Pivoting
SSH Local Port Forwarding
Code
ssh -L 1234:localhost:3306 Ubuntu@10.129.202.64
-L: tells the SSH client to ask the SSH server to forward everything we send to local port 1234 to localhost:3306 on the Ubuntu server. MySQL is bound to the server's loopback only, so it is not reachable from the network directly, but through the tunnel it appears on 127.0.0.1:1234 on our machine.
Code
netstat -antp | grep 1234
Netstat or Nmap can be used to query our local host on port 1234 to verify that the MySQL service was forwarded: the listener belongs to the ssh process, and an Nmap version scan (-sV) of 127.0.0.1:1234 fingerprints the remote MySQL server through the tunnel.
Example
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN 4034/ssh
tcp6 0 0 ::1:1234 :::* LISTEN 4034/ssh
PORT STATE SERVICE VERSION
1234/tcp open mysql MySQL 8.0.28-0ubuntu0.20.04.3
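The check that Nmap performs above can also be done by hand. The following is an added example, not code from the original notes: it connects to the local end of the forward (assumed to be 127.0.0.1:1234, as in the command above), reads the greeting that a MySQL server sends before the client transmits anything, and parses the protocol version, server version string and connection id out of the HandshakeV10 packet. The greeting used for self-testing is constructed in the block; the version string in it is copied from the Nmap output above.

```python
"""Verify an SSH local forward by reading the MySQL server greeting.

Added example, not part of the original notes. After
`ssh -L 1234:localhost:3306 ubuntu@10.129.202.64`, anything connecting to
127.0.0.1:1234 (assumed local port) talks to MySQL on the pivot host. MySQL
speaks first, sending a HandshakeV10 packet, so the service can be identified
without sending a single byte, which is what nmap -sV does for this port.
"""
import socket
import struct


def parse_mysql_greeting(data: bytes) -> dict:
    """Parse the start of a MySQL HandshakeV10 packet.

    Wire layout: 3-byte little-endian payload length, 1-byte sequence id (0 for
    the greeting), then the payload: protocol version (1 byte), NUL-terminated
    server version string, 4-byte little-endian connection id.
    """
    if len(data) < 5:
        raise ValueError("short read, not a MySQL greeting")
    length = int.from_bytes(data[0:3], "little")
    seq = data[3]
    payload = data[4:4 + length]
    if seq != 0 or len(payload) < length:
        raise ValueError("bad MySQL packet header")
    proto = payload[0]
    if proto != 10:
        raise ValueError(f"unexpected protocol version {proto}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    conn_id = struct.unpack("<I", payload[end + 1:end + 5])[0]
    return {"protocol": proto, "version": version, "connection_id": conn_id}


def build_mysql_greeting(version: str, conn_id: int = 1) -> bytes:
    """Construct a minimal HandshakeV10 packet (test fixture built here, not captured)."""
    payload = bytes([10]) + version.encode() + b"\x00" + struct.pack("<I", conn_id)
    # A real server continues with the auth-plugin salt, capability flags, etc.;
    # eight zero salt bytes plus the filler byte keep the shape without mattering here.
    payload += b"\x00" * 8 + b"\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def check_forward(host: str = "127.0.0.1", port: int = 1234, timeout: float = 3.0) -> dict:
    """Connect to the local end of the forward and identify the MySQL server behind it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(1024)
    return parse_mysql_greeting(data)


if __name__ == "__main__":
    info = check_forward()
    print(f"127.0.0.1:1234 -> MySQL {info['version']} (connection id {info['connection_id']})")
```

If the forward is up but the greeting does not parse, the tunnel is reaching something other than MySQL on the far side (a wrong remote port in -L is the usual cause); a connection refused on 127.0.0.1:1234 means the ssh client is not listening at all.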
Dynamic Port Forwarding
Code
ssh -D 9050 ubuntu@10.129.202.64
-D: Requests the SSH server to enable dynamic port forwarding. The SSH client then listens on local port 9050 as a SOCKS proxy; every connection handed to it is opened from the Ubuntu host, so tools that can speak SOCKS (or are wrapped with proxychains) reach the networks behind the pivot without a separate -L entry per service.
Proxychains (SOCKS Tunneling)
/etc/proxychains.conf
The [ProxyList] section at the end of the file must point at the SSH SOCKS listener. The stock configuration already lists a socks4 proxy on 127.0.0.1 port 9050, which matches the -D 9050 port used above; if a different port was chosen for -D, change that last line to match.
Code
tail -4 /etc/proxychains.conf
Using Nmap with Proxychains
Code
proxychains nmap -v -sn 172.16.5.1-200
Nmap can only perform a full TCP connect scan (-sT) over proxychains, because a SOCKS proxy relays complete TCP connections and nothing else: a half-open SYN scan (-sS) relies on raw packets that never reach the proxy, so it returns incorrect results. ICMP does not traverse the proxy either, and host-alive checks may also fail against Windows targets because the Windows Defender firewall blocks ICMP echo requests (traditional pings) by default, so discovery should be skipped with -Pn.
Reference
A full TCP connect scan (-sT) with ping disabled (-Pn) over an entire network range will take a long time, so narrow the port list or the address range before starting it.
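The reason only full connects survive the proxy is visible at the protocol level. The following is an added example, not code from the original notes: it speaks SOCKS4 (the proxy type in the default proxychains configuration) to the ssh -D listener, assumed to be 127.0.0.1:9050, asking it to CONNECT to an internal host and port, and reads the granted/rejected reply. The request carries only a destination address and port; there is no field for TCP flags or ICMP, so the pivot host always completes a full three-way handshake on the scanner's behalf, which is exactly what nmap -sT does. The host 172.16.5.19 and the ports in the main block are assumed targets inside the 172.16.5.0/24 range scanned above.

```python
"""SOCKS4 CONNECT through the `ssh -D 9050` listener, as proxychains does it.

Added example, not part of the original notes. Assumed proxy: 127.0.0.1:9050.
The SSH client accepts the CONNECT, opens the TCP connection from the pivot
host, and relays bytes. Only complete TCP connections exist on this path.
"""
import ipaddress
import socket
import struct

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 0x5A   # 90: request granted, connection established
SOCKS4_REJECTED = 0x5B  # 91: request rejected or failed (closed/filtered port)


def build_connect_request(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 request: VN=4, CD=1, DSTPORT (big-endian), DSTIP (4 bytes), USERID, NUL."""
    ip = ipaddress.IPv4Address(dst_ip)
    return struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port, ip.packed) + userid + b"\x00"


def parse_connect_reply(data: bytes) -> bool:
    """SOCKS4 reply: VN=0, CD, DSTPORT, DSTIP (8 bytes). True when CD is 90 (granted)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd = data[0], data[1]
    if vn != 0:
        raise ValueError(f"bad SOCKS4 reply version {vn}")
    if cd == SOCKS4_GRANTED:
        return True
    if cd in (SOCKS4_REJECTED, 0x5C, 0x5D):  # rejected, identd unreachable, identd mismatch
        return False
    raise ValueError(f"unknown SOCKS4 reply code {cd}")


def tcp_connect_via_socks(dst_ip: str, dst_port: int, proxy=("127.0.0.1", 9050), timeout: float = 5.0):
    """Return a socket connected to dst through the proxy, or None when the pivot
    host could not complete the TCP handshake (the port is closed or filtered)."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_connect_request(dst_ip, dst_port))
    reply = b""
    while len(reply) < 8:
        chunk = s.recv(8 - len(reply))
        if not chunk:
            s.close()
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    if not parse_connect_reply(reply):
        s.close()
        return None
    return s


def connect_scan(hosts, ports, proxy=("127.0.0.1", 9050)) -> dict:
    """Full-connect scan through the pivot: one SOCKS CONNECT per host:port pair.
    A granted reply means the pivot host completed the handshake, i.e. the port is open."""
    open_ports = {}
    for h in hosts:
        for p in ports:
            try:
                s = tcp_connect_via_socks(h, p, proxy)
            except (OSError, ValueError):
                continue  # proxy down, or a reply we do not understand: treat as not open
            if s is not None:
                open_ports.setdefault(h, []).append(p)
                s.close()
    return open_ports


if __name__ == "__main__":
    # Assumed internal target and ports; run after `ssh -D 9050 ubuntu@10.129.202.64`.
    print(connect_scan(["172.16.5.19"], [22, 80, 445, 3389]))
```

Each probe costs a full SOCKS round trip plus a full TCP handshake performed by the pivot, which is why a connect scan of a whole range through proxychains is slow; there is no cheaper half-open option to fall back to.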
Using Metasploit with Proxychains
Code
proxychains msfconsole
Using rdp_scanner Module
Code
msf6 > search rdp_scanner