🤹 Pivoting

SSH Local Port Forwarding

Code

ssh -L 1234:localhost:3306 Ubuntu@10.129.202.64
  • -L: This option tells the SSH client to listen on local port 1234 and ask the SSH server to forward everything sent to that port to localhost:3306 (the MySQL port) on the Ubuntu server, so a service bound only to the remote loopback becomes reachable on our own machine.

Code

netstat -antp | grep 1234
  • Netstat or Nmap can be used to query our local host on port 1234 to verify that the MySQL service was forwarded: netstat should show an ssh process listening on 127.0.0.1:1234, and an Nmap version scan of that port should identify MySQL.

Example

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4034/ssh            
tcp6       0      0 ::1:1234                :::*                    LISTEN      4034/ssh   
PORT     STATE SERVICE VERSION
1234/tcp open  mysql   MySQL 8.0.28-0ubuntu0.20.04.3
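The netstat check above is also what a host owner uses to spot forwards on a pivot box: an ssh client process holding a LISTEN socket is the local footprint of both ssh -L and ssh -D. The parser below is an added example (not part of the original notes) that runs over a constructed netstat -antp listing modelled on the output shown above; the 9050 entry, the sshd line and the PIDs are assumptions for the sample.

```python
"""Flag listening sockets owned by an ssh client in `netstat -antp` output."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample modelled on the netstat output in the notes above.
# The 9050 socket mimics an `ssh -D 9050` SOCKS listener; sshd on :22 is a
# normal server daemon and must not be flagged.
SAMPLE_NETSTAT = """\
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4034/ssh
tcp6       0      0 ::1:1234                :::*                    LISTEN      4034/ssh
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4101/ssh
tcp        0      0 10.10.14.5:45210        10.129.202.64:22        ESTABLISHED 4034/ssh
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    program: str

    def exposed(self) -> bool:
        """True when bound to all interfaces (reachable from other hosts)."""
        return self.address in ("0.0.0.0", "::")


def parse_listeners(text: str) -> list[Listener]:
    """Return every LISTEN socket whose owning process is visible."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the root warning, the header row, non-listening sockets and
        # entries whose PID/Program column is just "-".
        if len(fields) < 7 or fields[5] != "LISTEN" or "/" not in fields[6]:
            continue
        # rsplit keeps IPv6 addresses such as ::1 intact; only the final
        # colon separates the port.
        address, port = fields[3].rsplit(":", 1)
        pid, program = fields[6].split("/", 1)
        found.append(Listener(fields[0], address, int(port), int(pid), program))
    return found


def ssh_forward_listeners(text: str) -> list[Listener]:
    """Listeners owned by the ssh *client* (not sshd): candidate -L/-D forwards."""
    return [lst for lst in parse_listeners(text) if lst.program == "ssh"]
```

A forward that reports exposed() is bound to every interface rather than loopback, which turns the pivot host into a relay any neighbour can use; on a real host replace SAMPLE_NETSTAT with the captured netstat output.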

Dynamic Port Forwarding

Code

ssh -D 9050 ubuntu@10.129.202.64
  • -D: Requests dynamic port forwarding: the SSH client opens a SOCKS proxy on local port 9050, and every connection sent to it is carried over the SSH session and opened from the server's side of the network.

Proxychains (SOCKS Tunneling)

/etc/proxychains.conf

Code

tail -4 /etc/proxychains.conf
  • The last line of the [ProxyList] section must point at the SOCKS listener opened with -D, here 127.0.0.1 on port 9050; if it lists a different port, proxychained tools will fail to connect.

Using Nmap with Proxychains

Code

proxychains nmap -v -sn 172.16.5.1-200
  • Nmap can only perform a full TCP connect scan (-sT) through proxychains, because the SOCKS proxy relays complete TCP connections and cannot carry the raw, partial packets that other scan types rely on.

  • Partial-packet scans such as the SYN (half-open) scan will therefore return incorrect results.

  • Host-alive checks may not work against Windows targets because the Windows Defender firewall blocks ICMP echo requests (traditional pings) by default.

Using Metasploit with Proxychains

Code

proxychains msfconsole

Using rdp_scanner Module

Code

msf6 > search rdp_scanner