Tunneling and Port Forwarding

SSH over HTTP (Squid)
GitHub - adon90/pentest_compilation: Compilation of commands, tips and scripts that helped me throughout Vulnhub, Hackthebox, OSCP and real scenarios
GitHub
PWK Notes: Tunneling and Pivoting [Updated]
0xdf hacks stuff
​https://pentest.blog/explore-hidden-networks-with-double-pivoting/​
socat
socat TCP-L:9999,fork,reuseaddr PROXY:ip:127.0.0.1:22,proxyport=3128
​
ssh [email protected] -p 9999
proxytunnel
proxytunnel -p ip:3128 -d 127.0.0.1:22 -a 5555
​
ssh [email protected] -p 5555
proxychains
http ip 3128
​
proxychains ssh [email protected]
corkscrew
ssh [email protected] -t /bin/sh
TCP over HTTP
For this technique, it is necessary to be able to upload a file to a webserver.
1. reGeorgFile upload to the server correct

​
Tunnel creationpython reGeorgSocksProxy.py -p 5555 -u "http://<ip>/admin/uploads/reGeorg.jsp"
Proxychains config
​
​
proxychains nmap -F -sT 127.0.0.1
proxychains mysql -u root -p -h 127.0.0.1
proxychains ssh localhost
​
​
Reference: https://sensepost.com/discover/tools/reGeorg/​
2. ABBTTS Upload File
​
​
Config proxychains and create the tunnelpython abpttsclient.py -c tomcat_walkthrough/config.txt -u http://ip/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22Usagessh -p 22222 [email protected]
​
​
Reference: https://github.com/nccgroup/ABPTTS​
HTTP Redirectors
1. socatsocat TCP4-LISTEN:80,fork TCP4:REMOTE-HOST-IP-ADDRESS:80
​
2. iptablesiptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPTiptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination REMOTEADDR:80iptables -t nat -A POSTROUTING -j MASQUERADEiptables -I FORWARD -j ACCEPTiptables -P FORWARD ACCEPTsysctl net.ipv4.ip_forward=1
​
Windows Socks Proxy
In this case this is going to be used to access Burp listening on a Windows NATed VM from other PCs in the same network as the Windows Host.
From the Windows Host machine (IP: 192.168.1.206)
Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 1234
​​
​​
From other PC on the Windows Host machine network (IP: 192.168.1.69)
Configure proxychains.conf:
 socks4 	ip 1234 
proxychains socat TCP-LISTEN:8081,fork,reuseaddr TCP:ip:8080
This command ahead makes Burp (which is listening on the NATed machine) accessible from ip on port 8081
Now, configure the Proxy in the browser:
​​
​​
All the traffic is logged on the NATed machine Burp.
Reference: https://github.com/p3nt4/Invoke-SocksProxy​
Man's Poor VPN
Traffic forward over SSH without needing to ssh -D <port>
sshuttle -vr [email protected] 1X0.1X.0.0/16
​​
​​
My Checklist for Pivoting
Pivotind understanding
Last modified 2yr ago