Pivoting

Last updated 3 years ago

Was this helpful?

# SSH local port forwarding ssh user@ssh_server -L [bind_address:]local_port:destination_host:destination_hostport ssh noraj@192.168.2.105 -L 127.0.0.1:32000:10.42.42.2:80 -N # SSH reverse remote port forwarding ssh user@ssh_server -R [bind_address:]remote_port:destination_host:destination_hostport ssh noraj@192.168.2.105 -R 192.168.2.105:15000:127.0.0.1:9999 # SSH dynamic port forwarding ssh user@ssh_server -D [bind_address:]local_port ssh noraj@192.168.2.105 -D 127.0.0.1:12000 -N # SSHUTTLE # You can tunnel via ssh all the traffic to a subnetwork through a host. # Example, forwarding all the traffic going to 10.0.0.1/24 pip install sshuttle sshuttle -r user@host 10.0.0.1/24 # MSF meterpreter > portfwd add -l 80 -r 172.16.0.0 -p 80 # Netcat nc -l -p < port to listen on> 0<pivot | nc 1>pivot # Ncat Http Proxy ncat -vv --listen 3128 --proxy-type http # Local Port2Port #Local port 1521 accessible in port 10521 from everywhere ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 # Port2hostnet (proxychains) # Local Port --> Compromised host(SSH) --> Wherever ssh -f -N -D <attacker_port> <username>@<ip_compromised> # Remote Port Forwarding ssh -N -R 10.10.1.1:4455:127.0.0.1:445 attacker@10.10.1.1 # Socks5 with SSH ssh -N -D 127.0.0.1:8888 admin@10.1.1.1 #SSH Dynamic Port Forwarding ssh -N -D 127.0.0.1:1337 user@remotehost -p 8888 # SSH graphical connection (X) ssh -Y -C <user>@<ip> # <-Y is less secure but faster than -X> # HTTP tunnel # Port forwarding chisel server -p 8080 --host 192.168.2.105 -v chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80 # Reverse remote port forwarding chisel server -p 8888 --host 192.168.2.149 --reverse -v chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80