RedTeamOperations/PivotSuite

Enable to work with the client for port forwarding

Opened this issue · 1 comment

noraj commented

If I try to establish local port forwarding:

If I run one of those three commands on the compromised machine:

$ pivotsuite -S -F --server-option=PF --server-ip=192.168.1.80 --server-port=8080
$ pivotsuite -S -F --server-option=PF --forward-ip=10.42.42.2 --forward-port=80 --server-ip=192.168.1.80 --server-port=8080
$ pivotsuite -S -F --server-option=PF --remote-ip=10.42.42.2 --remote-port=80 --server-ip=192.168.1.80 --server-port=8080

And then on the attacker machine:

$ pivotsuite -C -O PF -L --local-ip=127.0.0.1 --local-port=6666 --remote-ip=10.42.42.2 --remote-port=80 --server-ip=192.168.1.80 --server-port=8080

It displays as if it were working. But when I try to connect:

$ curl --head http://127.0.0.1:6666
curl: (7) Failed to connect to 127.0.0.1 port 6666: Connection refused

If I check with ss -nlp | grep 6666, no port is open on my machine.

I have done forwarding/tunneling hundreds of times with ssh, sshuttle, regeorg, neo-regeorg, chisel, rpivot, ncat, metasploit, tunna, etc. but can't make a simple local port forward work with PivotSuite.

noraj commented

I just figured out that PivotSuite has a "client" and a "server" but does not work as client-server software in Forward TCP Tunneling mode; you have to launch only the server.
It works as client-server only for the reverse mode.
That's very confusing.

So for local port forwarding you just have to launch the server and run curl --head http://192.168.1.80:8080 on the attacker side. But this exposes the port to the whole public network (192.168.X.X/24).
Can you please modify the code to allow the client to connect to the server in this case, so that traffic would be forwarded to the client, which could expose it locally? This would be more secure. This also means that the remote address could be specified on the client side and not on the server side.

Exactly how it works with SSH: you just run the server on the compromised machine and then you choose the forwarding technique on the client side.

$ ssh user@ssh_server -L [bind_address:]local_port:destination_host:destination_hostport
$ ssh noraj@192.168.1.80 -L 127.0.0.1:32000:10.42.42.2:80 -N
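The security point in the comment above is the bind address: a forward listener on 0.0.0.0 (as PivotSuite's server exposes on port 8080) is reachable by every host on that network segment, whereas the ssh -L form binds the listener to 127.0.0.1. The following is an added example, not part of the issue and not PivotSuite code, showing how a defender or operator can audit a host's listening sockets from the output of the same ss -nlp check used in the report and flag every listener bound to a wildcard address. The ss output embedded below is constructed to match the ss column layout and is not captured from a real host; the process names and PIDs in it are invented.

```python
import re

# Constructed sample in the shape of `ss -tlnp` output (not captured from a real host).
# The header locates the columns, so the `ss -nlp` variant with a leading Netid column
# is parsed the same way.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("pivotsuite",pid=4242,fd=3))
LISTEN  0       128     127.0.0.1:6666       0.0.0.0:*          users:(("ssh",pid=4243,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=900,fd=3))
LISTEN  0       4096    [::1]:631            [::]:*
"""

# Addresses that make a listener reachable from every interface on the host.
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "::1"}


def split_host_port(local):
    """Split the 'Local Address:Port' token; rpartition keeps bracketed IPv6 intact."""
    host, _, port = local.rpartition(":")
    return host, port


def classify(host):
    """Label how widely a bound address is exposed."""
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    if host in LOOPBACK_HOSTS:
        return "loopback"
    return "specific-interface"


def parse_listeners(ss_output):
    """Return one dict per LISTEN row: host, port, owning process (if shown), exposure."""
    lines = ss_output.splitlines()
    header = lines[0].split()
    # In ss output the header 'Local Address:Port' spans two tokens but the data row
    # holds a single token, so the index of 'Local' in the header is the data column.
    state_idx = header.index("State")
    local_idx = header.index("Local")
    listeners = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) <= local_idx or fields[state_idx] != "LISTEN":
            continue
        host, port = split_host_port(fields[local_idx])
        proc = re.search(r'\(\("([^"]+)"', line)  # users:(("name",pid=...,fd=...))
        listeners.append({
            "host": host,
            "port": int(port),
            "process": proc.group(1) if proc else None,
            "exposure": classify(host),
        })
    return listeners


def exposed_listeners(ss_output, ports=None):
    """Listeners bound to all interfaces, optionally restricted to ports of interest."""
    return [
        l for l in parse_listeners(ss_output)
        if l["exposure"] == "all-interfaces" and (ports is None or l["port"] in ports)
    ]


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host pipe `ss -tlnp` in instead.
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {l['port']} bound to {l['host']} by {l['process']}: reachable network-wide")
```

Run over the sample, the report names port 8080 (the forward listener) and port 22 as network-wide, while 6666 on 127.0.0.1 is only reachable locally, which is the difference between PivotSuite's server-side forward and the ssh -L binding above.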