xct's notes
Pivoting

Windows

Native

netsh advfirewall firewall add rule name="<rulename>" dir=in action=allow protocol=TCP localport=8080
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<addr>
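Added example, not part of the original notes: a small Python parser for the table that netsh interface portproxy show all prints, so rules like the one above can be audited on a host. The sample output is constructed to match that table layout; the flagging rule (listener on all interfaces, or relay to a non-loopback address) is my own heuristic.

```python
import re

# Constructed sample of `netsh interface portproxy show all` output (not captured
# from a real host); the layout mirrors the two-column table netsh prints.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.10.14.5      80
127.0.0.1       3389        127.0.0.1       13389

Listen on ipv4:             Connect to ipv6:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
"""

SECTION_RE = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):", re.I)
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return one dict per portproxy rule found in the netsh output."""
    rules, listen_fam, connect_fam, in_table = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # new section: remember address families, wait for the header
            listen_fam, connect_fam, in_table = m.group(1).lower(), m.group(2).lower(), False
            continue
        if line.startswith("-----"):
            in_table = True  # dashed separator: rule rows follow
            continue
        m = RULE_RE.match(line) if in_table else None
        if m:
            rules.append({
                "listen_family": listen_fam, "listen_addr": m.group(1), "listen_port": int(m.group(2)),
                "connect_family": connect_fam, "connect_addr": m.group(3), "connect_port": int(m.group(4)),
            })
    return rules


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "localhost")


def suspicious(rules):
    """Rules that expose a listener on every interface or relay traffic to another host."""
    return [r for r in rules
            if r["listen_addr"] in ("0.0.0.0", "::") or not is_loopback(r["connect_addr"])]
```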

SSF

Server:
./ssfd -p 8080
Client:
./ssf -L 9000:127.0.0.1:80 -p 8080 127.0.0.1
./ssf -R 9000:127.0.0.1:80 -p 8080 127.0.0.1

Linux

Static port forwarding (single port, execute on attacker)

ssh <user>@<target> -L 127.0.0.1:8888:<targetip>:<targetport>

Dynamic port forwarding (execute on attacker)

ssh -D <localport> [email protected]

Remote forwarding (execute on victim)

ssh -R <lport>:<ip>:<rport> [email protected]

Jump Host

Chisel

Forward port 8089, listening on localhost on the victim, out to the attacker:
victim> ./chisel server -p 5000
attacker> ./chisel client 192.168.127.201:5000 8089

Metasploit

Remote Forward (opens 6443 on remote and forwards to local 192.168.1.1:443):
portfwd add -R -p 6443 -l 443 -L 192.168.1.1
Note: Chaining multiple forwards often leads to Metasploit timeouts/crashes. In this case it's best to forward only a single hop via Metasploit and use another technique for the next hop (e.g. the native Windows forwarding above).

MSSQL

Get a session on a box that can reach the server, then run autoroute -s addr/subnet (alternatively, add the routes manually via route add addr/subnet <session>). Start the socks4a proxy module. Now we can use socat through the proxy to make the server available locally:
proxychains socat TCP4-Listen:1433,fork TCP:<>:1433
Now a Windows machine in the same network can connect to the local listener via Windows authentication:
C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE>runas /netonly /user:<>\<> "Ssms.exe -S <local box>"
An alternative to autoroute is to use this syntax outside of any sessions:
route add <>/<> <session id>