# Pivoting

## SSH Local Port Forwarding

Forwards one port on the client (attacker) system to exactly one port reachable from the SSH pivot server. It's still confusing no matter how many times I read it.

```bash
# Below sets up local port 8123, forwarded through victim, to reach port 80 on target.local
ssh -L 8123:target.local:80 pwner@victim
# Then, from the attacker box:
#   curl localhost:8123
# Traffic flow: attacker:8123 -> victim (10.0.0.1:22) -> target.local (10.0.0.5:80)

# Below creates a tunnel with the established private key; the target is then reachable at https://localhost:4443
# -C compresses the session, -g lets other hosts connect to the forwarded port, -X/-Y enable X11 forwarding
sudo ssh -i ~/.ssh/id_rsa -X -Y -C -g -L 4443:1.1.1.1:443 kali@2.2.2.2

# Below forwards a service bound to the victim's own localhost (e.g. MySQL listening on 127.0.0.1 only)
ssh -L 3306:localhost:3306 pwnt@victim
# Then, from the attacker box (-h forces TCP; without it the client uses the local unix socket, not the tunnel):
#   mysql -h 127.0.0.1 -u root -p
```

## SSH Dynamic Port Forwarding

Opens a SOCKS proxy on a local port that can forward many ports at once. Use `proxychains` to push non-proxy-aware programs through it to the intended destination. Do not try to port scan through a SOCKS proxy, it is VERY SLOW!!

```bash
ssh -D 9123 pwnt@victim
```

## SSH Remote Port Forwarding

A port opened on the pivot (the SSH server) is forwarded back through the tunnel to a port reachable from our local system; not commonly used.

```bash
# Connections to victim:8123 come back through the tunnel to port 80 on our own box
ssh -R 8123:localhost:80 pwnt@victim
# Connections to victim:8000 are sent to www.google.com:80 from our side of the tunnel
ssh -R 8000:www.google.com:80 pwnt@victim
```
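The three SSH forwarding types above are all governed by a handful of `sshd_config` directives on the pivot host. As an added defender-side example (not from the original notes) the script below audits a config for them, honouring sshd's own parsing rules; the sample config, the `effective_value` and `count_forwarding_findings` helpers and the chosen "hardened" values are assumptions made here.

```shell
# Added example, not from the original notes: audit an sshd_config for the
# directives that govern the SSH forwarding types described above. sshd uses
# the FIRST value given for a keyword, and lines after "Match" apply only to
# matching sessions, so we take the first occurrence in the pre-Match section.
# Assumes POSIX sh + awk; the config path is passed as an argument.

effective_value() {   # $1 = config file, $2 = keyword; prints value or nothing
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
        line = $0
        sub(/^[[:space:]]+/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /[[:space:]=]+/)) next    # "Key value" or "Key=value"
        k = tolower(substr(line, 1, RSTART - 1))
        v = substr(line, RSTART + RLENGTH)
        sub(/[[:space:]]+$/, "", v)
        if (k == "match") exit                     # global section ends here
        if (k == key) { print v; exit }            # first occurrence wins
    }' "$1"
}

# Each spec is keyword:compiled-in default:value a hardened pivot host should
# carry. Findings go to stderr; the count is printed to stdout.
count_forwarding_findings() {
    cfg="$1"; findings=0
    for spec in "AllowTcpForwarding:yes:no" "GatewayPorts:no:no" \
                "PermitTunnel:no:no" "AllowStreamLocalForwarding:yes:no"; do
        key=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        got=$(effective_value "$cfg" "$key")
        [ -n "$got" ] || got="$def"
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FINDING: $key is '$got' (want $want)" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Constructed sample config: duplicate AllowTcpForwarding (first wins) and a Match block that must not change the global values
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
AllowTcpForwarding yes
AllowTcpForwarding no
GatewayPorts=no
Match User pwnt
    AllowTcpForwarding no
    PermitTunnel yes
EOF
count_forwarding_findings "$SAMPLE"   # → 2
```

Run it against `/etc/ssh/sshd_config` on a host that should never act as a pivot; the two findings on the sample are the effective `AllowTcpForwarding yes` and the default `AllowStreamLocalForwarding yes`.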

## Meterpreter/MSF Forwarding

Meterpreter/MSF have built-in mechanisms for port forwarding and routing through a session.

```bash
# Cmd below will create a local port on 0.0.0.0:4321 to reach target:80
meterpreter > portfwd add -l 4321 -r target -p 80
```

## Socat

We can use socat to forward connections on to new machines easily.

```bash
# Below command listens locally on 8080 and forwards each connection to 10.0.0.1:80 (fork handles clients in parallel)
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:10.0.0.1:80
```

## IPtables

Iptables can be used to forward connections if we have root-level access.

```bash
# Must enable IP forwarding (immediate, not persistent across reboots)
sudo sysctl net.ipv4.ip_forward=1

# or make it persistent. Note "sudo echo ... >> file" fails: the redirection runs
# as the unprivileged user, so pipe through tee instead, then reload
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Now we can redirect: connections to pivot:1234 are DNAT'd to 10.0.0.1:80
sudo iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 10.0.0.1:80
# Rewrite the source so 10.0.0.1 replies via the pivot (the FORWARD chain must also allow the flow)
sudo iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.1 --dport 80 -j MASQUERADE
```

## Windows Portproxy

This is a lesser-known function of `netsh` that lets us redirect ports on a Windows box.

```powershell
# Listen on 8123 and forward connections to 10.0.0.1:80 (requires an elevated prompt)
netsh interface portproxy add v4tov4 listenport=8123 connectport=80 connectaddress=10.0.0.1

# To view existing portproxy entries:
netsh interface portproxy show all
```

## Ngrok

We can use ngrok to publish a local port through a public endpoint so that exploited machines can reach services running on our own system.
