Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Pivoting
Overview of network pivoting and tunneling [2021 updated]
Rawsec
# SSH local port forwarding
ssh [email protected]_server -L [bind_address:]local_port:destination_host:destination_hostport
ssh [email protected] -L 127.0.0.1:32000:10.42.42.2:80 -N
​
​
# SSH reverse remote port forwarding
ssh [email protected]_server -R [bind_address:]remote_port:destination_host:destination_hostport
ssh [email protected] -R 192.168.2.105:15000:127.0.0.1:9999
​
# SSH dynamic port forwarding
ssh [email protected]_server -D [bind_address:]local_port
ssh [email protected] -D 127.0.0.1:12000 -N
​
# SSHUTTLE
# You can tunnel via ssh all the traffic to a subnetwork through a host.
# Example, forwarding all the traffic going to 10.0.0.1/24
pip install sshuttle
sshuttle -r [email protected] 10.0.0.1/24
​
# MSF
meterpreter > portfwd add -l 80 -r 172.16.0.0 -p 80
​
# Netcat
nc -l -p < port to listen on> 0<pivot | nc 1>pivot
# Ncat Http Proxy
ncat -vv --listen 3128 --proxy-type http
​
# Local Port2Port
#Local port 1521 accessible in port 10521 from everywhere
ssh -R 0.0.0.0:10521:127.0.0.1:1521 [email protected]
#Remote port 1521 accessible in port 10521 from everywhere
ssh -R 0.0.0.0:10521:10.0.0.1:1521 [email protected]
​
# Port2hostnet (proxychains)
# Local Port --> Compromised host(SSH) --> Wherever
ssh -f -N -D <attacker_port> <username>@<ip_compromised>
​
# Remote Port Forwarding
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 [email protected]
# Socks5 with SSH
ssh -N -D 127.0.0.1:8888 [email protected]
​
#SSH Dynamic Port Forwarding
ssh -N -D 127.0.0.1:1337 [email protected] -p 8888
​
# SSH graphical connection (X)
ssh -Y -C <user>@<ip>
# <-Y is less secure but faster than -X>
​
# HTTP tunnel
# Port forwarding
chisel server -p 8080 --host 192.168.2.105 -v
chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80
# Reverse remote port forwarding
chisel server -p 8888 --host 192.168.2.149 --reverse -v
chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80
Post Exploitation - Previous
Linux
Next - Post Exploitation
Windows
Last modified 4mo ago
Export as PDF
Copy link
Edit on GitHub