hackervegas001
  • Introduction
  • oscp notes include Active Directory 2023
    • Active Directory
      • Enumeration
        • Traditional Approach
        • Currently Logged on Users
        • Powerview
          • Bypass AMSI
          • Domain User Enum
          • Domain Group Enumeration
          • Domain Computer and Server Enum
          • GPO and OU Enum
          • Domain Shares Enum
          • ACL Enum
        • ADRecon
        • BloodHound
      • Authentication
        • Password Hash Dumping
        • Service Account Attack Kerberoasting Attack
          • using mimikatz
          • using Rubeus
          • Using Impacket
        • AS-REP Roasting
        • Password Guessing
        • SAM for windows password
        • password/hash bruteforcing
      • Lateral Movement
        • Pass the hash
        • OverPass the hash
        • Silver Ticket Attack
        • Pass the hash attack
      • Persistence
        • Golden ticket attack
        • Domain Controller synchronization-Dumping all hashes
      • Misc
        • Login method
        • nt authority\system
    • Windows Priv Esc
      • important links
      • Enumeration
      • checking tools
        • winpeas
        • Windows exploit suggester
        • Sysinternals tools
        • Powerup
      • Escalation Path
        • UAC Bypass
        • Binary hijacking / Insecure file permissions
        • Unquoted Service path
        • kernel exploit
        • Potato attack (SEimpersonation)
          • Juicypotato
          • Printspoofer
          • JuicyPotatoNG
        • DLL/EXE Hijacking
        • Service Binary hijacking
        • Exploit msi file
    • Linux Priv Esc
      • Enumeration
      • Escalation path
        • Cron case
        • Editable /etc/passwd
        • kernel exploit
        • CP SUID
        • aria2c SUID
        • systemctl SUID
    • Commands
      • cut
      • awk
      • sed
    • Tools
      • Netcat
      • Powershell
      • Powercat
      • Nmap
      • nmblookup
      • smbclient
      • enum4linux
      • Nikto
      • Certutil (wget for windows)
      • msfvenom payload for powershell
      • iwr like wget for windows
      • ldapsearch
    • Enumeration
      • DNS Enumeration
      • Port Scanning
      • SMB Enumeration
      • NFS Enumeration
      • SMTP Enumeration
      • SNMP Enumeration
    • Web Applicaton Attacks
      • File Inclusion Vuln
      • sqli
      • misc
      • directory bruteforcing
    • files transfers
      • From Windows
      • To Windows
    • Antivirus Evasion
      • Using script in powershell
      • Using Shellter Tool
      • Veil tool
    • client side attacks
      • Exploiting Microsoft Office
        • Object Linking and Embedding
        • Macro
          • Macro Manually
          • Macro using Minitrue tool
      • Code execution via Windows Library Files
    • Port and Services
      • FTP 21
      • Pop3 110
      • smb 139 445
        • smb enumeration
          • SMB Enum
        • symlink traversal
      • SMTP 25 Enumeration
      • ssh 22
      • ms-sql 1433
      • tftp, udp port 69
      • snmp 161 udp
      • VNC PORT 5801 5901
      • UnrealIRCd IRC service
      • mysql 3306
    • Password Attacks
      • Standard Wordlist
      • Bruteforce Wordlist (Crunch)
      • Network Service Attack
        • Medusa tool
        • RDP attack using Crowbar
        • Hydra
      • Password Cracking
    • Port forwarding and Tunneling
      • Chisel (http Tunneling)
      • Port Forwarding with Rinetd tool
      • ssh Tunneling
        • Local Port Forwarding
        • Remote Port Forwarding
        • Dynamic Port Forwarding
      • Plink for windows
      • Netsh for windows
      • SShuttle
    • Misc
      • Port Scanning through script
      • Tty full interactive shell
      • rdp error
      • powershell ps1 reverse shell
      • updating wordpress cred via mysql
      • wordpress
        • updating wordpress cred via mysql
      • reverse shell via ssh
    • Powershell Empire
      • Listner, Stager and agent
      • Poweshell modules
        • selection
        • Credentials and privesc
        • lateral movement
  • 🖥️Enumeration
    • 🙂:)
      • Enumeration :)
        • FTP
          • Anonymous login
            • Default FTP Client
            • Web Browser
            • Filezilla
          • Insecure ACL (RW)
          • Dictionary Attack
        • SMB
          • SMB Null/Guest Session
            • smbmap
            • smbclient
            • impacket-smbclient
            • nmap
          • Dictionary Based Attack
            • crackmapexec
            • hydra
        • SSH
        • WinRM
        • RDP
        • SMTP
        • MYsql
        • NFS
        • SNMP
    • Exploitation
      • Windows Exploitation
      • Linux Exploitation
    • Buffer Overflow
    • Active Directory
      • Active Directory All Tools And Scripts
      • Active Directory Post Enumeration
      • Active Directory Post Exploitation
    • 🏁Writeups
      • cyberSecLabs
      • Hackthebox
        • Tjnull list
          • lame
          • brainfuck
      • Pg Play | Vulnhub
      • Pg practice
      • TryHackMe
      • To Do
Powered by GitBook
On this page
  1. oscp notes include Active Directory 2023
  2. Port forwarding and Tunneling
  3. ssh Tunneling

Remote Port Forwarding

PreviousLocal Port ForwardingNextDynamic Port Forwarding

Last updated 1 year ago

Remote Port Forwading

In case , we have shell to 172.65.0.5 but inbound ssh service is prohibited than we can tunnel by outbound ssh on attacker machine(172.80.0.1) to any vulnerable service on target like 192.162.1.2 on port 8080

  • Enable ssh on attacker machine systemctl start ssh

  • On compromised machine, here R is for remote ssh -R <attacker-local-port>:<target-ip>:<target-port> <user>@<attacker-ip> -fN ssh -R 8000:192.162.1.2:8080 -fN

  • To check if tunnelling is successful. On attacker machine ss -antp | grep "8080” sudo nmap -sS -sV 127.0.0.1 -p 8080

user@172.80.0.1