Pivot

RINETD

Install first:

apt install rinetd

Modify the config file. Each rule line maps a local bind address and port to a destination address and port; the example below relays every connection arriving on 0.0.0.0:80 of this host to 216.58.207.142:80:

cat /etc/rinetd.conf

# bindaddress   bindport   connectaddress   connectport
0.0.0.0    80    216.58.207.142    80

sudo service rinetd restart

SSH Tunneling

Access a remote host's local-only port

[Kali]          <======>  [Linux]
10.10.10.10               192.168.10.10
                          [127.0.0.1:5901 LISTEN]

From Kali:

ssh user@192.168.10.10 -L 5901:127.0.0.1:5901 -N

Local Port Forwarding

ssh -N -L [bind_address:]port:host:hostport [username@address]

"Bridging"

Scenario:

[KALI]          <===>  [Debian]          <===>  [Windows Server]
10.10.10.10            192.168.10.10            172.16.10.10

(X = blocked, V = allowed)

Kali   -> Windows   tcp/445   ---------------------X-------------------->
Debian -> Windows   tcp/445                        ----------V---------->
Kali   -> Debian    tcp/22    ----------V--------->

Kali cannot reach the Windows server's tcp/445 directly, but Debian can, and Kali can SSH to Debian. So we can use an SSH local port forward through Debian.

From Kali:

ssh -N -L 0.0.0.0:4445:172.16.10.10:445 root@192.168.10.10
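At the socket level, the rinetd rule above and every form of ssh -L do the same job: accept on the bind address and port, connect to the fixed destination, and copy bytes in both directions until one side closes (ssh additionally carries the first hop inside the encrypted session, which a plain forwarder lacks). The following Python is an added illustration, not rinetd or OpenSSH code. The echo server is a constructed stand-in for the destination service (the tcp/5901 or tcp/445 of the scenarios above), and all addresses and ports are loopback and ephemeral.

```python
# Constructed model of what rinetd and `ssh -L bind:port:host:hostport` do
# with a connection once it arrives.  Not rinetd or OpenSSH code.
import socket
import threading


def relay(a, b):
    """Copy bytes both ways; when either direction ends, shut down both sockets."""
    def pump(src, dst):
        try:
            while data := src.recv(4096):
                dst.sendall(data)
        except OSError:
            pass
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
    t = threading.Thread(target=pump, args=(a, b), daemon=True)
    t.start()
    pump(b, a)
    t.join()


def start_listener(bind_addr, bind_port, handler):
    """Bind, then run handler(conn) on a thread per accepted connection.
    Returns the (addr, port) actually bound, so port 0 picks a free one."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, bind_port))
    srv.listen()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[:2]


def serve_forward(bind_addr, bind_port, host, hostport):
    """One rinetd.conf rule / one -L spec: bind_addr:bind_port -> host:hostport."""
    def handle(client):
        with client:
            try:
                upstream = socket.create_connection((host, hostport), timeout=5)
            except OSError:
                return  # destination unreachable: drop the client, as rinetd would
            upstream.settimeout(None)
            with upstream:
                relay(client, upstream)
    return start_listener(bind_addr, bind_port, handle)


def start_echo_server():
    """Constructed stand-in for the service behind the forward."""
    def handle(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    return start_listener("127.0.0.1", 0, handle)


def through_forward(fwd_addr, fwd_port, payload):
    """Connect to the forwarder's bind side, send payload, return the echo."""
    with socket.create_connection((fwd_addr, fwd_port), timeout=5) as c:
        c.sendall(payload)
        got = b""
        while len(got) < len(payload) and (chunk := c.recv(len(payload) - len(got))):
            got += chunk
        return got


def demo(payload=b"hello through the forward"):
    """Stand up echo server and forwarder on loopback, send payload through."""
    echo_addr, echo_port = start_echo_server()
    fwd_addr, fwd_port = serve_forward("127.0.0.1", 0, echo_addr, echo_port)
    return through_forward(fwd_addr, fwd_port, payload)


if __name__ == "__main__":
    print(demo())
```

The same accept/connect/relay loop is what shows up on a compromised pivot as an unexpected listening socket plus a matching outbound connection to an internal host; that pairing, not the tool name, is the thing to look for on the host.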

Remote Port Forwarding

Scenario:

[KALI]               [Debian] (Compromised)
10.10.10.10          172.16.10.10

(X = blocked, V = allowed)

Kali   -> Debian   tcp/22     ----------X---------->
Kali   -> Debian   tcp/3306   ----------X---------->
Debian -> Kali     ANY        <---------V-----------

From Debian:

ssh -N -R 10.10.10.10:2221:127.0.0.1:3306 kali@10.10.10.10

Now, connections to Kali's tcp/2221 are carried back through the SSH session and delivered to Debian's 127.0.0.1:3306.
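Two sshd_config directives on the receiving host decide whether the command above works at all: binding the -R listener to 10.10.10.10 rather than 127.0.0.1 only succeeds if Kali's sshd has GatewayPorts set to yes or clientspecified (the default, no, keeps remote forwards on loopback), and AllowTcpForwarding no disables -L, -R and -D through that sshd entirely, with PermitOpen limiting the destinations of -L/-D where forwarding stays allowed. The following Python is an added example, not OpenSSH code: it audits an sshd_config text for those directives, using OpenSSH's documented defaults for anything absent. Both config texts are constructed, including the netadmins group name.

```python
# Constructed example (not OpenSSH code): audit an sshd_config for the
# directives that decide whether this host's sshd can act as a pivot.
# DEFAULTS are OpenSSH's defaults when a directive is absent; the two
# configuration texts are made up.

DEFAULTS = {
    "allowtcpforwarding": "yes",    # -L / -R / -D through this sshd
    "gatewayports": "no",           # yes/clientspecified: -R may bind non-loopback
    "permitopen": "any",            # host:port targets allowed for -L / -D
    "allowagentforwarding": "yes",
    "permittunnel": "no",
}

WEAK_CONFIG = """\
# constructed: a host willing to accept `ssh -R 10.10.10.10:2221:...`
Port 22
GatewayPorts yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: a server that should never relay traffic for its users
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
Match Group netadmins
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5901
"""


def parse_sshd_config(text):
    """Return (globals, match_blocks).

    Globals follow sshd's rule that the first value read for a keyword wins.
    Each Match block is (criteria, settings); its settings override the
    globals only for sessions matching the criteria, so they are kept apart."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = (value, {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)
        else:
            globals_.setdefault(key, value)
    return globals_, blocks


def audit(text):
    """List the ways this sshd_config lets SSH sessions forward traffic."""
    globals_, blocks = parse_sshd_config(text)
    eff = {k: globals_.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["allowtcpforwarding"] != "no":
        findings.append(f"AllowTcpForwarding {eff['allowtcpforwarding']}: "
                        "-L/-R/-D tunnels through this sshd are permitted")
        if eff["permitopen"] == "any":
            findings.append("PermitOpen any: -L/-D may target any host:port")
    if eff["gatewayports"] != "no":
        findings.append(f"GatewayPorts {eff['gatewayports']}: "
                        "-R listeners may bind non-loopback addresses")
    for criteria, settings in blocks:          # conditional exceptions, reported as such
        for key in DEFAULTS:
            if key in settings:
                findings.append(f"Match {criteria}: {key} -> {settings[key]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no forwarding exposure"])
```

Run it against /etc/ssh/sshd_config of any host that is not meant to relay traffic; a Match exception that re-enables forwarding for a group is reported rather than hidden, because that group is exactly the set of accounts whose compromise turns the host into a pivot.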

SSH Dynamic Port Forwarding

Scenario:

[KALI]          <===>  [Debian]          <===>  [Windows Server]
10.10.10.10            192.168.10.10            172.16.10.10

(X = blocked, V = allowed)

Kali   -> Windows   tcp/445   ---------------------X-------------------->
Debian -> Windows   tcp/445                        ----------V---------->
Debian -> Windows   tcp/any                        ----------V---------->
Kali   -> Debian    tcp/22    ----------V--------->

Since Debian can reach any port on the Windows server, a single -L rule per port is tedious; instead we can use an SSH dynamic port forward, which turns the SSH client into a SOCKS proxy through Debian.

From Kali:

ssh -N -D 127.0.0.1:8080 student@192.168.10.10

For this to work, tools on Kali additionally have to be wrapped with proxychains. First configure /etc/proxychains.conf so that it points at the SOCKS listener opened by ssh -D:

...
socks4 127.0.0.1 8080

Then, on Kali, wrap the tool with proxychains, e.g. nmap:

proxychains nmap --top-ports 20 -sT -Pn 172.16.10.0/24

(--top-ports needs a count; 20 is only an example. -sT and -Pn are required because a SOCKS proxy carries only complete TCP connections, so SYN scans and ICMP host discovery cannot pass through it.)
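The socks4 line in proxychains.conf commits proxychains to a very small protocol: for every connection nmap opens, it sends one CONNECT request to the ssh -D listener and waits for an 8-byte reply whose second byte is 90 before handing the socket to nmap. The following Python is an added example, not OpenSSH or proxychains code; it encodes and decodes both messages, and the same parser lets a network monitor recognise a SOCKS4 CONNECT at the start of a stream on a port where no proxy is supposed to be listening. The request shown targets the page's 172.16.10.10:445; the user-id "kali" is made up.

```python
# Constructed example (not OpenSSH or proxychains code) of the SOCKS4
# exchange behind `socks4 127.0.0.1 8080` in /etc/proxychains.conf.
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_TEXT = {
    90: "granted",
    91: "rejected or failed",
    92: "rejected: server cannot reach client's identd",
    93: "rejected: identd reports a different user-id",
}


def build_connect(ip, port, userid=b""):
    """CONNECT request: VN=4, CD=1, DSTPORT (2 bytes, big-endian), DSTIP (4), USERID, NUL."""
    if b"\x00" in userid:
        raise ValueError("USERID may not contain NUL")
    head = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, socket.inet_aton(ip))
    return head + userid + b"\x00"


def parse_connect(data):
    """Return (ip, port, userid) for one complete CONNECT request, else ValueError."""
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError(f"not a SOCKS4 CONNECT (VN={vn}, CD={cd})")
    userid, nul, trailing = data[8:].partition(b"\x00")
    if not nul or trailing:
        raise ValueError("USERID must end the request with a single NUL")
    return socket.inet_ntoa(data[4:8]), port, userid


def is_socks4_connect(first_bytes):
    """Monitor helper: does the first segment of a client stream parse as a CONNECT?"""
    try:
        parse_connect(first_bytes)
        return True
    except ValueError:
        return False


def build_reply(code, ip="0.0.0.0", port=0):
    """Reply: VN=0, CD=90..93, then DSTPORT/DSTIP (echoed back, ignored by clients)."""
    if code not in REPLY_TEXT:
        raise ValueError(f"unknown SOCKS4 reply code {code}")
    return struct.pack("!BBH4s", 0, code, port, socket.inet_aton(ip))


def parse_reply(data):
    """Return (granted, reason) from the proxy's 8-byte reply, else ValueError."""
    if len(data) != 8 or data[0] != 0 or data[1] not in REPLY_TEXT:
        raise ValueError(f"malformed SOCKS4 reply: {data!r}")
    return data[1] == 90, REPLY_TEXT[data[1]]


if __name__ == "__main__":
    req = build_connect("172.16.10.10", 445, b"kali")
    print(req.hex(" "))        # 04 01 01 bd ac 10 0a 0a 6b 61 6c 69 00
    print(parse_connect(req))  # ('172.16.10.10', 445, b'kali')
    print(parse_reply(build_reply(90, "172.16.10.10", 445)))  # (True, 'granted')
    print(is_socks4_connect(b"GET / HTTP/1.1\r\n"))            # False
```

Because the destination address travels in the first nine bytes of every connection, a SOCKS4 listener is easy to spot in a capture even when the ssh -D port is unusual: the stream opens with 0x04 0x01, a port and an IPv4 address, and the server answers with exactly eight bytes starting 0x00 0x5a.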

(Win) Plink.exe

From Windows:

plink.exe -ssh -l kali -pw toor -R <kali_ip>:1234:127.0.0.1:3306 <kali_ip>

Then, from Kali, the Windows host's tcp/3306 is reachable via localhost:1234.

Bypass Deep Inspection

Deep inspection means the firewall classifies traffic by the protocol actually on the wire rather than by port number, so even when you use a tunneling method (e.g. HTTP carried over an SSH tunnel), the firewall can still tell HTTP and SSH apart and block the tunnel.

Scenario:

  1. Shell on an internal Linux server (HTTP-based, via tcp/443)

  2. Local port forward bound to tcp/8888, which forwards all connections to the Windows Server's tcp/3389
