Pivoting

# SSH local port forwarding
ssh [email protected]_server -L [bind_address:]local_port:destination_host:destination_hostport
ssh [email protected] -L 127.0.0.1:32000:10.42.42.2:80 -N
​
​
# SSH reverse remote port forwarding
ssh [email protected]_server -R [bind_address:]remote_port:destination_host:destination_hostport
ssh [email protected] -R 192.168.2.105:15000:127.0.0.1:9999
​
# SSH dynamic port forwarding
ssh [email protected]_server -D [bind_address:]local_port
ssh [email protected] -D 127.0.0.1:12000 -N
​
# SSHUTTLE
# You can tunnel via ssh all the traffic to a subnetwork through a host.
# Example, forwarding all the traffic going to 10.0.0.1/24
pip install sshuttle
sshuttle -r [email protected] 10.0.0.1/24
​
# MSF
meterpreter > portfwd add -l 80 -r 172.16.0.0 -p 80
​
# Netcat
nc -l -p < port to listen on> 0<pivot | nc 1>pivot
# Ncat Http Proxy
ncat -vv --listen 3128 --proxy-type http
​
# Local Port2Port
#Local port 1521 accessible in port 10521 from everywhere
ssh -R 0.0.0.0:10521:127.0.0.1:1521 [email protected]
#Remote port 1521 accessible in port 10521 from everywhere 
ssh -R 0.0.0.0:10521:10.0.0.1:1521 [email protected] 
​
# Port2hostnet (proxychains)
# Local Port --> Compromised host(SSH) --> Wherever
ssh -f -N -D <attacker_port> <username>@<ip_compromised>
​
# Remote Port Forwarding
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 [email protected]
# Socks5 with SSH
ssh -N -D 127.0.0.1:8888 [email protected]
​
#SSH Dynamic Port Forwarding
ssh -N -D 127.0.0.1:1337 [email protected] -p 8888
​
# SSH graphical connection (X)
ssh -Y -C <user>@<ip> 
# <-Y is less secure but faster than -X>
​
# HTTP tunnel
# Port forwarding
chisel server -p 8080 --host 192.168.2.105 -v
chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80
# Reverse remote port forwarding
chisel server -p 8888 --host 192.168.2.149 --reverse -v
chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80