Sunday, October 15, 2017

SSH Tunneling (III): DYNAMIC port forwarding with PROXYCHAINS


- Layout for this exercise:

1 - Introduction

- Port forwarding via SSH (SSH tunneling) creates a secure connection between a local computer and a remote machine through which services can be relayed. 

- With dynamic port forwarding, connections are forwarded via the SSH client, then via the SSH server, and finally on to several destination servers.

- Dynamic port forwarding turns the SSH client into a SOCKS proxy server.

- SOCKS is a protocol for programs to request any Internet connection through a proxy server. 

- The -D 8080 option specifies dynamic port forwarding with 8080 as the SOCKS port.

- One of the most common uses for SOCKS is circumvention, allowing traffic to bypass internet filtering to access content that is otherwise blocked. 

- In our scenario we will use SOCKS to create a dedicated tunnel between Kali and the Windows Server 2008.

- Proxychains lets an application use the SOCKS tunnel: all data that the application would normally push out to the network by the usual means is instead piped through proxychains into the SOCKS tunnel, up to Windows Server 2008's internal interface.

2 - SSH Dynamic Port Forwarding

- In this scenario we assume that the intermediate Windows Server 2008 (two interfaces: and has been exploited by the attacker Kali Linux (

- As part of the post-exploitation step we will use the Windows Server 2008 machine as a proxy to attack the internal LAN (, for instance the Windows 7 ( machine.

- The ssh -D (dynamic) option binds the local port 8080:

- Running ssh with the -D option against the exploited Windows Server 2008 (whose credentials we therefore already know):

- Running ipconfig we learn that Windows Server 2008 has two Ethernet IP addresses, meaning that it is connected to the outside through and to the internal LAN through

3 - Proxychains

- Opening a new terminal, different from the one used for the SSH connection:

- Proxychains allows us to perform a port scan inside the internal LAN. To keep it simple, let's scan just port 3389 (RDP, Remote Desktop Protocol) on the first 10 hosts:

- We have discovered that there is an internal host running the RDP service on port 3389.

- Now, using proxychains again, let's run the rdesktop command against the internal host:

- The attack is eventually successful:

4 - Checking the ESTABLISHED connections 

- It is interesting to check how each of the hosts involved "sees" the connections.

- Kali Linux works on the SSH dynamic SOCKS port 8080, and it is also connected to port 22 of the Windows Server 2008 that acts as an SSH server:

- The Windows Server 2008 sees two connections: on one side the aforementioned one with Kali Linux, and on the other side a connection with Windows 7 on port 3389 (RDP):

- Finally, Windows 7 is only aware of its connection with Windows Server 2008, although it is actually Kali (the attacker) who is enjoying the Remote Desktop Connection session:
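The per-host view above points at a detection check for the intermediate host: with dynamic forwarding, the SSH server process itself holds the inbound SSH session and also originates the outbound RDP connection. The following Python script is an added example, not code from the post: it parses constructed `netstat -ano` output (all addresses, ports and PIDs are made up) and flags any PID that shows both sides of that pattern.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output as seen on the intermediate host.
# Addresses, ports and PIDs are made up for this example; they are not the post's.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:22          192.0.2.50:41822       ESTABLISHED     1488
  TCP    192.0.2.10:135         0.0.0.0:0              LISTENING       712
  TCP    10.10.10.10:49201      10.10.10.25:3389       ESTABLISHED     1488
  TCP    10.10.10.10:49187      10.10.10.40:445        ESTABLISHED     1992
"""

# Services an SSH server process has no business connecting out to on its own.
LATERAL_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 22: "SSH"}

LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+ESTABLISHED\s+(?P<pid>\d+)\s*$"
)

def parse_established(text):
    """Return one dict per ESTABLISHED TCP line of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"laddr": m["laddr"], "lport": int(m["lport"]),
                         "raddr": m["raddr"], "rport": int(m["rport"]),
                         "pid": int(m["pid"])})
    return rows

def find_pivots(text, ssh_port=22):
    """Flag PIDs that both hold an inbound SSH session and originate a connection
    to a lateral-movement port: the footprint of `ssh -D` forwarding through sshd."""
    by_pid = defaultdict(lambda: {"ssh_clients": [], "targets": []})
    for c in parse_established(text):
        if c["lport"] == ssh_port:                      # inbound SSH session
            by_pid[c["pid"]]["ssh_clients"].append(c["raddr"])
        elif c["rport"] in LATERAL_PORTS:               # outbound to an internal service
            by_pid[c["pid"]]["targets"].append(
                (c["raddr"], c["rport"], LATERAL_PORTS[c["rport"]]))
    return [{"pid": pid, **conns} for pid, conns in sorted(by_pid.items())
            if conns["ssh_clients"] and conns["targets"]]

if __name__ == "__main__":
    for f in find_pivots(SAMPLE_NETSTAT):
        print(f"PID {f['pid']}: SSH from {f['ssh_clients']} -> {f['targets']}")
```

On the sample, only PID 1488 is flagged: PID 1992 talks to SMB but holds no SSH session, so an ordinary client process does not trigger the check.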