Pivoting

SSH Local Port Forwarding

Binds one port on the client (attacker) system and forwards every connection to it, through the SSH session, to exactly one host:port that the SSH pivot server can reach. The destination in the -L argument is resolved by the pivot, not by the client, so it only has to be resolvable and reachable from there. It's still confusing no matter how many times I read it.

# Below sets up local port 8123, forwarded through victim, to reach port 80 on target.local
# (target.local is resolved on victim, so it need not resolve on the attacker box)
ssh -L 8123:target.local:80 pwner@victim
    curl http://localhost:8123
    attacker:8123 -> victim (10.0.0.1):22 -> target.local (10.0.0.5):80

# Below creates a tunnel with the established private key. Creates tunnel on https://localhost:4443
# -g binds the local listener on all interfaces, so anyone who can reach our box can use the tunnel;
# leave it out unless that is wanted. -X -Y (X11 forwarding) and -C (compression) have nothing to do
# with the forward, and sudo is not needed: 4443 is above 1024 and sudo makes ssh read root's ~/.ssh.
sudo ssh -i ~/.ssh/id_rsa -X -Y -C -g -L 4443:1.1.1.1:443 [email protected]
 
# Below forwards a port that is bound to localhost on the victim (i.e. MySQL listening on 127.0.0.1 only).
# "localhost" in the -L argument is resolved on the victim, so this reaches the victim's own MySQL.
ssh -L 3306:localhost:3306 pwnt@victim
    # -h 127.0.0.1 forces TCP: with -h localhost (or no -h) the mysql client uses the local Unix socket and bypasses the tunnel
    mysql -h 127.0.0.1 -P 3306 -u root -p

SSH Dynamic Port Forwarding

A SOCKS proxy: one local listener that accepts connections to any host:port reachable from the pivot, so it covers many destinations without a separate -L per port. Non-proxy-aware programs can be wrapped with proxychains (add a socks5 entry for 127.0.0.1 and the chosen port to its config). Do not try to port scan through a SOCKS proxy unless you have to: it is VERY SLOW, and only full TCP connections go through, so it must be a TCP connect scan (nmap -sT) with host discovery (-Pn) and DNS resolution (-n) disabled; SYN, UDP and ICMP scans cannot work through it.

# SOCKS4/5 listener on 127.0.0.1:9123; every connection through it exits from victim
ssh -D 9123 pwnt@victim
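As an added example (not from the original notes and not part of ssh, socat or any other tool named here), a miniature pivot in Python that does both jobs above: in "forward" mode it is a fixed one-port forwarder like ssh -L (the same shape as the socat and netsh portproxy forwarders further down), in "socks" mode it speaks the SOCKS5 CONNECT exchange that ssh -D provides and proxychains talks to. It runs entirely on loopback against a constructed echo service standing in for the internal target; all hosts, ports and the echo service are assumptions for the demo. It makes visible two things the one-line commands hide: the destination name in a SOCKS request is resolved on the pivot, not on the client, and only TCP CONNECT exists, with a closed port reported as reply code 5, which is why a scan through a proxy has to be a TCP connect scan.

```python
# Added example, not code from the original notes: a miniature pivot, loopback only. "forward" mode
# behaves like ssh -L / socat / netsh portproxy, "socks" mode like ssh -D.
import selectors
import socket
import struct
import threading

def _readn(sock, n):
    """Read exactly n bytes; recv() may return less, and EOF mid-message means the peer went away."""
    buf = bytearray()
    while len(buf) < n and (chunk := sock.recv(n - len(buf))):
        buf += chunk
    if len(buf) < n:
        raise ConnectionError("peer closed early")
    return bytes(buf)

def _relay(a, b):
    """Copy bytes both ways until either side sends EOF: the stage every pivot shares once set up."""
    peer = {a: b, b: a}
    with selectors.DefaultSelector() as sel:
        for s in peer:
            sel.register(s, selectors.EVENT_READ)
        while True:
            key = sel.select()[0][0]
            data = key.fileobj.recv(4096)
            if not data:
                return
            peer[key.fileobj].sendall(data)

def _socks5_connect(client):
    """Server half of SOCKS5 CONNECT (RFC 1928), what ssh -D does per connection; None on error."""
    if 0 not in _readn(client, _readn(client, 2)[1]):    # VER, NMETHODS, METHODS: only "no auth" here
        client.sendall(b"\x05\xff")
        return None
    client.sendall(b"\x05\x00")
    _, cmd, _, atyp = _readn(client, 4)
    if cmd != 1 or atyp != 3:                            # CONNECT with a hostname only: no BIND, no UDP
        client.sendall(bytes([5, 7, 0, 1]) + bytes(6))   # REP 7: command not supported
        return None
    host = _readn(client, _readn(client, 1)[0]).decode()  # the name is resolved HERE, on the pivot
    port = struct.unpack("!H", _readn(client, 2))[0]
    try:
        upstream = socket.create_connection((host, port), timeout=3)
    except OSError as e:
        rep = 5 if isinstance(e, ConnectionRefusedError) else 4   # REP 5: port closed, REP 4: unreachable
        client.sendall(bytes([5, rep, 0, 1]) + bytes(6))
        return None
    client.sendall(bytes([5, 0, 0, 1]) + bytes(6))       # REP 0: connected, relay from here on
    return upstream

def start_listener(mode, target=None):
    """Listen on 127.0.0.1 (loopback only, the opposite of ssh -g) and return the port. "forward" wires every
    client to the fixed target (ssh -L), "socks" lets each client pick (ssh -D), "echo" is the constructed target."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def handle(client):
        with client:
            if mode == "echo":
                return _relay(client, client)            # relaying a socket to itself is an echo server
            try:
                upstream = (_socks5_connect(client) if mode == "socks"
                            else socket.create_connection(target, timeout=3))
            except OSError:
                return                                   # forward target down: the client just sees EOF
            if upstream is not None:
                with upstream:
                    _relay(client, upstream)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def closed_loopback_port():
    """A loopback port nobody listens on, to see what a closed port looks like through SOCKS."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def send_through_forward(port, payload):
    """Client view of ssh -L: talk to the local port, the pivot decides where it goes."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        s.sendall(payload)
        return _readn(s, len(payload))

def send_through_socks(port, host, dport, payload):
    """Client half of SOCKS5 CONNECT (what proxychains injects); returns (reply, data), reply 0 = connected."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        s.sendall(b"\x05\x01\x00")                       # VER 5, one method offered: no auth
        assert _readn(s, 2) == b"\x05\x00", "proxy refused no-auth"
        name = host.encode()                             # ATYP 3: send the name, let the pivot resolve it
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dport))
        rep = _readn(s, 4)[1]
        _readn(s, 6)                                     # BND.ADDR + BND.PORT, unused after CONNECT
        if rep:
            return rep, b""                              # 5 = refused (closed port), 4 = unreachable
        s.sendall(payload)
        return rep, _readn(s, len(payload))
```

Start an "echo" listener, then a "forward" listener pointed at it and a "socks" listener, and push a payload through each with the two send functions; asking the SOCKS listener for a port from closed_loopback_port() returns reply 5 with no data, the signal a connect scan relies on. Everything binds 127.0.0.1 only; a real pivot listening on all interfaces (ssh -g, socat without a bind address) hands the same access to anyone who can reach the box.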

SSH Remote Port Forwarding

The reverse of -L: ssh -R opens a listening port on the SSH server (the pivot) and sends connections to it back through the tunnel to a host:port reachable from our client. Useful when the victim can SSH out to us but we cannot connect in, e.g. to expose one of our own listeners to the internal network. Not commonly used compared with -L and -D.

Meterpreter/MSF Forwarding

Meterpreter has built-in mechanisms for this: portfwd adds single-port forwards through the session, and autoroute (or route in msfconsole) adds routes so other Metasploit modules reach the internal network through the session; the socks_proxy auxiliary module then exposes those routes to external tools as a SOCKS proxy.

Socat

socat, run on the pivot, can listen on a port and forward each incoming connection to a new host:port, which makes it a quick forwarder on a machine where SSH is not available; note that without an explicit bind address the listener is open to anyone who can reach the pivot.

IPtables

With root on the pivot, iptables NAT rules can forward connections without any userland process: a DNAT rule in the PREROUTING chain rewrites the destination, IP forwarding has to be enabled in the kernel, the FORWARD chain has to allow the traffic, and a MASQUERADE or SNAT rule is needed if the target should see the pivot rather than us as the source.

Windows Portproxy

This is a lesser-known function of netsh (netsh interface portproxy) that makes a Windows box listen on a port and forward the TCP connections to another address. It needs administrator rights, only handles TCP, depends on the IP Helper service (iphlpsvc) running, and the rules persist across reboots until deleted, which matters for cleanup.

Ngrok

ngrok exposes a listener on our own machine through a public ngrok endpoint, so an exploited machine that can only reach the internet (not us directly) can connect back to our local service. The traffic passes through ngrok's servers, which is worth remembering for opsec and for client engagements.
