Reverse Port Forwards
Reverse Port Forwarding allows a machine to redirect inbound traffic on a specific port to another IP and port. A useful implementation of this allows machines to bypass firewall and other network segmentation restrictions, to talk to nodes they wouldn't normally be able to. For example, we can use the console of Domain Controller 2 to demonstrate that it does not have any outbound access to our team server.
\
We know of course that Workstation 2 does - so we can create a reverse port forward to relay traffic between Domain Controller 2 and our team server.
\
This will bind port 8080 on Workstation 2.
\
Any traffic hitting this port will be tunnelled back to the team server over the C2 channel. The team server will then relay the traffic to the forward host/port, then send the response back over Beacon. Now, we can download the file via this port forward.
\
OPSEC
When the Windows firewall is enabled, it will prompt the user with an alert when an application attempts to listen on a port that is not explicitly allowed. Allowing access requires local admin privileges and clicking cancel will create an explicit block rule.
\
You must therefore create an allow rule before running a reverse port forward using either netsh or New-NetFirewallRule, as adding and removing rules does not create a visible alert.
\
Don't be lazy by disabling the firewall entirely.
\
You can delete a firewall rule later by its DisplayName.
Last updated