Port forwarding is a technique that allows us to redirect a communication request from one port to another.

ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
The -L option tells the SSH client to ask the SSH server to forward all data we send to local port 1234 to localhost:3306 on the Ubuntu server. By doing this, we should be able to access the MySQL service locally on port 1234.
We can confirm this with netstat or Nmap:
netstat -antp | grep 1234
nmap -v -sV -p1234 localhost
Similarly, if we want to forward multiple ports from the Ubuntu server to our localhost, we can do so by including the local port:server:port argument in the ssh command.
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64
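
A defender-side version of the netstat check above, as an added example that is not part of the original page: it lists listening sockets owned by the ssh client, which is how -L forwards appear on the host that started them. The sample output, its PIDs, the address 10.10.14.18 and port 9050 are constructed.

```shell
#!/bin/sh
# Added example: from `netstat -antp` output on stdin, list TCP listeners
# owned by the ssh client, which is how an active -L forward appears.

# Constructed sample output (not captured from a real host); 10.10.14.18,
# the PIDs and port 9050 are made up for illustration.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      915/sshd: /usr/sbin
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4034/ssh
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      4034/ssh
tcp        0      0 0.0.0.0:9050            0.0.0.0:*               LISTEN      4102/ssh
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 10.10.14.18:51344       10.129.202.64:22        ESTABLISHED 4034/ssh
tcp6       0      0 ::1:1234                :::*                    LISTEN      4034/ssh
EOF
}

# Prints "PID PORT BIND_ADDRESS SCOPE" per forward. Only a program named
# exactly "ssh" matches, so the sshd daemon ("915/sshd:") is skipped.
# SCOPE is "exposed" when the listener is reachable from other hosts.
find_ssh_forwards() {
  awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /^[0-9]+\/ssh$/ {
      split($7, proc, "/")                  # proc[1] is the PID
      port = $4; sub(/.*:/, "", port)       # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
      scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
      print proc[1], port, addr, scope
    }' | LC_ALL=C sort -u
}

# Stand-alone run on the sample; on a live host: netstat -antp | find_ssh_forwards
sample_netstat | find_ssh_forwards
```
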
Now, if you type ifconfig on the Ubuntu host, you will find that this server has multiple NICs:
ens192, ens224 and lo.
To scan the network 172.16.5.0/23 for services, we need to route the scan through an intermediate host that has access to that network, since our attack host doesn't have direct routes to it.
To do this, we will have to perform dynamic port forwarding and pivot our network packets via the Ubuntu server. We can do this by starting a SOCKS listener on our local host (personal attack host or Pwnbox) and then configuring SSH to forward that traffic to the network (172.16.5.0/23) after connecting to the target host. This is called SSH tunneling over a SOCKS proxy.
SOCKS stands for Socket Secure, a protocol that helps communicate with servers when firewall restrictions are in place. Unlike most cases, where you would initiate a connection directly to a service, with SOCKS the initial traffic is generated by a SOCKS client, which connects to the SOCKS server controlled by the user who wants to access a service on the client side. Once the connection is established, network traffic can be routed through the SOCKS server on behalf of the connected client.