Tunneling and Port Forwarding

SSH over HTTP (Squid)
adon90/pentest_compilation
Compilation of commands, tips and scripts that helped me throughout Vulnhub, Hackthebox, OSCP and real scenarios - adon90/pentest_compilation
github.com
PWK Notes: Tunneling and Pivoting [Updated]
That beautiful feeling of shell on a box is such a high. But once you realize that you need to pivot through that host deeper into the network, it can take you a bit out of your comfort zone. I’ve run into this in Sans Netwars, Hackthebox, and now in PWK. In this post I’ll attempt to document the different methods I’ve used for pivoting and tunneling, including different ways to use SSH, sshuttle, and meterpreter, as well as some strategies for how to live from the host you are currently working through. Updated on 28 Jan 2018 to add references to two additional tools, Chisel and SSF.
0xdf.gitlab.io
​https://pentest.blog/explore-hidden-networks-with-double-pivoting/​
socat
socat TCP-L:9999,fork,reuseaddr PROXY:ip:127.0.0.1:22,proxyport=3128
​
ssh [email protected] -p 9999
proxytunnel
proxytunnel -p ip:3128 -d 127.0.0.1:22 -a 5555
​
ssh [email protected] -p 5555
proxychains
http ip 3128
​
proxychains ssh [email protected]
corkscrew
ssh [email protected] -t /bin/sh
TCP over HTTP
For this technique, it is necessary to be able to upload a file to a webserver.
1. reGeorgFile upload to the server correct

​
Tunnel creationpython reGeorgSocksProxy.py -p 5555 -u "http://<ip>/admin/uploads/reGeorg.jsp"
Proxychains config
​​
proxychains nmap -F -sT 127.0.0.1
proxychains mysql -u root -p -h 127.0.0.1
proxychains ssh localhost
​​
Reference: https://sensepost.com/discover/tools/reGeorg/​
2. ABBTTS Upload File
​​
Config proxychains and create the tunnelpython abpttsclient.py -c tomcat_walkthrough/config.txt -u http://ip/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22Usagessh -p 22222 [email protected]
​​
Reference: https://github.com/nccgroup/ABPTTS​
HTTP Redirectors
1. socatsocat TCP4-LISTEN:80,fork TCP4:REMOTE-HOST-IP-ADDRESS:80​
2. iptablesiptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPTiptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination REMOTEADDR:80iptables -t nat -A POSTROUTING -j MASQUERADEiptables -I FORWARD -j ACCEPTiptables -P FORWARD ACCEPTsysctl net.ipv4.ip_forward=1​
Windows Socks Proxy
In this case this is going to be used to access Burp listening on a Windows NATed VM from other PCs in the same network as the Windows Host.
From the Windows Host machine (IP: 192.168.1.206)
Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 1234
​​​​
From other PC on the Windows Host machine network (IP: 192.168.1.69)
Configure proxychains.conf:
 socks4 	ip 1234 
proxychains socat TCP-LISTEN:8081,fork,reuseaddr TCP:ip:8080
This command ahead makes Burp (which is listening on the NATed machine) accessible from ip on port 8081
Now, configure the Proxy in the browser:
​​​​
All the traffic is logged on the NATed machine Burp.
Reference: https://github.com/p3nt4/Invoke-SocksProxy​
Man's Poor VPN
Traffic forward over SSH without needing to ssh -D <port>
sshuttle -vr [email protected] 1X0.1X.0.0/16
​​​​
My Checklist for Pivoting
Pivotind understanding
Last updated 9 months ago