💎
kashz-jewels
  • kashz jewels
  • about kashz
  • oscp exam review
  • pnpt exam review
  • certification exam
  • c2 frameworks
  • kashz-kali
  • OS-LINUX
    • basic
    • linux-enumeration
      • enumeration auto
      • enumeration manual
    • linux-privilege-escalation
      • socat shells
      • sudo su styles
      • dirtyc0w
  • OS-WINDOWS
    • basic
    • windows-enumeration
      • enumeration auto
      • enumeration manual
      • enumeration tools
    • windows-privilege-escalation
      • privesc tools
      • steal NTLM creds
      • socat shells
      • beef browser exploitation
    • windows-post-exploitation
      • dump SAM SYSTEM
      • RDP tools
    • windows-bypass-uac
      • fodhelper
    • windows meterpreter
  • SHELLCODES
    • shells
    • windows shells
  • ACTIVE-DIRECTORY
    • active directory 101
    • kerberos 101
    • asrep roasting
    • kerberoasting
    • powerview.ps1
    • ad module
    • bloodhound
    • golden silver passing ticket
    • group policy management
    • dcsync
    • kerberos backdoor
    • mitm6
    • smb relay ntlmrelayx
    • responder
    • zero logon exploit
    • untested tools
  • OSINT
    • osint
  • BUFFER OVERFLOW GUIDE
    • exploit.py
    • fuzzer.py
    • methodology
  • HASH-n-CRACK
    • crackmapexec
    • hash identifier
    • hashcat
    • hydra
    • john the ripper
    • medusa
    • ncrack
    • rsa
  • TRICKS
    • .mdb file
    • 403 forbidden waf bypass
    • archive, unarchive
    • asp.net server
    • awscli
    • bash scripting
    • bypass bash restrictions
    • curl
    • ffuf wfuzz feroxbuster gobuster
    • file modification
    • git commands
    • git repo analysis
    • http request smuggling
    • json web token (jwt)
    • kali exploit compilation
    • kali multi-network adapters
    • local discovery
    • login bypass
    • magic bytes
    • nmap
    • office document analysis and exploitation
    • openvpn
    • pgp gpg cheatsheet
    • php wrappers, LFI
    • port forwarding
    • port knocking
    • post upload file
    • share files
    • ssh tunnel
    • subnet scan
    • ssh
    • wget
    • wifi
    • windows AppLocker bypass
    • wordlists
    • xss steal cookie
  • PROTOCOLS
    • dns :53
    • epmd :4369
    • ftp :21
    • ident :113
    • imap :143 :993
    • ipsec ike-vpn :500/udp
    • irc
    • ldap :389 :636 :3268 :3269
    • rpc
    • smb :135 :139 :445
    • smtp :25
    • subversion svn :3690
    • tftp :69
  • ATTACKS
    • .hta exploit
    • network scripts
    • print nightmare
    • ssrf
    • xml external entity XXE
  • CHEATSHEET
    • docker
    • drupal
    • gitlab rails
    • impacket guide
    • itemir/apache2fa
    • jenkins
    • jinja2 flask template injection
    • mimikatz
    • powershell
    • redis
    • sqli oracle odat
    • sqli basic
    • sqli influxql
    • sqli mongo
    • sqli ms-sql
    • sqli mysql
    • sqli oracle-sql
    • sqli postgres-sql
    • telnet
    • webdav
    • wordpress
  • SERVICES
    • achat
    • adminLTE
    • adminer.php
    • comment system
    • amanda
    • apache
    • apache exploits
    • apphp microblog
    • arj
    • azure cloud
    • b2evolution
    • bigtree cms
    • bludit cms
    • booked scheduler
    • cacti
    • centreon
    • chef knife
    • cloudMe
    • cms made simple
    • cmsmini
    • coldfusion
    • corehttp
    • cs cart
    • cse online bookstore
    • cuppa cms
    • cutenews cms
    • distccd (DistCC Daemon)
    • docker
    • dolphin2 cms
    • dosbox
    • drupal
    • elastic freepbx
    • elasticsearch kibana
    • epmd
    • exim
    • fail2ban
    • ftp exploits
    • fudforum
    • gitlab community edition
    • gunicorn
    • gym management system
    • h2 database
    • hp power manager
    • iis
    • james remote admin tool
    • jenkins exploits
    • katris
    • koken cms
    • ladon framework
    • laravel
    • lxd
    • magento
    • manage engine applications manager
    • manage engine service desk plus
    • mantis bugtracker
    • monstra cms
    • msfvenom apk
    • mysql exploit
    • nagios xi
    • network video monitoring system
    • nextcloud
    • nginx
    • nodebb
    • nostromo
    • nsclient
    • nsupdate
    • openNetAdmin ona
    • opendocman
    • openemr
    • opensmtpd
    • osclass
    • orient-db-server
    • otrs open ticket request system
    • ovidentia
    • pfsense
    • php file vault
    • php powerbrowse
    • php
    • phpliteadmin
    • phpmyadmin
    • phreebooks bizuno
    • plantronics hub
    • postfix smtp
    • postgres
    • python2 python3
    • quick cms
    • rabbitmq
    • raspAP
    • rconfig management
    • redis exploits
    • rejetto httpfileserver
    • remote-mouse
    • responsive filemanager
    • saltstack
    • sendmail
    • simple php photo gallery
    • small crm
    • smartermail
    • smartstore.net
    • smb exploits
    • sonatype nexus
    • splunk universal forwarder
    • ssh exploits
    • strapi cms
    • subrion cms
    • sudo
    • teamviewer
    • tmux
    • tomcat
    • umbraco
    • unifi video
    • unreal irc
    • usbcreator
    • vtiger crm
    • webcalendar
    • webmin :10000
    • werkzeug httpd
    • windows UsoSvc service
    • windows exploits
    • windows iot core
    • windows token exploits
    • wise care 365, wisebootassistant
    • wordpress plugin exploits
    • xampp
    • yaml
    • yum
    • zabbix
    • zenphoto cms
    • zookeeper exhibitor
Powered by GitBook
On this page
  • meterpreter port forwarding:
  • ssh port forwarding:
  • Forward connections (outgoing)
  • Reverse connections (incoming)
  • chisel port forwarding
  • Remote Port Forward
  • Local Port Forward
  • plink.exe
  • socat port forwarding
  • Socket Check:

