Port Forwarding

Overview

Port forwarding redirects traffic arriving on one port to another host and port, so that an internal service becomes reachable through a compromised pivot host. Unlike a SOCKS proxy, which relays connections to arbitrary destinations chosen by the client, a port forward maps one specific listening port to one specific remote address and port. Tools that are often already present on the pivot (netcat, iptables, Windows netsh, and socat where it is installed) can establish the forward without uploading additional software; note that socat is frequently absent from minimal installs, which is why static builds of it are carried separately.

ATT&CK Mapping

  • Tactic: TA0011 - Command and Control
  • Technique: T1090 - Proxy

Prerequisites

  • Shell access on the pivot host
  • Network route from pivot host to internal target

Techniques

socat

# socat
# https://github.com/3ndG4me/socat
# upstream project and manual: http://www.dest-unreach.org/socat/

# Forward local port 8080 to internal target port 80
# ,fork spawns a child per accepted connection so the listener survives multiple clients;
# without it socat serves exactly one connection and then exits
socat TCP-LISTEN:8080,fork TCP:<internal_target>:80

# ,reuseaddr lets the listener be restarted immediately after it exits (otherwise the port can
# sit in TIME_WAIT); TCP-LISTEN already binds all interfaces, add bind=<ip> to restrict it
socat TCP-LISTEN:8080,fork,reuseaddr TCP:<internal_target>:80

# UDP forwarding (listening below port 1024 requires root)
socat UDP-LISTEN:53,fork UDP:<internal_dns>:53

# Background (nohup keeps it alive if the shell that started it goes away)
nohup socat TCP-LISTEN:8080,fork TCP:<internal_target>:80 >/dev/null 2>&1 &

netcat Relay

# Simple relay using a named pipe: client data flows listener -> pipe -> target, and the FIFO
# carries the target's replies back into the listener's stdin. This serves a single connection
# and exits when either side closes (wrap it in "while true; do ...; done" to keep it up), and
# the -lvp form is traditional/GNU netcat syntax; OpenBSD nc and ncat take "nc -lv 8080".
# Remove the FIFO afterwards (rm /tmp/backpipe).
mkfifo /tmp/backpipe
nc -lvp 8080 < /tmp/backpipe | nc <internal_target> 80 > /tmp/backpipe
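The mechanism behind both the socat forward and the netcat relay above is a listener that accepts a client, opens a second connection to the target, and copies bytes in both directions until one side closes. The following is an added example, not code from this page or from the socat or netcat projects, that implements that relay in Python and shows the one practical difference between the two: socat's `,fork` keeps serving clients, while the single-shot netcat relay serves one connection and is then gone. The echo server, the loopback addresses and the probe payloads are constructed so the block runs offline; a real pivot would point `target_host`/`target_port` at the internal service.

```python
"""Minimal TCP port forwarder illustrating what
'socat TCP-LISTEN:8080,fork TCP:<target>:80' and the netcat FIFO relay do.
Hypothetical example code, not part of socat, netcat or this page."""
import socket
import socketserver
import threading


def _pump(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst so the far side sees EOF."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target_host, target_port):
    """Serve one accepted client: connect to the target and pump both directions."""
    try:
        upstream = socket.create_connection((target_host, target_port), timeout=5)
        upstream.settimeout(None)  # the timeout applies to connect only, not the relay
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(listen_host, listen_port, target_host, target_port, fork=True):
    """Listen on listen_host:listen_port and relay connections to target_host:target_port.
    fork=True mirrors socat's ',fork' (worker per client, listener stays up);
    fork=False mirrors the single-shot netcat relay (one client, then the listener closes).
    Returns the bound port (useful when listen_port is 0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's ',reuseaddr'
    srv.bind((listen_host, listen_port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            if fork:
                threading.Thread(target=_relay, args=(client, target_host, target_port),
                                 daemon=True).start()
            else:
                _relay(client, target_host, target_port)
                srv.close()  # like the nc relay: one connection and the listener is gone
                return

    threading.Thread(target=serve, daemon=True).start()
    return bound_port


class _Echo(socketserver.BaseRequestHandler):
    """Constructed stand-in for the internal target service: echoes what it receives."""
    def handle(self):
        while data := self.request.recv(4096):
            self.request.sendall(data)


def start_echo_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Echo)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def send_through(port, payload):
    """Connect to the forwarder's port, send payload, half-close, return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)


def demo(fork=True):
    """Forward an ephemeral local port to the echo server and count how many of three
    consecutive clients get their data back through it: 3 with fork, 1 without."""
    lport = start_forwarder("127.0.0.1", 0, "127.0.0.1", start_echo_server(), fork=fork)
    served = 0
    for i in range(3):
        payload = b"probe-%d" % i
        try:
            if send_through(lport, payload) == payload:
                served += 1
        except OSError:
            break
    return served


if __name__ == "__main__":
    print("clients served with fork:", demo(True), "without:", demo(False))
```

The half-close in `_pump` matters: shutting down only the write side when one direction hits EOF lets the other direction drain, which is what keeps request/response protocols intact through the relay. The `fork=False` path closes the listening socket after the first client, so the second probe is refused or reset, which is the behaviour a single `nc -lvp` relay exhibits.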

Windows netsh

:: Add port forwarding rule (requires admin). Rules persist across reboots: they are stored under
:: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and applied by the IP Helper service (iphlpsvc)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<internal_target>

:: List all port forwarding rules
netsh interface portproxy show all

:: Remove rule (listenaddress must match the value used when the rule was added)
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0

:: Windows Firewall blocks unsolicited inbound connections to the new listener by default; allow it
netsh advfirewall firewall add rule name="Port Forward 8080" dir=in action=allow protocol=tcp localport=8080

iptables (Linux)

# Enable IP forwarding (requires root; resets on reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Forward port 8080 to internal target: DNAT rewrites the destination on the way in, MASQUERADE
# rewrites the source on the way out so the target's replies come back through the pivot
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination <internal_target>:80
iptables -t nat -A POSTROUTING -p tcp -d <internal_target> --dport 80 -j MASQUERADE

# Needed if the FORWARD chain's policy is DROP (PREROUTING only sees traffic arriving from the
# network; connections made on the pivot itself to 127.0.0.1:8080 are not forwarded by this rule)
iptables -A FORWARD -p tcp -d <internal_target> --dport 80 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Remove the rules with -D rather than "iptables -t nat -F", which also discards any
# legitimate NAT configuration on the host
iptables -t nat -D PREROUTING -p tcp --dport 8080 -j DNAT --to-destination <internal_target>:80
iptables -t nat -D POSTROUTING -p tcp -d <internal_target> --dport 80 -j MASQUERADE
iptables -D FORWARD -p tcp -d <internal_target> --dport 80 -j ACCEPT
iptables -D FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Meterpreter Port Forwarding

# From a Meterpreter session
# Metasploit Framework
# https://github.com/rapid7/metasploit-framework

# Forward port 8080 on the attacker's machine to <internal_target>:80 through the session
# (no listener is opened on the pivot; the traffic rides the existing Meterpreter channel)
portfwd add -l 8080 -p 80 -r <internal_target>

# List forwards
portfwd list

# Remove forward
portfwd delete -l 8080 -p 80 -r <internal_target>

# Reverse port forward: opens port 4444 (-p) on the pivot host and relays anything that connects
# to it back to <attacker_ip>:4444 (-L/-l), so internal hosts can reach a listener on the attacker
portfwd add -R -l 4444 -p 4444 -L <attacker_ip>

Detection Methods

Network-Based Detection

  • Unusual port mappings: a flow arriving at the pivot on one port paired with a flow leaving it immediately toward a different host/port, with the pivot as the apparent source of the second flow
  • Traffic originating from a compromised host to internal targets it does not normally communicate with, in particular new client/server pairs appearing in NetFlow or Zeek conn logs

Host-Based Detection

  • netsh interface portproxy rules on Windows systems: process creation events (4688 / Sysmon event 1) with "netsh interface portproxy add" on the command line, and new values under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy (Sysmon event 13)
  • socat processes whose arguments pair a LISTEN address with a connect address, and nc started in listen mode (-l)
  • iptables NAT rules redirecting traffic (DNAT or REDIRECT targets in iptables-save output) and net.ipv4.ip_forward set to 1 on a host that is not meant to route
  • Listening ports that do not correspond to installed services (compare netstat -ano / ss -ltnp against a per-host baseline)
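The host-based indicators above are straightforward to check mechanically. The block below is an added example, not from this page, that runs the four checks over constructed samples of the relevant command output (`netsh interface portproxy show all`, `ps -eo pid,user,args`, `iptables-save -t nat`, `ss -ltnp`); the samples, the host names, the PIDs and the allowlist of expected listeners are all made up, and the column layout assumed for the netsh output is that of current Windows versions. In practice the samples would be replaced by the live command output and the allowlist by a per-host baseline.

```python
"""Host-based checks for port-forwarding artefacts, run over constructed sample output.
Added example, not from the page; every sample below is made up."""
import re

# Constructed sample of `netsh interface portproxy show all` on a pivot with one rule
NETSH_SAMPLE = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.10.20.5      80
"""

# Constructed sample of `ps -eo pid,user,args`
PS_SAMPLE = """\
  PID USER     COMMAND
 1337 www-data socat TCP-LISTEN:8080,fork,reuseaddr TCP:10.10.20.5:80
 1340 www-data nc -lvp 9090
 2001 root     /usr/sbin/sshd -D
 2044 www-data nginx: worker process
"""

# Constructed sample of `iptables-save -t nat`
IPTABLES_SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.20.5:80
-A POSTROUTING -j MASQUERADE
COMMIT
"""

# Constructed sample of `ss -ltnp`
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      16     0.0.0.0:8080       0.0.0.0:*         users:(("socat",pid=1337,fd=5))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=2001,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=2044,fd=6))
"""

_PORTPROXY_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")
_PROTO = r"(?:TCP|TCP4|TCP6|UDP|UDP4|UDP6)"
# socat address pair: a LISTEN address followed by a connect address
_SOCAT_FWD = re.compile(rf"\b{_PROTO}-LISTEN:\d+\S*\s+{_PROTO}:\S+:\d+", re.I)
# nc/ncat/netcat invoked with -l anywhere in its option clusters
_NC_LISTEN = re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-\w*l")
_SS_ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"', re.M)


def parse_portproxy(text):
    """Return the listen/connect pairs from netsh portproxy output; any rule at all is a
    finding on a host that is not meant to forward traffic."""
    rules = []
    for line in text.splitlines():
        m = _PORTPROXY_ROW.match(line)
        if m:
            rules.append({"listen": (m.group(1), int(m.group(2))),
                          "connect": (m.group(3), int(m.group(4)))})
    return rules


def find_forwarder_processes(ps_text):
    """Return (pid, command) for socat invocations pairing a LISTEN with a connect address,
    and for netcat started in listen mode."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            cmd = parts[2]
            if _SOCAT_FWD.search(cmd) or _NC_LISTEN.search(cmd):
                hits.append((int(parts[0]), cmd))
    return hits


def find_nat_redirects(iptables_save_text):
    """Return nat-table rules that rewrite destinations (DNAT/REDIRECT targets)."""
    return [line for line in iptables_save_text.splitlines()
            if line.startswith("-A") and re.search(r"-j (?:DNAT|REDIRECT)\b", line)]


def unexpected_listeners(ss_text, allowlist):
    """Return (port, process) listeners that are not in the host's allowlist."""
    return [(int(port), proc) for port, proc in _SS_ROW.findall(ss_text)
            if (int(port), proc) not in allowlist]


def run_checks():
    """Run every check over the samples; an empty dict means nothing suspicious."""
    allowlist = {(22, "sshd"), (80, "nginx")}  # constructed per-host baseline
    findings = {
        "portproxy": parse_portproxy(NETSH_SAMPLE),
        "processes": find_forwarder_processes(PS_SAMPLE),
        "nat": find_nat_redirects(IPTABLES_SAMPLE),
        "listeners": unexpected_listeners(SS_SAMPLE, allowlist),
    }
    return {name: items for name, items in findings.items() if items}


if __name__ == "__main__":
    for name, items in run_checks().items():
        print(name, items)
```

The socat pattern deliberately requires both a LISTEN address and a connect address, since socat is also used legitimately as a plain client or listener; the listener check is only as good as the allowlist, which is why it should be derived from a baseline taken per host rather than a global list.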

Mitigation Strategies

  • Restrict port forwarding capabilities: netsh portproxy and iptables both require administrative rights, so enforce least privilege on user and service accounts and alert on changes to the PortProxy registry key, to iptables NAT rules and to the ip_forward sysctl
  • Network segmentation: restrict which systems can reach internal targets so that a compromised workstation is not a usable pivot
  • Monitor for unexpected listeners: alert on new listening ports that do not match a host's baseline of installed services

References

Official Documentation

  • socat manual: http://www.dest-unreach.org/socat/doc/socat.html
  • Metasploit Framework: https://github.com/rapid7/metasploit-framework

MITRE ATT&CK

  • T1090 - Proxy: https://attack.mitre.org/techniques/T1090/