I have seen a lot of #pentesters struggle with tunneling and port-forwarding concepts. All #hackers should definitely understand these concepts for successful tests.
This thread is dedicated to Tunneling/PortForwarding tricks.
#infosec #pentest #tunneling #security #bugbounty
This thread is dedicated to Tunneling/PortForwarding tricks.
#infosec #pentest #tunneling #security #bugbounty
Local Port2Port
Open new Port in SSH Server --> Other port
ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere
ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere
Open new Port in SSH Server --> Other port
ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere
ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere
Port2hostnet (proxychains)
Local Port --> Compromised host(SSH) --> Wherever
ssh -f -N -D <attacker_port> <username>@<ip_compromised>
#pentest #security #infosec #bugbounty
Local Port --> Compromised host(SSH) --> Wherever
ssh -f -N -D <attacker_port> <username>@<ip_compromised>
#pentest #security #infosec #bugbounty
SSHUTTLE
You can tunnel via ssh all the traffic to a subnetwork through a host.
Example, forwarding all the traffic going to 10.0.0.1/24
pip install sshuttle
sshuttle -r user@host 10.0.0.1/24
#pentest #security #infosec #bugbounty
You can tunnel via ssh all the traffic to a subnetwork through a host.
Example, forwarding all the traffic going to 10.0.0.1/24
pip install sshuttle
sshuttle -r user@host 10.0.0.1/24
#pentest #security #infosec #bugbounty
NTLM proxy bypass
Using Rpivot
OpenVPN can also be used to bypass it, setting these options in the configuration file:
http-proxy <proxy_ip> 8080 <file_with_creds> ntlm
#pentest #security #infosec #bugbounty
Using Rpivot
OpenVPN can also be used to bypass it, setting these options in the configuration file:
http-proxy <proxy_ip> 8080 <file_with_creds> ntlm
#pentest #security #infosec #bugbounty
Port2Port using Socat
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
#pentest #security #infosec #bugbounty
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
#pentest #security #infosec #bugbounty
Meterpreter
@metasploit
meterpreter > portfwd add -l 80 -r 172.16.0.0 -p 80
#pentest #security #infosec #bugbounty
@metasploit
meterpreter > portfwd add -l 80 -r 172.16.0.0 -p 80
#pentest #security #infosec #bugbounty
Ncat Port Forwarder
mknod pivot p
nc -l -p < port to listen on> 0<pivot | nc 1>pivot
mknod pivot p
nc -l -p < port to listen on> 0<pivot | nc 1>pivot
Remote port forwarding
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 attacker@10.10.1.1
Socks5 with SSH
ssh -N -D 127.0.0.1:8888 admin@10.1.1.1
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 attacker@10.10.1.1
Socks5 with SSH
ssh -N -D 127.0.0.1:8888 admin@10.1.1.1
#SSH Dynamic Port Forwarding
ssh -N -D 127.0.0.1:1337 user@remotehost -p 8888
#pentest #security #infosec #bugbounty
ssh -N -D 127.0.0.1:1337 user@remotehost -p 8888
#pentest #security #infosec #bugbounty
Ncat Http Proxy
ncat -vv --listen 3128 --proxy-type http
ncat -vv --listen 3128 --proxy-type http
SSH graphical connection (X)
ssh -Y -C <user>@<ip>
<-Y is less secure but faster than -X>
#pentest #security #infosec #bugbounty
ssh -Y -C <user>@<ip>
<-Y is less secure but faster than -X>
#pentest #security #infosec #bugbounty
• • •
Missing some Tweet in this thread? You can try to
force a refresh