Was this helpful?

  1. TRICKS

port forwarding

meterpreter port forwarding:

portfwd list
portfwd [add | delete] -l LOCAL_PORT -p TARGET_PORT -r TARGET_IP
portfwd flush # to remove all port-forwarding

ssh port forwarding:

  • -f: background shell, to give shell back

  • -N: only setup connect, no commands are to be run

Forward connections (outgoing)

# for connecting to remote port via localhost (-L) (outgoing)
ssh -L KALI-IP:KALI-PORT:localhost:TARGET-PORT TARGET-USER@TARGET-IP

Reverse connections (incoming)

authorized_keys file

from="IP",command="echo 'This account can only be used for Port Forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty <SSH-PUBLIC-key>

Command

# for allowing a connecting to your port from outside (incoming)
ssh -fN -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -R KALI-IP:KALI-PORT:localhost:TARGET-PORT -i <id_rsa> KALI-USER@KALI-IP

# -N: not running commands
# -f: go to background
# UserKnownHostsFile=/dev/null & StrictHostKeyChecking=no will not ask kali password; not safe to enter password on target.

chisel port forwarding

Remote Port Forward

# server on kali
chisel server -p 8000 --reverse

# client on target
chisel client KALI_IP:8000 R:KALI_LISTENING_PORT:TARGET_IP:TARGET_PORT_FORWARD [-v]
ex. chisel.exe client 10.10.16.161:9000 R:8989:127.0.0.1:8888
# chisel server is 10.10.16.161:9000
# any requests to kali:8989 ==> target:8888

Local Port Forward

# server on target
chisel server -p 8000

# client on kali
chisel client TARGET_IP:8000 KALI_PORT:TARGET_IP:TARGET_PORT [-v]

plink.exe

# /usr/share/windows-binaries/plink.exe
plink.exe kashz@IP -R <remote-port>:localhost:<local-port>

socat port forwarding

# listen on PORT1,bind to IP1 and route to IP2:PORT2
socat tcp-l:PORT1,fork,reuseaddr,bind=IP1 tcp:IP2:PORT2

Socket Check:

ss FLAG
flag
description

-t

TCP sockets

-u

UDP sockets

-l

Listening sockets only

-p

Process using the socket

-n

No DNS resolution

Previousphp wrappers, LFINextport knocking

Last updated 3 years ago

Was this helpful?

0xdf's guide to using chisel