Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Pivoting
Overview of network pivoting and tunneling [2021 updated]
Rawsec
1
# SSH local port forwarding
2
ssh [email protected]_server -L [bind_address:]local_port:destination_host:destination_hostport
3
ssh [email protected] -L 127.0.0.1:32000:10.42.42.2:80 -N
4
​
5
​
6
# SSH reverse remote port forwarding
7
ssh [email protected]_server -R [bind_address:]remote_port:destination_host:destination_hostport
8
ssh [email protected] -R 192.168.2.105:15000:127.0.0.1:9999
9
​
10
# SSH dynamic port forwarding
11
ssh [email protected]_server -D [bind_address:]local_port
12
ssh [email protected] -D 127.0.0.1:12000 -N
13
​
14
# SSHUTTLE
15
# You can tunnel via ssh all the traffic to a subnetwork through a host.
16
# Example, forwarding all the traffic going to 10.0.0.1/24
17
pip install sshuttle
18
sshuttle -r [email protected] 10.0.0.1/24
19
​
20
# MSF
21
meterpreter > portfwd add -l 80 -r 172.16.0.0 -p 80
22
​
23
# Netcat
24
nc -l -p < port to listen on> 0<pivot | nc 1>pivot
25
# Ncat Http Proxy
26
ncat -vv --listen 3128 --proxy-type http
27
​
28
# Local Port2Port
29
#Local port 1521 accessible in port 10521 from everywhere
30
ssh -R 0.0.0.0:10521:127.0.0.1:1521 [email protected]
31
#Remote port 1521 accessible in port 10521 from everywhere
32
ssh -R 0.0.0.0:10521:10.0.0.1:1521 [email protected]
33
​
34
# Port2hostnet (proxychains)
35
# Local Port --> Compromised host(SSH) --> Wherever
36
ssh -f -N -D <attacker_port> <username>@<ip_compromised>
37
​
38
# Remote Port Forwarding
39
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 [email protected]
40
# Socks5 with SSH
41
ssh -N -D 127.0.0.1:8888 [email protected]
42
​
43
#SSH Dynamic Port Forwarding
44
ssh -N -D 127.0.0.1:1337 [email protected] -p 8888
45
​
46
# SSH graphical connection (X)
47
ssh -Y -C <user>@<ip>
48
# <-Y is less secure but faster than -X>
49
​
50
# HTTP tunnel
51
# Port forwarding
52
chisel server -p 8080 --host 192.168.2.105 -v
53
chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80
54
# Reverse remote port forwarding
55
chisel server -p 8888 --host 192.168.2.149 --reverse -v
56
chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80
Copied!
Post Exploitation - Previous
Linux
Next - Post Exploitation
Windows
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub