Pivoting_Tunneling - TheGetch/Penetration-Testing-Methodology GitHub Wiki

Pivoting/Tunneling

SSH Tunneling

Note: the target must have SSH running for this to work.

  1. Create the SSH tunnel: ssh -D localhost:<local port> -f -N user@localhost -p <target port>
  2. Set up ProxyChains by editing its config file (/etc/proxychains.conf)
  3. Add the following line under the [ProxyList] section (the type keyword is lowercase): socks5 127.0.0.1 <local port>
  4. Run commands through the tunnel: proxychains <command>

sshuttle

Available in Kali.

Source: https://github.com/sshuttle/sshuttle


Meterpreter

Use only if you have a meterpreter shell and you need to pivot to another network.

Portfwd

  • meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80 (-l: local port to listen on, -r: remote host to forward to, -p: port on the remote host)

Autoroute

In Metasploit

  1. use post/multi/manage/autoroute
  2. Review the module options:

msf5 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

  3. set SESSION <meterpreter session id>
  4. run

Metasploit Socks Proxy

   #  Name                         Rank    Check  Description
   -  ----                         ----    -----  -----------
   1  auxiliary/server/socks4a     normal  No     Socks4a Proxy Server
   2  auxiliary/server/socks5      normal  No     Socks5 Proxy Server
   3  auxiliary/server/socks_unc   normal  No     SOCKS Proxy UNC Path Redirection


Ncat Http Proxy

  • ncat -vv --listen 3128 --proxy-type http

Ncat Port Forwarder

  1. Create a named pipe: mknod pivot p
  2. Relay the listener to the target through the pipe: nc -l -p <port to listen on> 0<pivot | nc <target host> <target port> 1>pivot

Plink Port Forwarder on Windows:

# plink in an interactive shell

plink.exe -ssh -L 0.0.0.0:4444:10.1.1.1:445 user@remotehost
plink.exe -ssh -R 10.10.1.1:4444:127.0.0.1:445 user@remotehost
plink.exe -ssh -D 127.0.0.1:8080 user@remotehost

# plink in a non-interactive shell (echo y answers the host-key prompt)

cmd.exe /c echo y | plink.exe -ssh -l admin -pw password -R 10.10.1.1:4444:127.0.0.1:445 remotehost

netsh local port forwarding:

netsh interface portproxy add v4tov4 listenaddress=10.1.1.1 listenport=4444 connectaddress=10.1.1.1 connectport=3306
netsh advfirewall firewall add rule name="4444_to_3306" protocol=TCP dir=in localip=127.0.0.1 localport=3306 action=allow

From https://werebug.com/pentest-cheatsheet/#port-forwarding


Cntlm

apt install cntlm
cntlm -u <user>@<domain> -I <upstream proxy host>:<upstream proxy port>
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128

Accessing with a browser:

chromium --proxy-server="http://127.0.0.1:3128"
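Both the ncat HTTP proxy above and the local Cntlm listener on 127.0.0.1:3128 tunnel TCP with the HTTP CONNECT method. The following is an added example, not code from the wiki or from either project: it encodes a CONNECT request the way a client (curl, a browser with --proxy-server) would, parses it the way the proxy does, and parses the proxy's status line on the client side. The hosts and ports used in the demo are constructed. The same parser is what you would run over a proxy access log to see which destinations were tunnelled.

```python
"""HTTP CONNECT tunnelling (RFC 7231, section 4.3.6) encoder/parser.

Added example, not from the wiki. It models the exchange between a client
and an HTTP proxy such as `ncat --proxy-type http` or Cntlm: the client asks
the proxy to open a raw TCP connection to host:port, the proxy answers with
a 200 status, and from then on bytes pass through untouched.
"""
import re

# host is either a bracketed IPv6 literal or a DNS name / IPv4 literal, then ":port"
_AUTHORITY = re.compile(r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def build_connect_request(host, port, proxy_auth=None):
    """Client -> proxy. proxy_auth is an optional Proxy-Authorization header value."""
    authority = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if proxy_auth:
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_request(raw):
    """Proxy side: return (host, port, headers) or raise ValueError."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line, *header_lines = head.decode("ascii", "strict").split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    m = _AUTHORITY.match(parts[1])
    if not m:
        raise ValueError(f"bad authority: {parts[1]!r}")
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    host = m.group("host").strip("[]")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return host, port, headers


def build_response(established, reason="502 Bad Gateway"):
    """Proxy -> client. 200 means the upstream TCP connection is open; anything else is a refusal."""
    if established:
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    return f"HTTP/1.1 {reason}\r\n\r\n".encode("ascii")


def parse_response_status(raw):
    """Client side: return the numeric status code from the proxy's status line."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "strict")
    m = re.match(r"^HTTP/1\.[01] (\d{3})(?: |$)", status_line)
    if not m:
        raise ValueError(f"bad status line: {status_line!r}")
    return int(m.group(1))


def simulate(host, port):
    """Run both ends in memory: what the proxy would connect to, and what the client sees."""
    request = build_connect_request(host, port)
    dst_host, dst_port, headers = parse_connect_request(request)
    response = build_response(established=True)
    return {"destination": (dst_host, dst_port), "headers": headers,
            "status": parse_response_status(response)}


if __name__ == "__main__":
    # Constructed destinations for the demo.
    print(simulate("10.1.1.1", 445))
    print(simulate("fe80::1", 22))
```

Note the difference from SOCKS: the destination travels in clear text in the request line, so an HTTP proxy log (or the ncat -vv output) records exactly which host:port each tunnel went to.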

netsh port forwarding

netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

Proxy Binaries for Windows

  • Windows 10 has SSH (thanks WSL!)
  • plink.exe (in Kali)


Dynamic Port Forwarding

ssh -N -D 127.0.0.1:1337 user@remotehost -p 22222

  • The -D means dynamic. 1337 is the port you proxy traffic through: with this you can set up a SOCKS proxy on your local machine that points at port 1337, and traffic sent to that port goes through the SSH connection and out of the remote host. -N is optional; it means do not execute a remote command. Specifying 127.0.0.1 is also optional, since the bind address defaults to 127.0.0.1.
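
What actually travels between proxychains (or any SOCKS client) and the `ssh -D` listener is the SOCKS5 handshake from RFC 1928, which is why the ProxyChains config above must say socks5. The following is an added example, not code from the wiki or from OpenSSH: it encodes and decodes the greeting, the CONNECT request and the reply, runs both sides in memory, and returns the destination the SSH client would open on the far side. The destination hosts in the demo are constructed. The same parser is useful for recognising a SOCKS5 handshake in a packet capture of a suspected pivot.

```python
"""Minimal SOCKS5 (RFC 1928) handshake encoder/decoder.

Added example, not from the wiki. Only the no-authentication method and the
CONNECT command are modelled, which is all a dynamic SSH forward speaks.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting(methods=(NO_AUTH,)):
    """Client -> proxy: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    """Proxy side: validate the greeting and return the offered methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    if len(data) != 2 + data[1]:
        raise ValueError("greeting length mismatch")
    return list(data[2:])


def build_method_selection(methods):
    """Proxy -> client: VER, METHOD (0xFF = no acceptable method)."""
    return bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def build_connect_request(host, port):
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:  # not an IP literal: send it as a domain name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy side: return (command, host, port) from a request, or raise ValueError."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("request length mismatch")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return cmd, host, port


def build_reply(success, bind_host="0.0.0.0", bind_port=0):
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT (REP 0x00 = succeeded)."""
    rep = 0x00 if success else 0x01  # 0x01 = general SOCKS server failure
    bound = ipaddress.IPv4Address(bind_host).packed
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bound + struct.pack("!H", bind_port)


def simulate_handshake(host, port):
    """Run both sides in memory; return the wire bytes and the parsed destination."""
    offered = parse_greeting(build_greeting())
    selection = build_method_selection(offered)
    if selection[1] != NO_AUTH:
        raise RuntimeError("no common authentication method")
    request = build_connect_request(host, port)
    cmd, dst_host, dst_port = parse_connect_request(request)
    reply = build_reply(cmd == CMD_CONNECT)
    return {"request_hex": request.hex(), "reply_hex": reply.hex(),
            "destination": (dst_host, dst_port)}


if __name__ == "__main__":
    # Constructed destinations for the demo.
    print(simulate_handshake("10.10.10.5", 445))
    print(simulate_handshake("intranet.example", 80))
```

The ATYP 0x03 branch is the reason `proxychains` resolution settings matter: with a domain-name request the name is resolved on the remote side of the tunnel, while an IPv4 request (ATYP 0x01) has already been resolved locally.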

Via PuTTY:

[Screenshot: PuTTY SSH tunnel configuration]


Port Forwarding

Local port forwarding

ssh -N -L 0.0.0.0:4455:10.1.1.1:445 user@remotehost

or

ssh -L 8080:localhost:8080 user@remotehost

The -L stands for local. The first 8080 is the port on your machine, the second 8080 is the port on the remote machine (they don't have to be the same port). After a successful SSH connection, if you request localhost:8080 (for example from your browser, if you're trying to reach a web server that only listens locally on the remote machine) that request is sent through the SSH tunnel to the remote host and you are able to connect to that remote service. In other words, whatever request you send to your localhost:8080 is forwarded to the remote machine's localhost:8080.
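
Every forwarder on this page (the ncat named-pipe relay, meterpreter portfwd, netsh portproxy, plink -L and ssh -L) does the same three things: listen on one address, connect to the target, and copy bytes in both directions until one side closes. The following is an added example, not code from the wiki or from any of those tools, that implements exactly that in a few dozen lines and exercises it against a constructed echo server standing in for the remote service; everything runs on loopback with ephemeral ports, so nothing from the page is assumed to be listening.

```python
"""In-process TCP port forwarder: the mechanism behind `ssh -L`, `portfwd add`,
`netsh interface portproxy` and the ncat named-pipe relay.

Added example, not from the wiki. The echo server is a constructed stand-in
for the remote service so the demo runs offline.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src sends EOF, then half-close dst so the EOF propagates."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    """Listen on (listen_host, listen_port); forward every connection to (target_host, target_port)."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.connections = 0
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))
        self.sock.listen(16)
        self.listen_port = self.sock.getsockname()[1]  # the real port when 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return  # listener was closed
            self.connections += 1
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()  # target unreachable: drop the client, as a failed -L forward does
            return
        # One pump per direction; each half-closes its destination when its source ends.
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        client.close()
        upstream.close()

    def close(self):
        self.sock.close()


def start_echo_server():
    """Constructed 'remote service': echoes whatever it receives. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    while chunk := conn.recv(4096):
                        conn.sendall(chunk)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(listen_port, payload):
    """Send payload through the forwarder, signal EOF, and collect everything echoed back."""
    with socket.create_connection(("127.0.0.1", listen_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = bytearray()
        while chunk := s.recv(4096):
            out += chunk
        return bytes(out)


def demo(payload=b"hello through the tunnel"):
    """Wire client -> forwarder -> echo server and return the echoed bytes."""
    echo_sock, echo_port = start_echo_server()
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        return round_trip(fwd.listen_port, payload)
    finally:
        fwd.close()
        echo_sock.close()


if __name__ == "__main__":
    print(demo())
```

The bind address is the security-relevant knob, exactly as with `ssh -L 0.0.0.0:4455:...` versus `ssh -L 8080:...` above: binding 0.0.0.0 exposes the forwarded service to anyone who can reach the pivot host, while 127.0.0.1 keeps it to local processes.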

Remote port forwarding

Socks5 with SSH


Other Tools:

Other Resources:
