Pivoting

SSH Local Port Forwarding

Forwards one port on the client system to exactly one host and port reachable from the SSH pivot server. It's still confusing no matter how many times I read it.

# Below sets up local port 8123, forwarded through victim, to reach port 80 on target.local
ssh -L 8123:target.local:80 [email protected]
curl localhost:8123
# attacker:8123 -> 10.0.0.1:22 -> 10.0.0.5:80

# Below creates a tunnel with the established private key. Creates tunnel on https://localhost:4443
# -g lets other hosts connect to the forwarded port; -X/-Y enable X11 forwarding; -C compresses
sudo ssh -i ~/.ssh/id_rsa -X -Y -C -g -L 4443:1.1.1.1:443 [email protected]

# Below forwards a port on the victim localhost to be accessible (e.g. MySQL for localhost only)
ssh -L 3306:localhost:3306 [email protected]
# Use -h 127.0.0.1 so the client connects over TCP to the forwarded port, not the local Unix socket
mysql -h 127.0.0.1 -P 3306 -u root -p

SSH Dynamic Port Forwarding

A SOCKS proxy used to forward several ports. proxychains can help non-proxy-aware programs reach the intended destination. Do not try to port scan through a SOCKS proxy, it is VERY SLOW!!

# Opens a SOCKS proxy on local port 9123
ssh -D 9123 [email protected]

SSH Remote Port Forwarding

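A port on the pivot system is forwarded to a local port. Not commonly used.

# Port 8123 on the pivot -> port 80 on the client (<user>@<pivot> is a placeholder for the pivot login)
ssh -R :8123:localhost:80 <user>@<pivot>
# Port 8000 on the pivot -> www.google.com:80 as reached from the client
ssh -R :8000:www.google.com:80 <user>@<pivot>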
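A defensive check for the three SSH forwarding modes above, as an added example that is not part of the original page: the function reads `sshd -T` style output from a candidate pivot host and reports whether -L/-D, -R and X11 forwarding would be accepted. The function name and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` style output ("keyword value" lines) on stdin
# and reports which of the forwarding modes above the server would accept.
audit_sshd_forwarding() {
    awk '
    BEGIN {   # OpenSSH defaults, used when a keyword is absent from the input
        cfg["allowtcpforwarding"] = "yes"; cfg["gatewayports"] = "no"
        cfg["permitopen"] = "any";         cfg["x11forwarding"] = "no"
        cfg["disableforwarding"] = "no"
    }
    { key = tolower($1) }
    key in cfg { cfg[key] = tolower($2) }
    END {
        if (cfg["disableforwarding"] == "yes") { print "OK: all forwarding disabled"; exit }
        tcp = cfg["allowtcpforwarding"]
        if (tcp == "yes" || tcp == "all" || tcp == "local") {
            print "FINDING: -L/-D forwarding allowed (allowtcpforwarding " tcp ")"
            if (cfg["permitopen"] == "any")
                print "FINDING: forward destinations unrestricted (permitopen any)"
        }
        if (tcp == "yes" || tcp == "all" || tcp == "remote") {
            print "FINDING: -R forwarding allowed (allowtcpforwarding " tcp ")"
            if (cfg["gatewayports"] != "no")
                print "FINDING: -R listeners may bind non-loopback (gatewayports " cfg["gatewayports"] ")"
        }
        if (cfg["x11forwarding"] == "yes")
            print "FINDING: X11 forwarding allowed (-X/-Y)"
        if (tcp == "no" && cfg["x11forwarding"] != "yes")
            print "OK: TCP and X11 forwarding disabled"
    }'
}

# Constructed sample inputs (not taken from a real host).
WEAK_CFG='allowtcpforwarding yes
gatewayports clientspecified
permitopen any
x11forwarding yes'
HARDENED_CFG='allowtcpforwarding no
gatewayports no
x11forwarding no'

printf '%s\n' "$WEAK_CFG" | audit_sshd_forwarding
printf '%s\n' "$HARDENED_CFG" | audit_sshd_forwarding
```

On a real host, feed it the effective configuration with `sshd -T | audit_sshd_forwarding` (run as root).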

Meterpreter/MSF Forwarding

Can use the built-in mechanisms in meterpreter/MSF to port forward or route easily.

# Cmd below will create a local port on 0.0.0.0:4321 to reach target:80
meterpreter > portfwd add -l 4321 -r target -p 80
Last modified 2mo ago