Practical Dynamic Port Forwarding
Imagine we have gained a foothold on our target network. We set up a SOCKS proxy/SSH tunnel, as we did in this post. Now, we want to perform further enumeration. How do we use our enumeration tools on our host machine through our SSH tunnel?
SSH Tunnel
In this example, we have access to a machine, 10.10.10.10, and we want to gather more information about the target network. We have discovered a web server in the target network on machine 172.0.0.1; this machine is not accessible from our host but is accessible from our Jump Box (10.10.10.10). We can create an SSH tunnel/SOCKS proxy to connect to the target machine (172.0.0.1) via our Jump Box.
Once we set up our SOCKS proxy, we can configure our browser settings to use the proxy, allowing us to view the website in the browser of our host machine.
We create a SOCKS proxy on port 7000 as follows:
ssh -i key.priv user@10.10.10.10 -D 7000
In Firefox, we must change our connection settings to use the SOCKS proxy by setting the SOCKS Host to localhost and port to 7000.
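Before pointing Firefox or Burp at port 7000 it is worth confirming that the tunnel itself works, since a misconfigured browser and a dead tunnel look identical from the browser side. The script below is an added example, not code from the original post: it performs the SOCKS5 handshake (RFC 1928) that the browser would perform against the `ssh -D` listener and reports the proxy's CONNECT reply. It assumes the proxy on 127.0.0.1:7000 and the target 172.0.0.1 from this post; the hostname `intranet.example` is a constructed placeholder. Hostnames are sent with the SOCKS5 domain-name address type so that the Jump Box, not our host, resolves them (the same behaviour as Firefox's "Proxy DNS when using SOCKS v5" setting), which matters when internal names are only resolvable from the Jump Box.

```python
"""SOCKS5 handshake check for an `ssh -D` tunnel (RFC 1928).

Added example, not code from the original post. Builds the client
messages a browser or Burp sends to the SOCKS port, parses the proxy's
replies, and reports whether a CONNECT through the tunnel succeeds.
"""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting():
    # VER=5, NMETHODS=1, METHODS=[no auth]; `ssh -D` offers no authentication.
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_reply(data):
    """Return the auth method the proxy selected, or raise if it refused."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method reply: %r" % (data,))
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("proxy rejected all offered auth methods")
    return data[1]


def connect_request(host, port):
    """CONNECT request. IP literals go as ATYP 1/4; anything else is sent
    as a domain name (ATYP 3) so the proxy side resolves it, not our host."""
    try:
        addr, atyp = socket.inet_pton(socket.AF_INET, host), ATYP_IPV4
    except OSError:
        try:
            addr, atyp = socket.inet_pton(socket.AF_INET6, host), ATYP_IPV6
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr, atyp = bytes([len(raw)]) + raw, ATYP_DOMAIN
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (reply code, bound address, bound port) from the proxy's reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated SOCKS5 reply")
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def check_tunnel(target_host, target_port, proxy=("127.0.0.1", 7000), timeout=5.0):
    """Full handshake against the SOCKS port; returns the reply as text."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        parse_method_reply(_recv_exact(s, 2))
        s.sendall(connect_request(target_host, target_port))
        head = _recv_exact(s, 4)  # VER REP RSV ATYP
        if head[3] == ATYP_IPV4:
            tail = _recv_exact(s, 4 + 2)
        elif head[3] == ATYP_IPV6:
            tail = _recv_exact(s, 16 + 2)
        else:
            n = _recv_exact(s, 1)
            tail = n + _recv_exact(s, n[0] + 2)
        rep, _, _ = parse_connect_reply(head + tail)
        return REPLY_TEXT.get(rep, "unknown reply %d" % rep)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "172.0.0.1"  # target from the post
    print("CONNECT %s:80 via SOCKS5 127.0.0.1:7000 -> %s" % (host, check_tunnel(host, 80)))
```

Run it as `python3 socks_check.py 172.0.0.1` once the `ssh -D 7000` session is up: "succeeded" means the Jump Box could open the TCP connection, while "connection refused" or "host unreachable" is the Jump Box telling us the web server, not the tunnel, is the problem. If the script cannot connect to 127.0.0.1:7000 at all, the SSH session has dropped and no browser setting will help.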
Burp Suite:
If we want to take a closer look at our web requests using a proxy like Burp Suite, we can configure the SOCKS proxy settings in Burp.
To configure the SOCKS proxy navigate to the User Options tab on the top menu bar:
Once you click on this tab, scroll to the bottom of the page, where you will see options to configure a SOCKS proxy. We want Burp to use our proxy on localhost (127.0.0.1) port 7000.
Now that Burp sends its traffic through the SOCKS connection, we need to change our browser settings once more so that the browser talks to Burp rather than directly to the SOCKS proxy. Burp, by default, listens on port 8080. We can use FoxyProxy to set an HTTP proxy on localhost port 8080, which points our browser to Burp.
The diagram below demonstrates the traffic flow. The browser sends its requests to Burp on port 8080; Burp forwards them to our SOCKS proxy on port 7000, which tunnels them through the Jump Box to the web server. The response travels back the same way: through the Jump Box to port 7000 on our host, then to Burp, which returns it to our browser.
SQLMap:
While investigating the web application, we discover that it is vulnerable to SQLi (SQL injection), and we want to run SQLMap against the web server. SQLMap is a powerful tool used to detect and exploit SQL injection. We can run sqlmap via our port forward as follows:
sqlmap --proxy=socks5://127.0.0.1:7000 -u http://172.0.0.1/targetpage
Even better, if we have been using Burp, we can save a valid request from Burp to a file and pass it to sqlmap using the -r flag. This allows us to easily reuse the valid credentials or session details in our SQLMap requests.
sqlmap --proxy=socks5://localhost:7000 -r <request_file>
Downloading Request from Burp
To download and save a request to a file in Burp, click on the request you wish to save, then click the actions tab or right-click to trigger the pop-up menu.