Port Forwarding on Linux

When port forwarding, we configure a host to listen on one port and relay all packets received on that port to another destination.

Simple Port Forwarding Scenario

During an assessment, we find a Linux web server running a version of Confluence vulnerable to CVE-2022-26134: a pre-authentication remote code execution issue. After exploiting this vulnerability and gaining a reverse shell on the server, we find that the server has two network interfaces: one attached to the same network our Kali machine is also on (which allowed us to route to it directly), and another on an internal subnet. In the Confluence configuration file, we also find credentials and the IP address and port for a PostgreSQL database instance on a server in that internal subnet. We want to use these credentials to gain access to the database and enumerate further.

On the CONFLUENCE01 machine, here is the network interface:

confluence@confluence01:/home$ ip addr
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:86:21:8b brd ff:ff:ff:ff:ff:ff
    inet 192.168.207.63/24 brd 192.168.207.255 scope global ens192
       valid_lft forever preferred_lft forever
5: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:86:63:35 brd ff:ff:ff:ff:ff:ff
    inet 10.4.207.63/24 brd 10.4.207.255 scope global ens224
       valid_lft forever preferred_lft forever

This output shows us that CONFLUENCE 01 has two network interfaces: ens192 and ens224. ens192 has the IP address 192.168.207.63 and ens224 has IP address 10.4.207.63.

Here are the routes:

confluence@confluence01:/home$ ip route
ip route
default via 192.168.207.254 dev ens192 proto static 
10.4.207.0/24 dev ens224 proto kernel scope link src 10.4.207.63 
192.168.207.0/24 dev ens192 proto kernel scope link src 192.168.207.63

This shows that we should be able to access hosts in the 192.168.207.0/24 subnet through the ens192 interface, as well as hosts in the 10.4.207.0/24 subnet through the ens224 interface.

After further enumeration on the machine we find some cleartext database credentials and the internal ip address of the database server. the CONFLUENCE01 machine does not have a PostgreSQL client installed on it and we are unable to install it as a low-privilege user.

On our attack machine, we have the PostgreSQL client psql, but we can't connect directly to the PGDATABASE01 machine from outside of the DMZ. In this scenario there is no firewall in place between CONFLUENCE01 and our attack machine, so we can bind ports on the WAN interface of CONFLUENCE01 and connecting to them from our attack machine.

We can create a port forward on CONFLUENCE01 that listens on a port on the WAN interface, then forward all packets received on this port to the PGDATABASE01 on the internal subnet using Socat.

Port Forwarding with Socat

Using the prior example,we want our machine straddling the DMZ (CONFLUENCE01) to listen on a port on the WAN interface and forward all packets received on this port to the machine on the internet network (PGDATABASE01).

We want to open TCP port 2345 on the WAN interface of CONFLUENCE01, then connect to that port from our kali machine. We want all the packets that we send to this port to be forwarded by CONFLUENCE01 to TCP port 5432 on PGDATABASE01. Once we set up our port forward, connecting to TCP port 2345 on CONFLUENCE01 will be exactly like connecting directory to TCP port 5432 on PGDATABASE01.

In most scenarios, socat does not tend to be installed by default on *NIX systems. If not already installed, it's possible to download and run a statically-linked binary version instead.

On CONFLUENCE01, we'll start a verbose (-ddd) Socat process. It will listen on TCP port 2345 (TCP-LISTEN:2345), fork into a new subprocess when it receives a connection (fork) instead of dying after a single connection, then forward all traffic it receives to TCP port 5432 on PGDATABASE01.

(Ports 0-1024 are privileged ports which can require elevated privileges to use it)

confluence@confluence01:/opt/atlassian/confluence/bin$ socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
<ocat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432   
2022/08/18 10:12:01 socat[46589] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2022/08/18 10:12:01 socat[46589] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2022/08/18 10:12:01 socat[46589] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
2022/08/18 10:12:01 socat[46589] I setting option "fork" to 1
2022/08/18 10:12:01 socat[46589] I socket(2, 1, 6) -> 5
2022/08/18 10:12:01 socat[46589] I starting accept loop
2022/08/18 10:12:01 socat[46589] N listening on AF=2 0.0.0.0:2345

the network is now set up like this:

Other Software for Port Forwarding

rinetd

another option that runs as a daemon. This makes it a better solution for longer-term port forwarding configurations, but is slightly unwieldy for temporary port forwarding solutions

Netcat and a FIFO named pipe file

combining Netcat and a FIFO named pip file can create port forwarding

iptables

if we have local root privileges, we can use iptables to create port forwards. The specific iptables port forwarding setup for a given host will depend on the configuration already in place. To be able to forward packets in Linux also requires enabling forwarding on the interface we want to forward on by writing "1" to /proc/sys/net/ipv4/conf/[interface]/forwarding