xdf's guide to using chisel](https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html)

## plink.exe

```bash
# /usr/share/windows-binaries/plink.exe
plink.exe kashz@IP -R <remote-port>:localhost:<local-port>
```

## socat port forwarding

```bash
# listen on PORT1,bind to IP1 and route to IP2:PORT2
socat tcp-l:PORT1,fork,reuseaddr,bind=IP1 tcp:IP2:PORT2
```

## Socket Check:

```bash
ss FLAG
```

| flag | description              |
| ---- | ------------------------ |
| -t   | TCP sockets              |
| -u   | UDP sockets              |
| -l   | Listening sockets only   |
| -p   | Process using the socket |
| -n   | No DNS resolution        |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kashz.gitbook.io/kashz-jewels/tricks/port-forwarding.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.